Israeli Incident Response Report
Incident responders from Beyond Security published an interesting report (.pdf) explaining their involvement in a recent defacement of an Israeli Web site. I read the report but was surprised not to see any mention of shutting down access to the Web site upon discovering the intrusion. There was no question of compromise -- the image above shows what happened to the Web site. Consider the following excerpt from the report.
[T]he web site in question was defaced by Team Evil and action had to be taken immediately. There was no time to perform a full forensic investigation. What the attacked organization required was a real-time forensic analysis of the attack in order to contain damage and respond accordingly, with the following operational goals in mind:
1. Stop the continuing damage being inflicted as soon as possible by kicking out the attackers who were damaging the site while analysis was done.
2. Prevent further access from the attackers.
3. Determine what hole the attackers used to get in, and seal it.
While these goals are sequential, they had to be done simultaneously to be successful as the attackers were at the same time performing counter-measures and attacking back.
It was a fight between the attackers who were already in the system, and the incident response personnel on the ground with the help of the local system administrator.
"No time" for a forensic investigation? Try shutting down the Web server's switch port. It sounds like the intruders were active while the IR team worked:
While examining the second web GUI tool we noticed that there was currently a user trying to use the exploit. At this stage we no longer had a system administrator present, nor access to the attacked machine. (emphasis in original)
Again, shut down the switch port. Is this the "uptime argument?" Who needs uptime when the public is visiting a defaced Web server?
No wonder the intruders were active -- the defenders were visiting a potentially hostile Web site:
We soon located the tool on the web page... Looking at their site provided another clue.
If the victims were visiting an intruder's Web site during the incident response, that's an easy way to tip off the attackers that defense is taking place.
Finally, observe how the IR team tried to take control of the victim:
Left with no other alternative and the organization's approval, we used the intruders' web GUI tool to retrieve the MySQL password and used it to get into the forum database and escalate the permission of a user under our control to an administrator status (probably like the intruders themselves have done...).
Use an intruder's tool to remove the intruder? Wow.
IR is certainly a fluid experience, but I think some basic rules were violated during this scenario. Still, I'm very happy to see Beyond Security share its story. The report itself contains a ton of technical details and I highly recommend everyone read it. It's been a while since I've read anything like it.
Comments
greets
It's apparent to me that a lot of forensics training involves some basic common sense and understanding of evidence preservation. It's not as hard as people make it out to be.
"You are right, but in this case we did not have the option of shutting anything down or, off".
Also:
"Friend, sorry, but we were under instructions to stop it. No future legal case was to be considered".
Lastly, from Gadi Evron:
"The comments you mention are still correct, but you should note that a lot of conflicting concepts in security are also correct. None are the "absolute truth". Implementation largely depends on necessity vs. demand".
JW.
Thanks for getting feedback from the parties involved!