Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Holiday/Family Incident Response

Published: 2007-11-20
Last Updated: 2007-11-21 01:21:34 UTC
by Kevin Liston (Version: 1)
0 comment(s)

Holiday/Family Incident Response Why and How

Apologies in advance that this is Windows-centric.

Many of us are going to visiting with friends and family over the next couple of months while celebrating a number of year-end holidays.  Often, we are tapped for on-site tech-support duty in exchange for holiday treats.

Yesterday George posted a request for what's in your holiday/family incident response toolkit.  Overnight I collected the response in the hopes to present a useful and organized list.

Incident response under these conditions can be way harder than what one encounters at their day-job.  The builds are non-standard, there are rarely backups to rely on, the data are irreplaceable (personal financial data, photographs, genealogical project, etc.)  The stakes are often higher.

The response methodology is similar to what you'd run into at work:

  • Preparation
  • Detection/Identification
  • Containment/Eradication
  • Lessons Learned/Prevention

Preparation

Hopefully that was done last year when you put on AV, firewalls, and anti-spyware.  This year, the root-kit detection tools are more widely available so it's a good time to update your jump-kit and your framework

Detection/Identification

The first step is an interview with the machine user.  You should ask things like:

  • "Have you patched recently?"
  • "Is the machine running slowly?"
  • "Getting a lot of pop-ups?"

Follow the interview with an inspection to verify that the AV is present, running, and up-to-date.  Ensure that the OS is fully patched.  Peek at the hosts file.  See if there is reason to suspect that the machine is compromised before you start tearing into it.

Containment/Eradication

Should you determine that the machine has been compromised, it is time to start backing up the important files off of the machine.  The only sure approach to cleaning a system is to rebuild it.  There were many spyware/virus cleaning tools submitted, but I consider them useful only in the Identification phase to determine if the machine has been compromised.  I personally do not recommend them for reliable system cleanup.

Lessons Learned/Prevention

If the system was properly secured last time, and no ill has come of it, then congratulations.  But your work is not over.  This final stage is the most important stage in incident response.  Go over what you found in your investigation, point it out, and provide a solution.  No Anti-virus?  Put one on.  No backups?  Make one.  Firewall not enabled?  Enable it.  This is the point where you provide additional instructions, set-up an ongoing tech-support option (if you're brave/generous enough,) and suggest alternatives (say, move them from IE7 to Opera or Firefox-- which have their own issues so you have to carefully consider the consequences of that.)

The Tools

I broke the tools down into the following categories:

  • Frameworks - how one deploys the tools to the system
  • Anti-Virus
  • Anti-Spyware
  • Anti-Rootkit
  • Backup
  • System Analysis
  • Malware Analysis - a subset of System Analysis tools focused to analyzing the malware
  • Network Analysis
  • Registry Cleanup
  • Remote Support
  • Patching
  • Browser protection

CD vs. USB

How should you transport your tools to the site?  There are a lot of good arguments supporting the use of burned CDs and USB drives. 

CD pros:

  • Inexpensive
  • You can leave copies behind for them to use
  • It's hard to infect them

CD Cons:

  • Capacity - a trade-off can be made between capacity and expense by switching to DVD

USB pros:

  • Capacity
  • Flexibility - you can write to them
  • Make nice gifts

USB cons:

  • Risky, if you don't write protect them
  • Costlier than CD/DVD media

Frameworks

Of course one can simply run from the CD or USB on the live system.  In some cases this is the best first step, especially if you suspect something like a botnet running on the system.  Live incident response can quickly identify that the machine is compromised and provide you with the code that's causing the traffic right away (see below for the System Analysis tools one can use in these cases.) 

Others prefer to work from a boot-disk when analyzing a system, particularly when a root-kit is suspected.  These came in two varieties, Windows-based and Linux-based.

 In the windows-based options, people recommended:

For Linux-based options try:

Anti-Virus

These tools can be used for an initial assessment of the system.  One (or more) of these should be left installed on the system when you leave.  There are plenty of great commercial solutions.  I'm only listing free solutions today:

Anti-Spyware

Like anti-virus tools, these play a role in initial assessment of the system, and should be installed on the system when you leave it for added protection.

Anti-Rootkit

We did not have a lot of these tools last year.  They may turn up things that aren't showing up in your other scans.

The guys over at RaDaJo (RAul, DAvid and JOrge) Security Blog have an article inspired by George's post featuring Anti-Rootkit tools: http://radajo.blogspot.com/2007/11/anti-rootkit-windows-tools-searching.html.

Backups

Burning a copy of irreplaceable photos and other documents to CD/DVD is time well spent, regardless if  the system is compromised and needs to be reinstalled or not. They will likely not regret the time put into this important defense measure. Reader Robert suggests that you can avoid a lot of drag and drop effort by using Areca (http://areca.sourceforge.net/.)

System Analysis

There are a tremendous amount of little programs that can give you an eye into what is going on in the system.  These are used during the live response stage of your Holiday/Family incident response.  Hijackthis was the overwhelming favorite, followed by huge support of the Sysinternals tools.

Use of these tools can occupy a lot of your time and require a fair amount of experience.  Russ has offered a helpful write up for a Rapid Malware Response/Analysis process (http://holisticinfosec.org/publications/MalcodeAnalysisTechniquesForIH_McRee.pdf.)

Malware Analysis

These tools were offered up to take a closer look at the malware that has been found on the system.  Using these requires a larger investment of time than many people have while visiting.  But for future use, these tools might be handy to have on your own incident response toolkit.

Network Analysis

It is sometimes easier to determine if a system is compromised by looking at the network traffic leaving the system.  Especially if you're familiar with protocol analysis.  Commonly suggested tools were:

Registry Cleanup

A few tools were submitted that promise to clean up the registry and other system files to improve system performance.

Remote Support

Some brave and generous people offer remote tech support to their families.  They have recommended:

  • LogMeIn
  • PCAnywhere
  • VNC

It is not something that I would recommend or personally do.  For selfish reasons, I don't look forward to late night tech support phone calls from Aunt Minnie.  Nor do I like opening up a remote control panel on a machine that I'm trying to protect.

Patching Support

This was the focus of last years post (how to get all of the updates for Grandma's PC together.)  The Offline-Update project (http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml) promises to solve the problem of building your own CD or USB to patch your relatives' machines that have only dial-up connections to the internet.  But what about all of those applications on the system?  Attacks are moving from OS vulnerabilities to leveraging vulnerabilities in applications like audio players and PDF readers.  Secunia offers a program that can inventory and assess the applications installed on the system.  Details of this is available at: https://psi.secunia.com/.

Browser Protection

Many submissions suggested that they move the user from using IE over to Firefox or Opera.  Also, they suggested using McAfee's Siteadvisor (http://www.siteadvisor.com/) and Netcraft's Toolbar (http://toolbar.netcraft.com/.)

Other protection methods


Kevin Liston (kliston at isc dot sans dot org)

Keywords:
0 comment(s)
Diary Archives