Holiday/Family Incident Response Why and How
Apologies in advance that this is Windows-centric.
Many of us are going to visiting with friends and family over the next couple of months while celebrating a number of year-end holidays. Often, we are tapped for on-site tech-support duty in exchange for holiday treats.
Yesterday George posted a request for what's in your holiday/family incident response toolkit. Overnight I collected the response in the hopes to present a useful and organized list.
Incident response under these conditions can be way harder than what one encounters at their day-job. The builds are non-standard, there are rarely backups to rely on, the data are irreplaceable (personal financial data, photographs, genealogical project, etc.) The stakes are often higher.
The response methodology is similar to what you'd run into at work:
Hopefully that was done last year when you put on AV, firewalls, and anti-spyware. This year, the root-kit detection tools are more widely available so it's a good time to update your jump-kit and your framework
The first step is an interview with the machine user. You should ask things like:
Follow the interview with an inspection to verify that the AV is present, running, and up-to-date. Ensure that the OS is fully patched. Peek at the hosts file. See if there is reason to suspect that the machine is compromised before you start tearing into it.
Should you determine that the machine has been compromised, it is time to start backing up the important files off of the machine. The only sure approach to cleaning a system is to rebuild it. There were many spyware/virus cleaning tools submitted, but I consider them useful only in the Identification phase to determine if the machine has been compromised. I personally do not recommend them for reliable system cleanup.
If the system was properly secured last time, and no ill has come of it, then congratulations. But your work is not over. This final stage is the most important stage in incident response. Go over what you found in your investigation, point it out, and provide a solution. No Anti-virus? Put one on. No backups? Make one. Firewall not enabled? Enable it. This is the point where you provide additional instructions, set-up an ongoing tech-support option (if you're brave/generous enough,) and suggest alternatives (say, move them from IE7 to Opera or Firefox-- which have their own issues so you have to carefully consider the consequences of that.)
I broke the tools down into the following categories:
CD vs. USB
How should you transport your tools to the site? There are a lot of good arguments supporting the use of burned CDs and USB drives.
Of course one can simply run from the CD or USB on the live system. In some cases this is the best first step, especially if you suspect something like a botnet running on the system. Live incident response can quickly identify that the machine is compromised and provide you with the code that's causing the traffic right away (see below for the System Analysis tools one can use in these cases.)
Others prefer to work from a boot-disk when analyzing a system, particularly when a root-kit is suspected. These came in two varieties, Windows-based and Linux-based.
In the windows-based options, people recommended:
For Linux-based options try:
These tools can be used for an initial assessment of the system. One (or more) of these should be left installed on the system when you leave. There are plenty of great commercial solutions. I'm only listing free solutions today:
Like anti-virus tools, these play a role in initial assessment of the system, and should be installed on the system when you leave it for added protection.
We did not have a lot of these tools last year. They may turn up things that aren't showing up in your other scans.
The guys over at RaDaJo (RAul, DAvid and JOrge) Security Blog have an article inspired by George's post featuring Anti-Rootkit tools: http://radajo.blogspot.com/2007/11/anti-rootkit-windows-tools-searching.html.
Burning a copy of irreplaceable photos and other documents to CD/DVD is time well spent, regardless if the system is compromised and needs to be reinstalled or not. They will likely not regret the time put into this important defense measure. Reader Robert suggests that you can avoid a lot of drag and drop effort by using Areca (http://areca.sourceforge.net/.)
There are a tremendous amount of little programs that can give you an eye into what is going on in the system. These are used during the live response stage of your Holiday/Family incident response. Hijackthis was the overwhelming favorite, followed by huge support of the Sysinternals tools.
Use of these tools can occupy a lot of your time and require a fair amount of experience. Russ has offered a helpful write up for a Rapid Malware Response/Analysis process (http://holisticinfosec.org/publications/MalcodeAnalysisTechniquesForIH_McRee.pdf.)
These tools were offered up to take a closer look at the malware that has been found on the system. Using these requires a larger investment of time than many people have while visiting. But for future use, these tools might be handy to have on your own incident response toolkit.
It is sometimes easier to determine if a system is compromised by looking at the network traffic leaving the system. Especially if you're familiar with protocol analysis. Commonly suggested tools were:
A few tools were submitted that promise to clean up the registry and other system files to improve system performance.
Some brave and generous people offer remote tech support to their families. They have recommended:
It is not something that I would recommend or personally do. For selfish reasons, I don't look forward to late night tech support phone calls from Aunt Minnie. Nor do I like opening up a remote control panel on a machine that I'm trying to protect.
This was the focus of last years post (how to get all of the updates for Grandma's PC together.) The Offline-Update project (http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml) promises to solve the problem of building your own CD or USB to patch your relatives' machines that have only dial-up connections to the internet. But what about all of those applications on the system? Attacks are moving from OS vulnerabilities to leveraging vulnerabilities in applications like audio players and PDF readers. Secunia offers a program that can inventory and assess the applications installed on the system. Details of this is available at: https://psi.secunia.com/.
Many submissions suggested that they move the user from using IE over to Firefox or Opera. Also, they suggested using McAfee's Siteadvisor (http://www.siteadvisor.com/) and Netcraft's Toolbar (http://toolbar.netcraft.com/.)
Other protection methods
Kevin Liston (kliston at isc dot sans dot org)
Nov 21st 2007
1 decade ago