Computer Incident Response
Protecting Networks From A Systems Breach
It may begin with something as simple as clicking on a link in an email from a colleague, or opening a PDF file sent by a sales company. But that’s all it takes to start the chain of events that leads to a complete network compromise. Very often, the target won’t know they’ve been compromised.
In more than 85% of the cases we deal with, victim organisations are informed of the breach by a third party – it may be the bank saying that credit cards used on your website are being used fraudulently, or clients and suppliers complaining that they are being spammed with email originating from your servers. You may even suddenly stop being able to send or receive email because your company has been put on an international blacklist.
Once you determine that your network has been compromised or is currently under attack, you need to seek assistance. Very few organisations have the technical skills in-house to deal with sophisticated multi-tier attacks, and often the well-intentioned but clumsy responses of server teams under pressure to resolve the issue will simply tip off the attacker and drive them deeper into the network.
Of course it’s important to act fast, but you need to draw on specialist skills which the average admin doesn’t have. We respond to these types of attacks every week, are well versed in attackers’ methodologies and know where to look to find the tell-tale evidence of their actions.
A medical research laboratory was alerted by anti-virus software to the presence of a Trojan horse program (malware) on one of its internet-facing web servers. First Response was instructed to examine the system to determine if any user data had been lost. Analysis of the server log files showed the server had been under attack for the best part of a year, and had first been compromised a few months after that.
The malware that had triggered the detection was very old; six other instances of more recent malware were present but were not detected by the AV software (this is common). Analysis of the log files showed clear evidence of attempted SQL injection attacks, but due to the unskilled nature of those attacks they were unsuccessful.
Our analysis showed that the user login database of the server had been exfiltrated to an IP address in Romania. A subsequent audit of the user database revealed seven different administrator-level logins which were unknown. The attackers had gained access to all of the data present on the server and had copied all of it – several times over a period of months.
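The two findings in this case study, SQL injection probes visible in the web server access logs and administrator accounts nobody recognised, are the kind of tell-tale evidence a first responder looks for early on. The following Python script is an added example (it is not First Response’s tooling and not part of the original page) showing both checks over constructed sample data: the access-log lines, the user-table dump and the approved-admin list are all made up for illustration, and the signature list is illustrative rather than complete.

```python
"""Added example: triage checks for the two findings in the case study.

1. Scan web-server access logs for SQL-injection probe signatures.
2. Audit a dump of the application's user table for administrator accounts
   that are not on the approved list.

All log lines, account records and the approved-admin list below are
constructed for this example; the signature list is illustrative only.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2013:10:01:02 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2013:10:01:09 +0000] "GET /index.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 5123 "-" "sqlmap/1.0"
198.51.100.23 - - [12/Mar/2013:10:01:11 +0000] "GET /index.php?id=7%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 500 412 "-" "sqlmap/1.0"
203.0.113.9 - - [12/Mar/2013:10:02:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2013:10:03:01 +0000] "GET /index.php?id=7%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "sqlmap/1.0"
"""

# One combined-format log line: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Illustrative SQLi probe signatures, applied to the URL-decoded request path.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"'\s*or\s+\d+\s*=\s*\d+",   # tautology such as ' OR 1=1
        r"\bunion\b.*\bselect\b",    # UNION SELECT data extraction
        r"\bsleep\s*\(",             # time-based blind probe
        r"\binformation_schema\b",   # schema enumeration
        r"--\s*$|--\s",              # SQL comment used to cut off the rest of a query
    )
]


def parse_log(text):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            # Decode %xx escapes so the signatures see what the database saw.
            rec["decoded_path"] = unquote_plus(rec["path"])
            yield rec


def find_sqli_attempts(text):
    """Return records whose decoded path matches a signature, annotated with which ones fired."""
    hits = []
    for rec in parse_log(text):
        fired = [p.pattern for p in SQLI_PATTERNS if p.search(rec["decoded_path"])]
        if fired:
            rec["signatures"] = fired
            hits.append(rec)
    return hits


def attackers_by_volume(hits):
    """Count suspicious requests per source IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


# Constructed dump of the application's user table: (username, role, created).
USER_TABLE = [
    ("alice", "admin", "2011-02-01"),
    ("bob", "user", "2011-03-14"),
    ("webmaster", "admin", "2011-01-05"),
    ("support1", "admin", "2012-11-30"),
    ("tmp_adm", "admin", "2012-12-02"),
]

# Constructed list of administrators the organisation actually knows about.
APPROVED_ADMINS = {"alice", "webmaster"}


def unknown_admin_accounts(users, approved):
    """Administrator-level accounts not on the approved list, oldest first."""
    return sorted(
        ((name, created) for name, role, created in users
         if role == "admin" and name not in approved),
        key=lambda t: t[1],
    )


if __name__ == "__main__":
    hits = find_sqli_attempts(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["decoded_path"], h["signatures"])
    print("by source:", attackers_by_volume(hits))
    print("unknown admins:", unknown_admin_accounts(USER_TABLE, APPROVED_ADMINS))
```

The creation dates of the unknown accounts, compared against the first suspicious requests in the logs, are what let an investigator bound when the compromise began, which is how the timeline in the case study above is reconstructed; a 500 response to a UNION probe is worth a closer look because it suggests the injected SQL reached the database engine.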
This compromise led to the loss of valuable research data, a requirement to report the loss of the user database to the Information Commissioner’s Office, and the reputational damage resulting from informing the user population that their accounts had been compromised and that a password reset was required. Each user who logged in was submitting sensitive personal data relating to medical conditions as part of the research being carried out by the lab.
After this compromise, the client completely re-built this and several other servers, instigated a Forensic Readiness Planning process with us and put in place a series of new policies and procedures to ensure the integrity of their server infrastructure is maintained.
Whilst this case study may seem quite bad (it is!), it is also very common and reflects the average type of incident that we respond to, week after week.