First Step


SUBMITTED BY: Guest

DATE: Oct. 26, 2013, 6:56 a.m.

FORMAT: Text only

SIZE: 2.5 kB

HITS: 1267

Before you begin, let us give you one piece of advice: DON'T PANIC! You are not the first person this has happened to, and you certainly won't be the last!

The first step in recovering any system from a compromise is to physically remove any network cables. The reason for this is that if a system is under external control, an attacker could be monitoring what is happening on the machine and, if they are aware of your actions, could take drastic action to conceal their activity, such as formatting a drive.

However, it should be noted that if the network cable is unplugged you may lose information about the attacker: you will not see active network connections. This of course is important if you wish to trace the miscreants. However, your site security contacts may have policies forcing a disconnection after a break-in, and if your local CERT requests that you remove the machine from the network you should of course fully comply with their request. Your local CERT team may also require you to report any system break-in to them, for compliance purposes as well. Your local security policies should contain information about any actions you need to take.

Next, you should take a notebook (a paper one, not an electronic one), as this will be used to take notes in. Write down any important details about the system, starting with the time and date, the IP address and name of the machine, the timezone that the machine's clock is set to, whether the clock was accurate, patches that were installed on it, user accounts, how the problem was found, etc. If anything during the course of your investigation seems pertinent, jot it down. It will be a handy reference for the future.

It may be difficult to regain control of a seriously compromised Windows system which has so many resource-consuming programs running at start-up, but simply restarting in Safe Mode will stop a large number of Run key based malware from loading at boot, giving some control back to the user for clean-up tasks.

One final point: your local security contact or CERT team will almost certainly be interested in your findings. Very often an attacker will automate an attack, and will almost certainly be targeting other machines in your network. Providing details to your security contacts will enable them to disseminate your findings to other people who may be in a similar situation. And of course your findings may turn up in here!
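As an added example (not part of the original post), the following PowerShell script records the system facts the notebook section asks for (time, date, timezone, hostname, IP addresses, installed patches, local accounts) together with the Run/RunOnce autostart entries that the Safe Mode advice targets, so the machine-reported values can be copied into the paper notebook. It assumes a Windows host with PowerShell 5.1 or later; the output path is an assumed placeholder, and since the host is compromised its answers should be treated as a starting point rather than trusted outright.

```powershell
# Added triage script; assumes PowerShell 5.1+ on Windows. The output path is
# a placeholder: write the report to removable media, not the suspect disk.
param([string]$OutFile = "E:\triage-$env:COMPUTERNAME.txt")

$report = New-Object System.Collections.Generic.List[string]
function Add-Line([string]$Text) { $report.Add($Text) }

# Time, date and time zone exactly as the machine reports them. Compare the
# local time against a trusted clock and note any drift in the notebook.
Add-Line "Collected (local): $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss K')"
Add-Line "Collected (UTC):   $((Get-Date).ToUniversalTime().ToString('u'))"
Add-Line "Time zone:         $([TimeZoneInfo]::Local.Id)"
Add-Line "Hostname:          $env:COMPUTERNAME"

# IP addresses: Get-NetIPAddress exists on Windows 8 / Server 2012 and later;
# fall back to ipconfig on older systems.
if (Get-Command Get-NetIPAddress -ErrorAction SilentlyContinue) {
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -ne '127.0.0.1' } |
        ForEach-Object { Add-Line "IPv4: $($_.IPAddress)/$($_.PrefixLength) on $($_.InterfaceAlias)" }
} else {
    ipconfig /all | ForEach-Object { Add-Line $_ }
}

# Installed patches and local user accounts.
Get-HotFix | Sort-Object InstalledOn |
    ForEach-Object { Add-Line "Patch: $($_.HotFixID) installed $($_.InstalledOn)" }
Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
    ForEach-Object { Add-Line "Account: $($_.Name) disabled=$($_.Disabled)" }

# Run/RunOnce autostart entries: a normal boot processes these, which is why
# the post recommends Safe Mode to keep most of them from loading.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }   # skip provider bookkeeping
        Add-Line "Autostart [$key] $($p.Name) = $($p.Value)"
    }
}

$report | Out-File -FilePath $OutFile -Encoding UTF8
Write-Host "Wrote $($report.Count) lines to $OutFile"
```

Any autostart value pointing at an unfamiliar path or user-writable location is worth copying into the notebook alongside the time it was observed.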