
So You Have a Compromised Asset

Wednesday, September 17th, 2008

You have a compromised asset. Following are things you should know, and things you should do.

Things you should know:

  • Your AV, IPS, IDS, etc. have failed. Whatever alerted you did so after the fact; the preventive layer did not stop the compromise.
  • The compromised asset cannot be trusted. I mean this! Nothing about this asset can be trusted. You can’t trust loading software on the asset to remediate, and you can’t trust the user’s data on the asset. This asset should be dead to you!
  • Bad things can happen to good users, but usually there are certain “habits” that lead to compromised assets.
  • There is no “Silver Bullet” for automatically remediating a compromised asset. Otherwise, companies like Damballa would not be in business.

Things you should do:

  • Remove the compromised asset from the network immediately.
  • Provide your user with a replacement asset. This replacement asset should be from your clean spares or your new hire system pool.
  • Load user data from a backup taken before the point in time of the asset compromise. AGAIN, I mean this! Any user data from the compromised asset cannot be trusted.
  • Optional: Relocate the compromised asset to a segregated lab environment to do forensics. Note: Consider the cost. You have an asset that is worth $500.00 – $3,000.00. Forensics can cost a lot more than the worth of that asset.
  • Relocate the compromised asset back to your build-out area. Low-level format all the local drives on the system.
  • Reimage the system. Place the now-remediated asset back into your clean spares pool or new hire system pool.
  • Mark the asset as remediated.
  • Schedule time with the asset owner to discuss the compromise and potential usage behavior that may have led to the compromise. This information is likely to benefit both parties.
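The step that is easiest to get wrong in the list above is "load user data from a backup taken before the point in time of the asset compromise." The time you usually have is the detection time, which is always later than the infection time, so the restore point has to be chosen against the earliest moment the attacker could have been on the box, with a margin for the uncertainty in that estimate, and only from backups that actually verified. The following is an added example that is not part of the original post and is not Damballa code; the backup catalog, the asset name `ws-0417` and the dates are constructed for illustration, and the catalog format is a hypothetical stand-in for whatever your backup tool exports.

```python
"""Pick a safe restore point for a compromised asset.

Added example, not from the original post or from Damballa.  The catalog
below is constructed sample data; adapt the Backup record to your own
backup tool's inventory.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    asset: str          # hypothetical asset tag
    taken: datetime     # when the snapshot was taken
    verified: bool      # whether a checksum / test-restore passed


# Constructed sample catalog for one hypothetical asset (not real data).
CATALOG: List[Backup] = [
    Backup("ws-0417", datetime(2008, 9, 1, 2, 0), True),
    Backup("ws-0417", datetime(2008, 9, 8, 2, 0), True),
    Backup("ws-0417", datetime(2008, 9, 12, 2, 0), False),  # failed verification
    Backup("ws-0417", datetime(2008, 9, 15, 2, 0), True),   # taken after infection
    Backup("ws-0417", datetime(2008, 9, 16, 2, 0), True),   # taken after detection
]

DEFAULT_MARGIN = timedelta(days=1)


def select_restore_point(catalog: List[Backup], asset: str,
                         earliest_compromise: datetime,
                         detected: Optional[datetime] = None,
                         margin: timedelta = DEFAULT_MARGIN) -> Optional[Backup]:
    """Return the newest verified backup taken before the suspected compromise.

    earliest_compromise: the earliest time the attacker could have been on
        the box (first suspicious log entry, the user's first click on the
        bait), NOT the time the alert fired.  If only the detection time is
        known, pass it here and widen `margin` accordingly.
    detected: optional sanity check; a compromise cannot start after it was
        detected, so the estimate must not be later than this.
    margin: pushed back further because the estimate itself is uncertain.

    Returns None when no backup qualifies.  In that case the user starts from
    an empty profile; restoring a newer, possibly tainted backup is not an
    option, for the same reason the compromised asset's own data is not.
    """
    if detected is not None and earliest_compromise > detected:
        raise ValueError("compromise estimate is later than detection time")
    cutoff = earliest_compromise - margin
    candidates = [b for b in catalog
                  if b.asset == asset and b.verified and b.taken < cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda b: b.taken)


def data_loss(backup: Backup, earliest_compromise: datetime) -> timedelta:
    """How much of the user's work falls between the restore point and the
    compromise estimate; this is what you tell the asset owner to expect."""
    return earliest_compromise - backup.taken


if __name__ == "__main__":
    # Hypothetical timeline: first suspicious outbound connection on the 14th,
    # alert on the 16th.  The 15th's backup is excluded even though it verified.
    first_bad = datetime(2008, 9, 14, 10, 0)
    alert = datetime(2008, 9, 16, 9, 30)
    choice = select_restore_point(CATALOG, "ws-0417", first_bad, detected=alert)
    if choice is None:
        print("no trustworthy backup; user starts from an empty profile")
    else:
        print(f"restore {choice.taken:%Y-%m-%d %H:%M}, "
              f"about {data_loss(choice, first_bad).days} days of work lost")
```

Note that the unverified 12 September snapshot is skipped even though it predates the cutoff: a backup that never passed a test restore is only a guess, and the procedure above depends on the restore actually being clean. If the only pre-compromise backups are old, the days-of-work figure from `data_loss` is the number to put in front of the asset owner when you schedule the follow-up conversation.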

“But wait,” you say, “Isn’t there a better way?” Consider this. If you take the time to keep regular point-in-time backups, a pool of clean reimaged systems, and a set of clean system images to reimage from, and you follow the procedure outlined above (minus the optional forensics step), you should be able to remediate a compromised host in a few hours. Because the steps do not depend on the compromised machine at all, the process can be run in parallel, so multiple remediations can proceed at the same time. Doing anything else, such as trying to clean the machine in place, is a crapshoot that costs both time and money without any guarantee of success.

- Jeff McGough, Damballa VP of Operations