The Right Remedy: Rescuing Compromised Systems

Source: Internet
Author: User

Attackers intrude into a system with a purpose: to show off their skills, to obtain confidential enterprise data, or to disrupt the normal business operations of the enterprise. Sometimes that purpose changes after the intrusion. An attacker who broke in to show off may discover important confidential data once inside, and the prospect of profit turns the intrusion into data theft.

Because attackers with different purposes use different methods, the scope of impact and the loss they cause also differ. When dealing with a system intrusion, the right remedy should therefore be chosen for its type, so that the response is targeted and achieves the best result.

Statistical analysis of past and present intrusion events by authoritative organizations classifies them into three main types according to the attacker's main purpose:
1. Intrusion for the purpose of showing off technique.
2. Intrusion for the purpose of obtaining or damaging confidential data in the system.
3. Intrusion aimed at undermining the normal operation of the system or the business.


The rest of this article discusses how to quickly restore systems compromised by each of these three types of intrusion, and how to limit the scope and severity of the damage. Before starting to recover a compromised system, make sure that the following tasks have already been completed:


1. The system audit function is enabled.
2. The log files generated by the system, the firewall and the IDS/IPS are saved separately (ideally on a host other than the compromised one, so that the attacker cannot modify or delete them).
3. Important applications and data, and the system itself, have a full backup or the corresponding incremental backups.
4. You have prepared a vulnerability scanner (such as X-Scan or Nessus), a rootkit and file-integrity detection tool (such as RootkitRevealer), a process viewer (such as IceSword or Process Explorer) and a network-connection viewer (such as Fport), and have confirmed that these tools can be used at any time.
5. The intrusion has been discovered, its authenticity has been confirmed in a timely manner, and it has been classified according to its severity.


The tasks listed above are not only prerequisites for detecting intrusions in time, but also the basic conditions for recovering a compromised system and reducing the loss, so they should be completed carefully. Because most small and medium-sized enterprises and ordinary users in China run Windows XP, unless stated otherwise the systems discussed in this article are Windows XP systems.


I. Recovering from intrusions whose purpose is to show off technique


Some attackers intrude into a system only to show off their network skills to their peers or others, or to experiment with a particular vulnerability. In such intrusions the attacker usually leaves some evidence in the system to prove that the intrusion succeeded, and sometimes publishes the result on an Internet forum. For example, an attacker who intrudes into a web server may change the home page of the site to announce the intrusion, or may install a backdoor that turns the compromised system into a zombie and then sell it publicly or post on a forum that the system has been compromised. This type of intrusion can therefore be further divided into intrusion for the purpose of controlling the system and intrusion for the purpose of modifying service content.


For intrusions whose purpose is to modify service content, recovery can be completed without stopping the service. Proceed as follows:


1. Before changing anything, create a complete snapshot of the compromised system, or at least of the modified part, for later analysis and as evidence.
2. Immediately restore the modified web pages from backup.
3. Check the system's current network connections with network monitoring software or the "netstat -an" command (on Windows XP, "netstat -ano" also shows the process ID that owns each connection). If an abnormal connection is found, close it immediately. Then check the system processes and services, and analyze the system and service log files, to determine what the attacker did in the system so that it can be undone.
4. Analyze the system logs, or use a vulnerability scanner, to identify the vulnerability the attacker exploited to get in. If it was a system or application vulnerability, find and apply the corresponding patch; if no patch is available, use other measures to temporarily block intrusions that reuse the vulnerability. If the attacker used another method, such as social engineering, and the check shows no new vulnerabilities in the system, this step is not needed, but the people targeted by the social engineering attack should be informed and trained.


5. After fixing the system or application vulnerability, add firewall rules to prevent the same kind of incident from happening again. If an IDS/IPS or anti-virus software is installed, update its signature database as well.


6. Finally, run a thorough vulnerability scan of the system or service with the appropriate tool, making sure its signature library is up to date before the scan. After all this work is done, assign dedicated staff to monitor the system in real time for a period to make sure the same kind of intrusion does not recur.


If the attacker's goal is to control the system as a zombie, they install a backdoor so that they can control the system over the long term, and, to avoid discovery by the user or administrator, do everything they can to hide their traces and the backdoor. We can therefore only determine whether the system is under an attacker's control by checking processes, network connections and port usage. If the system has become a zombie, recover it as follows:


1. Determine when the intrusion occurred and the scope and severity of its impact, and create a snapshot of the system to preserve its current state for later analysis and as evidence.


2. Use a network-connection or port monitoring tool to check the connections the system has established and the ports in use. Disconnect any illegal connection immediately and add a firewall rule that blocks the IP address or port.


3. Use Windows Task Manager to check for illegal processes and services and end every illegal process found immediately. Some backdoor processes are specially crafted so that they do not appear in Task Manager; use a tool such as IceSword to find hidden processes, services and loaded kernel modules, and end them all. Sometimes a backdoor process cannot be terminated this way; then the only option is to suspend the business and work in Safe Mode. If the backdoor processes cannot be ended even in Safe Mode, the only remaining option is to back up the business data, restore the system to a point in time before the intrusion, and then restore the business data. This interrupts the business, so work as quickly as possible to reduce the impact and loss. Also check for illegal backdoor services under "Control Panel" - "Administrative Tools" - "Services" and disable all of them.


4. While searching for backdoor processes and services, record every process and service name found, search for them in the registry and on the system partition, and delete all related entries and files. Also check "Start Menu" - "All Programs" - "Startup" and remove everything there that was not placed by the administrator.


5. Analyze the system logs to find out how the attacker got into the system and what they did inside it, then undo every modification the attacker made. If the attacker exploited a system or application vulnerability, find and apply the corresponding patch. If no patch is available, use other security measures, such as firewall rules that block connections from certain IP addresses, to temporarily prevent attacks through the vulnerability; keep watching for a patch and apply it as soon as it is released. Patching of the system and applications can be automated with the corresponding software.


6. After the repair is complete, run a comprehensive vulnerability scan of the system and applications to make sure no known vulnerabilities remain. Also check manually whether new user accounts have been added and whether the attacker changed security settings, such as the firewall filter rules or the IDS/IPS detection sensitivity, and re-enable any services and security software the attacker disabled.
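As an added example (not code from the original article), the following Python script automates the connection and process checks called for in step 3 of the defacement procedure and in steps 2 and 3 of the zombie procedure above. It parses saved text output of `netstat -ano` and `tasklist` (both available on Windows XP) and reports established connections to peers outside an allowlist, listening ports that are not in the host's service baseline, and sockets owned by a process ID that the process list does not show at all, which is the cross-view discrepancy a hidden process leaves behind. The LAN allowlist, the listening-port baseline and both command outputs are constructed samples.

```python
"""Connection and process triage for a compromised Windows host.

Added example; not code from the original article. It parses saved output
of `netstat -ano` and `tasklist` and reports:
  1. ESTABLISHED connections to remote addresses outside an allowlist;
  2. LISTENING ports that are not in the host's service baseline;
  3. sockets owned by a PID that `tasklist` does not list, the cross-view
     discrepancy a hidden (rootkit) process leaves behind.
The allowlist, baseline and both command outputs are constructed samples.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1688
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       916
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:80        192.168.1.25:3312      ESTABLISHED     1688
  TCP    192.168.1.10:1045      203.0.113.7:6667       ESTABLISHED     2044
  TCP    192.168.1.10:1046      192.168.1.5:1433       ESTABLISHED     1688
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output. PID 2044 is deliberately absent:
# the process view has been hooked, but the TCP/IP stack still knows it.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  916 Console                 0      4,852 K
inetinfo.exe                1688 Console                 0     12,340 K
"""

# Constructed policy: only the LAN is an expected peer; only the web server,
# the RPC endpoint mapper and SMB are expected to listen.
ALLOWED_REMOTE = [ip_network("192.168.1.0/24")]
BASELINE_LISTEN = {("TCP", 80), ("TCP", 135), ("UDP", 445)}

NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return one dict per socket line of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            conns.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                          "raddr": raddr, "rport": rport,
                          "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def triage(netstat_text, tasklist_text,
           allowed=ALLOWED_REMOTE, baseline=BASELINE_LISTEN):
    """Cross-check sockets against policy and against the process list."""
    conns = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    foreign, unexpected_listen = [], []
    for c in conns:
        if c["state"] == "LISTENING" and (c["proto"], c["lport"]) not in baseline:
            unexpected_listen.append(c)
        if c["state"] == "ESTABLISHED":
            try:
                ok = any(ip_address(c["raddr"]) in net for net in allowed)
            except ValueError:   # hostname or malformed address: treat as foreign
                ok = False
            if not ok:
                foreign.append(c)
    # A socket owned by a PID the process list does not show is the strongest
    # signal here: `tasklist` and the TCP/IP stack disagree about what runs.
    hidden = sorted({c["pid"] for c in conns if c["pid"] not in procs})
    return {"foreign": foreign, "unexpected_listen": unexpected_listen,
            "hidden_pid": hidden}


if __name__ == "__main__":
    for key, items in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(key, items)
```

Run `netstat -ano > netstat.txt` and `tasklist > tasklist.txt` on the compromised host, copy both files to the analysis workstation and feed them to `triage()`. A PID reported under `hidden_pid` should be examined with IceSword rather than Task Manager, since whatever hides it from `tasklist` hides it there too, and the `foreign` entries are the addresses to put into the firewall rule of step 2.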


After an intrusion aimed at showing off technique, the following steps should be taken to secure the system:
1. Change the names and logon passwords of the system administrator and other user accounts;
2. Change the names and logon passwords of the administrator and user accounts of the database and other applications;
3. Check the firewall rules;
4. If anti-virus software and an IDS/IPS are installed, update the virus database and the attack signature database respectively;
5. Reset user permissions;
6. Reset the file access control rules;
7. Reset the database access control rules;
8. Change the names and logon passwords of all accounts used for network operations in the system.


After all the recovery and repair work above is complete, make a new full backup of the system and services, and keep it separate from the old full backup.


It should be noted that in intrusions aimed at controlling the system, attackers try to hide themselves from the user. Besides modifying or deleting the system and firewall logs that record their activities, skilled attackers also use tools to alter the basic attributes of the files they created or modified, including the last access time and modification time, so that the intrusion cannot be noticed by looking at file properties. Therefore, tools such as RootkitRevealer should be used to check whether system files have been modified, and file changes should be judged by comparing file contents against a known-good baseline rather than by trusting timestamps.
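The following Python script is an added example, not code from the original article or from any of the tools it names. It shows the content-based check the paragraph above calls for: a baseline of SHA-256 hashes is taken from a known-good tree (for instance the web root right after deployment, or the backup used in step 2 of the defacement procedure) and later compared with the live tree, so defaced pages, dropped files and deleted files are found even when the attacker has reset the modification time of the files they touched. The directory layout and file contents created in `demo()` are constructed for the demonstration.

```python
"""Content-based file integrity check for a web root or system directory.

Added example; not code from the original article. A baseline of SHA-256
hashes is saved while the tree is known good and compared with the live
tree later. Because the comparison is by content, it still finds changes
after the attacker has put the original modification time back on the
files they altered. The tree built in demo() is a constructed sample.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return the added, removed and modified paths between two baselines."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep it off the host, with the log copies."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def demo():
    """Build a tree, take a baseline, tamper with it like an attacker, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "img"))
        files = {"index.html": b"<h1>Welcome</h1>",          # constructed
                 "img/logo.gif": b"GIF89a constructed sample",
                 "config.ini": b"[db]\nhost=db1\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        index = os.path.join(root, "index.html")
        original_ns = os.stat(index).st_mtime_ns
        baseline = build_baseline(root)

        # Attacker: deface the page, drop a backdoor file, delete the config,
        # then put the page's modification time back so "Date Modified" in
        # the file properties dialog looks untouched.
        with open(index, "wb") as f:
            f.write(b"<h1>Defaced</h1>")
        os.utime(index, ns=(original_ns, original_ns))
        with open(os.path.join(root, "cmd.asp"), "wb") as f:
            f.write(b"backdoor (constructed placeholder)")
        os.remove(os.path.join(root, "config.ini"))

        result = compare(baseline, build_baseline(root))
        # The timestamp says nothing changed; the hash comparison disagrees.
        result["mtime_unchanged"] = os.stat(index).st_mtime_ns == original_ns
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice, take the baseline with `build_baseline()` on the known-good tree, store it with `save_baseline()` on the same separate host that holds the log copies, and after an incident load it back and run `compare()` against a fresh `build_baseline()` of the live tree. Anything under `modified` or `added` is what to restore from backup or examine; a clean timestamp on such a file is itself evidence of tampering.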


II. Recovering from intrusions whose purpose is to obtain or damage confidential data in the system


The most valuable of an enterprise's IT resources is, of course, the confidential data stored on its devices. At present most attackers intrude into systems in order to obtain an enterprise's confidential data, so that they can profit illegally by selling it.


If an enterprise's confidential data is stored directly as files in a folder on a system partition, and the folder is not protected by encryption or any other security measure, an attacker who intrudes into the system can obtain the data with ease. Yet a considerable number of small and medium-sized enterprises still store files this way, which makes the attacker's job much easier.


However, there are still a huge number
