Ethical Hacker Community Forums
Author Topic: [Article]-The 6 Steps of Incident Handling in Action  (Read 5664 times)
don
Editor-In-Chief / Administrator (Posts: 2238)
« on: May 03, 2007, 12:44:22 AM »
As RichM reaches out to the community, so should you reach out to RichM. This column lives and breathes with feedback from all of you. Let him know what you think of his column as well as what you'd like for him to cover. He's an admin just like most of you. If you feel he is forgetting something important in his new job, let him know.

Permanent Link: [Article]-The 6 Steps of Incident Handling in Action

Quote

Incident handling is a specialized field which is done best after proper training, guidance and experience.  However, if you follow the six core steps to incident handling, you will have a better chance of recovering favorably from an unforeseen incident.  The example below is an actual incident I experienced recently.  I have outlined the steps taken as they pertain to the six steps of Incident Handling.

I offer up this outline not as an example of the perfect Incident Handling Process but rather as a good faith gesture to the community. There is a Latin Proverb that states, "A wise man learns by the mistakes of others, a fool by his own." I believe a wise man also learns from the experiences of others. Hopefully this month's column puts both of us on a path towards wisdom.

Looking forward to your opinions,
Don

CISSP, MCSE, CEH, Security+ SME
oleDB
Full Member (Posts: 218)
« Reply #1 on: May 03, 2007, 01:14:32 PM »
You mentioned what exploit was used (RealVNC), but what specifically was wkkvhrji.exe? Was that a trojan copied to the machine? Did any AV detect that as something?

Just from experience, Stinger is typically worthless for anything new. It's very good at detecting stuff 3 or 4 months and older. A strategy I tend to use for malware not detected by our AV is to submit it to VirusTotal. If at least one AV vendor detects it, then typically you can read their notes on it or run their online scanner. NormanSandbox and Anubis are also very useful in profiling the malware if you don't have your own sandbox. They often tell you exactly where in the registry changes were made and what type of network traffic the malware generates. Usually if one machine has it, someone else on your network does too. In regards to rootkit detectors, over the last year I've become increasingly frustrated with all the popular ones. Rootkit authors are building effective defenses to them. You might get lucky with some of the tools, so it's worth your time to try several of them, but for the most part you end up having to use a kernel debugger or verifying the md5 hashes with your own image set or with a tool like Rutkowska's SVV. RK's are getting so stealthy and so difficult to remove that you basically have to gamble on waiting for a proper DAT to remove it. If you can't clean it, it's sometimes more viable to just nuke and pave the machine.
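The hash-verification approach oleDB describes (comparing file hashes against your own known-good image set to find what a rootkit or trojan changed) can be scripted. The block below is an added example written for this thread; it is not code from the thread or from any tool mentioned in it. It assumes a constructed directory tree built in a temporary folder with a few stand-in files (the dropped file is named after the one reported in the thread, but its bytes are made up), hashes with SHA-256 by default, and accepts "md5" to match the post's wording.

```python
"""Baseline file-integrity check: hash a directory tree and diff it against a
known-good manifest. Added example for the EH-Net thread, not from the thread."""
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file, read in 64 KiB chunks so large binaries stay off the heap."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Walk root and map each file's path (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algorithm)
    return manifest


def compare_manifests(baseline, current):
    """Diff a trusted baseline against a live scan: new, missing and changed files."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed scenario: create a file under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo(algorithm="sha256"):
    """Constructed scenario: baseline a clean tree, simulate an intrusion, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        # Stand-in "clean image" contents (constructed bytes, not real binaries).
        _write(root, "system32/services.exe", b"MZ clean services binary")
        _write(root, "system32/drivers/tcpip.sys", b"MZ clean tcpip driver")
        _write(root, "notepad.exe", b"MZ clean notepad")
        baseline = build_manifest(root, algorithm)

        # Simulated compromise: one system binary replaced, one unknown file dropped
        # (the dropped file's name is the one reported in the thread above).
        _write(root, "system32/services.exe", b"MZ trojaned services binary")
        _write(root, "system32/wkkvhrji.exe", b"MZ unknown dropped file")

        return compare_manifests(baseline, build_manifest(root, algorithm))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest has to come from a trusted source (the gold image, or a scan taken before deployment) and be stored off the host, since anything on the suspect machine may have been altered. The comparison is also only as honest as the file reads: a kernel-mode rootkit that hooks the file system can hand a scanner the original bytes, which is why oleDB's fallback is a kernel debugger. Running the scan from a boot CD against the offline disk removes the rootkit from the read path.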
RichM
EH-Net Columnist (Posts: 49)
« Reply #2 on: May 13, 2007, 07:28:23 PM »
Don, (and the EH community)

You are absolutely correct, I am always open to feedback and any ideas that can help shape my column. I really enjoy doing my articles, and am very thankful to you and the EH community for your continued support. Please feel free to let me know of any ideas or issues you would like to see addressed in future columns. As Don has already stated, I am an admin and I may have missed crucial topics which would benefit all of us.

oleDB,

I didn't use the actual name of the exploit (just in case the attacker reads our site), but as far as I could tell, it was some type of trojan, possibly a key logger. My best guess is that the attacker was attempting to use the machine as a jumping off point, but never quite figured out what to do once he/she had access. The scanner(s) didn't detect anything, which forced me to use Google and figure out what exactly was taking place.

It is good to know that Stinger is worthless; I always use it as a secondary scanner. Maybe it's time I move to something else like housecall, http://housecall.trendmicro.com/ I guess since it's freeware, we can't really expect top notch performance; and like you said, they should catch a piece of malware that has been around 3-4 mos. Let's face it, most patches are issued and not applied for months on end, then attackers take advantage of the pre-existing flaw.

I have started to get into sandboxing, and like the idea of running a process in an area that keeps a process from causing havoc on a machine. I will need to look into these two products (NormanSandbox and Anubis), since I am only familiar with Sandboxie, http://www.sandboxie.com/ which honestly I am less than thrilled with.

I know blowing away the machine is the safest way, but it is also time consuming and a huge pain. I (and everyone else) am hoping for an anti-rootkit that updates like anti-virus and stays one step ahead of malware programmers.

Thank you for giving me more apps to look into, and helping me to refine my approach to an incident. It is vital to stay on the cutting edge of the best tools which help to combat attackers' tactics.
« Last Edit: May 20, 2007, 11:42:33 AM by RichM »