One of my favorite scenes from War Games is when David Lightman visits the two computer experts Jim and Malvin. They are discussing how David could break into the computer system he thinks belongs to a game company. Jim and Malvin tell David that this system looks like it belongs to the government and there is no way he’s getting in there. But David says, “I don’t believe that any system is totally secure.” Turns out, David was right. He discovered and took advantage of a backdoor in NORAD’s system and was able to play Global Thermonuclear War.
LESSON 3: No system is totally secure. You will be hacked. Focus on detection as much as prevention.
Now that might sound depressing. But adopting that mental attitude can be very freeing. Instead of focusing solely on prevention (a losing game), you can explore other ways to secure your environment. Prevention only takes you so far. I’m not saying we abandon prevention. It is necessary to do all of the basics to prevent attackers from gaining a foothold in your environment (firewall, AV, web filter, spam filter, etc.). But how can you find them once they hack you? There are a couple of things I’ve found helpful.
First, use the tools you have. For example, many endpoint security programs can be used to log activity, not just block. Creating rules that log unusual activity can help during an investigation and give hints as to the attacker’s activity. What about a rule that would log all writes and executes from the TEMP directory? What about a rule that would log any file executed from the Recycle Bin in Windows (yes, you can run files from the root of the Recycle Bin)? AV is easy to bypass (see Rageweb). But maybe it can provide a trail that will help you detect and remove the malware when you get hacked.
Second, detect change. This is a big topic for two of my SANS instructors, John Strand and David Hoelzer. Particularly within your server environment, very little should change. Monitor the local security groups on your servers. Additions to their local security groups should be few and far between. I’ve also used NMAP and NDIFF to compare weekly NMAP scans. If a new service pops up, it needs to be investigated. I’ve also used Netscan to perform regular scans of all network shares. I compare the current scan to the previous scan to determine if there are any new shares or if the permissions changed. With a little scripting and a few scheduled tasks or cron jobs, these tasks can be automated and the files can be emailed to you.
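One way to automate the weekly comparison described above, as an added example rather than code from the original post: it diffs two constructed nmap grepable (-oG) snapshots for newly open ports, and two constructed share-permission snapshots for new shares or changed permissions (the share snapshot format is an assumption for illustration, not NetScan's own export).

```python
"""Added example: diff two scan snapshots and report what changed."""
# Constructed sample nmap -oG (grepable) output for last week and this week.
PREV_SCAN = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""
CURR_SCAN = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 10.0.0.9 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
"""
# Constructed share snapshots (UNC path -> permission summary); this shape is an
# assumption for the example, not a real NetScan export format.
PREV_SHARES = {r"\\FS01\finance": "Finance:RW", r"\\FS01\public": "Everyone:R"}
CURR_SHARES = {r"\\FS01\finance": "Finance:RW", r"\\FS01\public": "Everyone:F",
               r"\\FS01\backup$": "Everyone:F"}

def parse_open_ports(grepable):
    """Return {(host, 'port/proto')} for every open port in nmap -oG text."""
    found = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and 'Status: Up' lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]  # drop 'Ignored State'
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                found.add((host, f"{fields[0]}/{fields[2]}"))
    return found

def new_services(prev, curr):
    """Open ports present in the current scan but absent from the previous one."""
    return parse_open_ports(curr) - parse_open_ports(prev)

def share_changes(prev, curr):
    """(new shares, shares whose permissions changed) between two snapshots."""
    new = sorted(s for s in curr if s not in prev)
    changed = sorted(s for s in curr if s in prev and curr[s] != prev[s])
    return new, changed

if __name__ == "__main__":
    for host, port in sorted(new_services(PREV_SCAN, CURR_SCAN)):
        print(f"NEW SERVICE  {host} {port}")
    new, changed = share_changes(PREV_SHARES, CURR_SHARES)
    print("NEW SHARES  ", new)
    print("PERM CHANGES", changed)
```

Each new service, new share or permission change is something to investigate; the output of a script like this is what the scheduled task would email you.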
Monitoring inbound connections can also be very beneficial. If you regularly monitor inbound IPs to your web servers, you will get to know what “normal” looks like and can spot unusual activity. For example, let’s say you primarily do business with South America. That is where most of your inbound connections originate from. One day you notice a bunch of traffic coming from eastern European countries. Are you being attacked? Or are you already compromised? Either way, you now have something to investigate.
The point is, everyone gets hacked. No one is too small or too big. So assume that you are or will be attacked and find ways to detect the attackers as soon as possible.