Network Forensics

profilebendy1025
cmit_460_lab_5.docx

William Stevenson

September 25, 2020

Lab 5

CMIT 460-6380

Professor Bill Wary

Executive Summary

On December 16, 2013 at approximately 0929 hours, a malicious actor identified as IP 10.10.5.199 began attempting port scanning on an organizational asset at IP 10.10.5.69. The port scan found vulnerable ports and was able to take malicious actions on the asset. These actions included accessing and utilizing the Metasploit framework on the asset, numerous SQL injection attacks utilizing admin credentials on the asset, the passing of several executable files that are likely to contain malware, and the establishment and utilization of a Netcat session on the asset from the malicious actor to execute one such executable.

Containment

The first step should be to isolate the affected asset physically or logically on the organizational network. Without fully understanding how these malicious executables may have affected other machines on the network, it would not be wise to unplug (power off) the asset before determining if there exists a better course of action. Assuming a honeypot does not already exist on this network, dumping the asset into a black hole VLAN can suffice, although the attacker is likely to recognize this and potentially start covering his or her tracks.

If the organization has an interest in possible prosecution of the malicious actor, then proper evidence preservation techniques need to be followed. This would involve disconnecting the attacker and obtaining a forensic image of the affected asset for analysis. Otherwise, to prevent further harm to the asset, it would be advisable to fully disconnect the asset to ensure the attacker no longer is able to access it. This prevents the attacker from causing further harm and/or covering his or her tracks any further.

After the asset is isolated and prevented from causing further harm on the network, the organization needs to put resources into tracing any and all potentially malicious traffic from the asset to other assets on the network as a result of the malicious executables. If such traffic is found to exist, these same containment strategies should be applied to all affected assets unless the scope of damage is clearly and unambiguously understood to not necessitate this.

Eradication

Given the unknown extent of the damage that the malicious executables could have caused to the asset, a full reimage is the safest bet for full eradication of the effects of the attack. If there is interest in a forensic investigation, no action should be taken until the investigation is complete and any litigation is finished. If there is no interest in litigation, but the organization would like to study the methodology and effects of the attack for their own edification, then it is vital that any and all studying be performed off the network, as the effects of the attack are unknown at this time. The attacker could have installed a backdoor, trojan, or rootkit type of malware that would not be detectable by any commercial or enterprise antivirus software, meaning a reimage is the safest and easiest route to take.

Recovery

If the asset is considered mission-critical and/or a backup exists, the backup should be brought online immediately to restore business operations. This would be defined in the business continuity plan for the organization. For restoring the affected asset, a full reimage should be performed to the last known good image. If a known good image does not exist or is unobtainable, restoring to factory default settings will achieve the desired effect for the eradication step, but will require significantly more work to restore the asset to mission capability. During this process, the asset should be verified to have all available patches installed and all relevant security configurations applied as appropriate before being brought back online. The asset should remain isolated from the organizational network until it is confirmed to be fully operational and secure, to include verifying that the vulnerable ports that were exploited are no longer available as an avenue of attack.

In this specific instance, firewall configurations should be checked to ensure that this was not a failure of a border firewall or global ACL configuration that may leave other assets vulnerable. Final remediation steps would include adding the malicious IP to the block list and reevaluating the organizational security policy that allowed this breach to occur. Consideration should be given to firewall configuration and implementation as well as the addition or modification of an intrusion prevention architecture, either host-based or at the network border. A cost-benefit analysis of this breach could prove invaluable as a real-world example for determining the efficacy of these devices for this specific organization.