

Forensics Follies

Or, where not to run when your hair's on fire - not the barn, not the house, not the data center

9:00 AM -- Forensics is not for everyone.

I know, I know... "But I've been hacked, and I want to know who did it." It brings up visions of riding off into the sunset, capturing cattle rustlers, and putting the bad guy in leg irons. It's sexy, and it's fun. It's also costly, and in some cases it can be dangerous.

First, you have to treat a penetration just like you'd treat any business expense. Where is the ROI? What exactly do you gain by capturing a bad guy? You may be able to catch them before they sell your trade secrets, or use the stolen credit cards, but unless you are lightning quick, it's a safe bet they've moved all your sensitive information onto public hosts and/or already sold it to the highest bidder.

Even if you do catch them, have you stopped anyone from doing the same? Doubtful; the holes are still in place. You have spent all this time and energy, and the next guy to come along can do the same thing. Forensics does not equal risk mitigation.

What are the costs? Depending on what you are doing and how bad the penetration is, it could be as cheap as a few thousand dollars -- if it's a sloppy employee who hacked into you. If it's overseas and requires experts in extradition law, expect to spend tens or even hundreds of thousands of dollars.

The ROI in almost all cases I am aware of is non-existent. Furthermore, it's dangerous.

Recently I encountered a company that had been badly compromised for over six months. They attempted to fix the issues themselves. They performed their own forensics, downloaded tools, and attempted to deal with the problems themselves.

Unfortunately, they never actually cleaned the system. In fact, once they logged in as an administrator, they ended up stumbling across and running the command the hackers had left for them. Can you say privilege escalation? Don't use a programmer to assess a security event -- they wrote the code that was exploitable in the first place and shouldn't be touching administrator accounts.

Further, once the staff realized they hadn't fixed the problem, they attempted forensics against the host. Over a period of six months of battling with the hackers, each and every time they ran their forensics tools on the host, they re-infected the machine with the hackers' backdoor, unwittingly extending the compromised period. They would have been better off copying the key files to a clean host and starting over.

In the end, the ROI was just not worth it. It's best to treat a hack event like a fire. Stop, drop, and roll. Once you've done that, hopefully you'll have come to your senses enough to know you need to hire a professional.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading.

