Forensics Follies

Or, where not to run when your hair's on fire - not the barn, not the house, not the data center

9:00 AM -- Forensics is not for everyone.

I know, I know... "But I've been hacked, and I want to know who did it." It brings up visions of riding off into the sunset, capturing cattle rustlers, and putting the bad guy in leg irons. It's sexy, and it's fun. It's also costly, and in some cases it can be dangerous.

First, you have to treat a penetration just like you'd treat any business expense. Where is the ROI? What exactly do you gain by capturing a bad guy? You may be able to catch them before they sell your trade secrets, or use the stolen credit cards, but unless you are lightning quick, it's a safe bet they've moved all your sensitive information onto public hosts and/or already sold it to the highest bidder.

Even if you do catch them, have you stopped anyone from doing the same? Doubtful, the holes are still in place. You have spent all this time and energy and the next guy to come along can do the same thing. Forensics does not equal risk mitigation.

What are the costs? Depending on what you are doing and how bad the penetration is, it could be as cheap as a few thousand dollars -- if it's a sloppy employee who hacked into you. If it's overseas and requires experts with extradition law, expect to spend tens or even hundreds of thousands of dollars.

The ROI in almost all cases I am aware of is non-existent. Furthermore, it's dangerous.

Recently I encountered a company that had been badly compromised for over six months. They attempted to fix the issues themselves. They performed their own forensics, downloaded tools, and attempted to deal with the problems themselves.

Unfortunately, they never actually cleaned the system. In fact, once they logged in as an administrator, they ended up stumbling across and running the command the hackers had left for them. Can you say privilege escalation? Don't use a programmer to assess a security event -- they wrote the code that was exploitable in the first place and shouldn't be touching administrator accounts.

Further, once the staff realized they hadn't fixed the problem, they attempted forensics against the host. Over a period of six months of battling with the hackers, each and every time they ran their forensics tools on the host, they re-infected the machine with the hacker's backdoor, unwittingly extending the compromised period. They would have been better off copying the key files to a clean host and starting over.

In the end, the ROI was just not worth it. It's best to treat a hack event like a fire. Stop, drop, and roll. Once you've done that, hopefully you'll have come to your senses enough to know you need to hire a professional.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F* Special to Dark Reading.