Qmunity

Preface to Becoming a Security Detective

What do Aurora and Shady Rat have in common? They are both names of so-called operations: coordinated system breaches at high-profile companies and government agencies. These and countless other events pointedly demonstrate that few systems are unassailable and that effective system administrators must be able to detect a break-in and mitigate the threat to their customers and users. Like it or not, this is the cost of providing a public computing service, and it is irresponsible not to be prepared.

There are a few things to consider:

  1. There have been no fundamental changes in computer systems in the last 40 years. In fact, this is the entire lifetime of the Internet and of many operating systems.
  2. Persistent storage is necessary to preserve information from one power-up to another. It also provides an opportunity for correlation between system artifacts or clues [where things are supposed to be?].
  3. Applications, even malware, need resources such as memory, CPU, and disk. In most cases they will leave footprints or some record of their passage.
  4. Who is allowed on, and to what do they have access?
  5. The system and many applications write snapshots or checkpoints for particular activities. This allows administrators to determine what has happened on the system. By observing certain events, they can recreate an incident or recognize the onset of another.
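Point 5 is where the investigative skill becomes concrete: the records a system writes are only useful if someone correlates them. The script below is an added example, not code from the original post or from NetIQ; it runs over a handful of constructed sshd-style authentication lines (hostname "web01" and the addresses are hypothetical, drawn from documentation ranges) and reconstructs one common sequence, a burst of failed logins from one source followed by a successful login from the same source, which is worth an administrator's attention both as an incident to recreate and as the onset of another.

```python
"""
Correlate authentication log events to reconstruct a suspicious login sequence.

Added example (not from the original post): the log lines below are
constructed in a syslog-like sshd format to show how recorded events let
an administrator recreate an incident or recognize the onset of one.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines. Host "web01" and the source addresses
# (203.0.113.5, 198.51.100.7) are hypothetical documentation-range values.
SAMPLE_LOG = """\
Oct 18 13:55:01 web01 sshd[4012]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct 18 13:55:04 web01 sshd[4013]: Failed password for root from 203.0.113.5 port 51023 ssh2
Oct 18 13:55:09 web01 sshd[4014]: Failed password for admin from 203.0.113.5 port 51024 ssh2
Oct 18 13:55:12 web01 sshd[4015]: Failed password for admin from 203.0.113.5 port 51025 ssh2
Oct 18 13:55:20 web01 sshd[4016]: Failed password for backup from 203.0.113.5 port 51026 ssh2
Oct 18 13:56:02 web01 sshd[4017]: Accepted password for backup from 203.0.113.5 port 51030 ssh2
Oct 18 14:10:33 web01 sshd[4100]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
"""

# One regular expression covers both outcomes; the auth method (password,
# publickey, ...) is captured loosely because only result, user and source matter here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2011):
    """Turn raw lines into (timestamp, host, result, user, src) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events


def find_bruteforce_then_success(events, threshold=3, window_seconds=600):
    """
    Flag a source address that accumulates `threshold` or more failed logins
    and then succeeds within `window_seconds` of those failures.
    Returns a list of alert dicts describing the reconstructed sequence.
    """
    failures = defaultdict(list)   # src -> list of (timestamp, username) failures
    alerts = []
    for ts, host, result, user, src in events:
        if result == "Failed":
            failures[src].append((ts, user))
            continue
        # An accepted login: does it follow a burst of failures from the same source?
        recent = [(t, u) for t, u in failures[src] if (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append({
                "src": src,
                "host": host,
                "user": user,
                "failed_attempts": len(recent),
                "usernames_tried": sorted({u for _, u in recent}),
                "first_failure": recent[0][0].isoformat(),
                "success": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_then_success(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data this yields one alert for 203.0.113.5: five failures across three usernames, then an accepted password login as "backup" about a minute later; the later key-based login by "alice" from a different address raises nothing. The threshold and window are the knobs a real deployment tunes against its own baseline, and the same correlation shape applies to any service that records both failed and successful access.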

I will be covering these in more depth during my Stop the Breach before It Happens: Easy, Smart, and Powerful Security Management Solutions webcast this Thursday, brought to you by Information Week and Dark Reading. I’ll summarize an intrusion and describe some of the forensic analysis used to detect it. Based on this experience, we will discover how the same investigative skills can be leveraged to proactively manage a service going forward. I look forward to seeing you there.


Posted Oct 18 2011, 02:00 PM by Garve Hays
