Breached System Recovery
Heuristically, where do you start? Discovering a system breach is a daunting task and may be even scarier if you have near zero experience of how to begin.
This is something that we have of a significant scope of experience, here are a few of our steps to recovery and prevention.
No one wants their data stolen. No one wants their identity stolen. No one wants to discover that their system was breached. With the world experiencing a data breach every second, here is our procedure. They really is no set start point, hence a heuristic full-scope approach.
Why are you going through these stresses? An explanation and another explanation.
-
If you can, disconnect the system from the network. If you cannot, do not reboot.
-
Rsync your data else where, to a remote repository on your local network if possible
-
rsync -a –in-place /this/directory/ /to/this/directory
-
-
Take a bird’s-eye view of running processes
-
ps auxwf
-
unhide other processes
-
-
Take a step back and find out which files were modified on a per-moment basis, hours, days, weeks or months
-
ls -ltr | grep “date | awk ‘{print $2” “$3}'”
-
-
Do your normal check for malware and viruses, realize that they do exist in Windows, Linux and Mac OS.
-
Audit your accounts and modify passwords for all users, identities, and services
-
Audit you are network topologies, enforce secure SSH with identity checks and generate new keys for VPN access
-
Audit the capabilities of your network switches and routers, update the firmware or upgrade the appliance
-
-
Audit your firewall
-
If you are using a web server such as Apache, audit your modules included in the running Apache process
-
If you use a variety of internet email solutions, audit your email solution
-
Multi-factor and zero trust may help however they are not a full solution
-
Security by obscurity is still passé and was meant for hipsters exiting through the kitchen door
-
Audit your entire organization – in the Coronaland / Covid-19 moment and post Coronaland remote / work from home workforce
-
-
By now you should have a failover and failback solutions that have been tested, even for the sake of this testing their process
-
Reliably test solutions regardless of using ZFS, XFS, Ext2-4, or BTRFS. Ceph or another
-
Each file system and operating system for that matter has its own quirks and benefits – learn and use them to your advantage.
-
-
Evaluate what software and solutions you use. Have the realization that even if you use tripwire or another IDS or SIEM, malicious attackers can still plant bad softer on your system without your knowledge.
-
Aronetics is building their own solution that may trump most IDS and SIEMs
-
If you use, TrustWave, LogRhythm, Splunk, TripWire, please reach out to us. We would appreciate the opportunity to learn about why you use these software solutions and to mitigate current pain points.
-