How to respond to a 'professional' hacker

I think the short absence has been worth it 🙂 These days I am more excited than ever to start new projects, and I suppose that soon I will have news about my progress in Gentoo 🙂 But that is not today's topic.

Forensic Computing

Some time ago I bought a course on Forensic Computing. I find it very interesting to learn the procedures, measures and countermeasures that have been created to deal with digital crimes these days. Countries with well-defined laws on the matter have become benchmarks on the subject, and many of these processes should be applied globally to ensure proper information management.

Lack of procedures

Given the complexity of the attacks these days, it is important to consider what consequences the lack of security supervision of our equipment can bring. This applies to large corporations as well as small or medium-sized companies, and even at a personal level. It applies especially to small or medium-sized companies, where there are no defined procedures for handling, storing or transporting critical information.

The 'hacker' is not stupid

Another especially tempting target for a hacker is small amounts, but why? Let's imagine this scenario for a second: if I manage to 'hack' a bank account, which amount stands out more, a withdrawal of 10 thousand (in your currency) or one of 10? Obviously, if I am checking my account and out of nowhere a withdrawal / transfer / payment of 10 thousand (in your currency) appears, the alarms go off; but if it was one of 10, it may disappear among hundreds of small payments. Following this logic, one can replicate the 'hack' in about 100 accounts with a little patience, and with this we get the same effect as the large withdrawal, without the alarms it would have set off.

Business problems

Now suppose that this account belongs to our company: among payments to workers, materials and rent, these small payments can easily go unnoticed, and it can take a long time before anyone realizes precisely where or how the money is going. But this is not the only problem. Suppose a 'hacker' has gotten into our server: now he not only has access to the accounts connected to it, but to every file (public or private), to every existing connection, and to control over when the applications run and the information that flows through them. It's a pretty dangerous world when we stop to think about it.

What preventive measures are there?

Well, this is a pretty long topic, and actually the most important thing is always to prevent every possibility, since it is much better to avoid the problem before it happens than to pay the consequences of the lack of prevention. Many companies believe that security is a matter of 3 or 4 audits a year. This is not only unrealistic, it is even more dangerous than doing nothing, since it creates a false sense of 'security'.

They already 'hacked' me, now what?

Well, if you have just suffered a successful attack by a hacker, whether independent or hired, you need to know a minimum protocol of actions. These steps are the bare minimum, but they will allow you to respond far more effectively if done correctly.

Types of evidence

The first step is to identify the affected devices and treat them as such: digital evidence ranges from the servers to the printers placed on the network. A real 'hacker' can pivot through your networks using vulnerable printers; yes, you read that right. This is because printer firmware is very rarely updated, so you may have vulnerable equipment for years without even noticing it.

So, when facing an attack, keep in mind that many more artifacts than the obviously compromised machine can be important evidence.

First responder

I can't find a correct translation of the term, but the first responder is basically the first person to come into contact with the equipment. Many times this person will not be a specialist: it can be a systems administrator, an engineering manager, even a general manager who happens to be on the scene at the moment and has no one else to respond to the emergency. Because of this, it is necessary to note that none of them is the ideal person for the job, but whoever it is must know how to proceed.

There are 2 states a device can be in after a successful attack, but first it is worth emphasizing that a successful attack usually comes after many unsuccessful attacks. So if they have already stolen your information, it is because there was no defense and response protocol. Remember the part about prevention? This is where it carries the most sense and weight. But hey, I'm not going to rub it in too much. Let's keep going.

A device can be in two states after an attack: connected to the internet, or without a connection. This is very simple but vital: if a computer is connected to the internet, it is ESSENTIAL to disconnect it IMMEDIATELY. How do I disconnect it? Find the first router providing internet access and unplug the network cable; do not turn the device off.

If the device was WITHOUT A CONNECTION, we are facing an attacker who has physically compromised the facilities. In this case the entire local network is compromised, and it is necessary to seal off the network outlets without modifying any equipment.

Inspect the equipment

This is simple: NEVER, EVER, UNDER ANY CIRCUMSTANCES should the First Responder inspect the affected equipment. The only case in which this rule can be set aside (and it almost never happens) is when the First Responder is a person with specialized training for reacting in those moments. But to give you an idea of what can happen in these cases:

Under Linux environments

Suppose our attacker has made a small, seemingly insignificant change using the permissions he obtained in his attack: he replaced the ls command located at /bin/ls with the following script:

#!/bin/bash
rm -rf /

Now, if we inadvertently run a simple ls on the affected computer, it starts a self-destruction of all kinds of evidence, wiping every possible trace from the machine and destroying any chance of finding a culprit.
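As an added example that is not part of the original post: a small offline check, run against a read-only mounted copy of the affected disk rather than on the live machine, that flags a system binary whose contents are a shell script instead of an ELF executable and whose hash no longer matches a known-good manifest. The manifest and file contents here are constructed; in practice the hashes would come from the distribution's package database.

```python
# Added example (not from the original post): offline integrity check of
# system binaries on a READ-ONLY mount of the evidence image, never run on
# the live compromised host, where a single `ls` may be the trap.
import hashlib
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"


def classify_header(data: bytes) -> str:
    """'elf' for a real executable, 'script' for a '#!' file, else 'unknown'.
    /bin/ls must be ELF; a shebang in its place is the swap the post describes."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    return "unknown"


def audit_files(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[dict]:
    """Compare captured file bytes against known-good SHA-256 hashes.
    `files`: path -> bytes read from the evidence copy.
    `manifest`: path -> hash recorded from a clean install (constructed here;
    in practice taken from the distribution's package database)."""
    findings = []
    for path, expected in manifest.items():
        data = files.get(path)
        if data is None:
            findings.append({"path": path, "status": "missing", "kind": None})
            continue
        kind = classify_header(data)
        if hashlib.sha256(data).hexdigest() != expected:
            status = "replaced-by-script" if kind == "script" else "modified"
        else:
            status = "ok"
        findings.append({"path": path, "status": status, "kind": kind})
    return findings


# Constructed sample: a clean 'cat' and the 'ls' swapped for the post's script.
CLEAN_CAT = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"constructed-elf-body"
SWAPPED_LS = b"#!/bin/bash\nrm -rf /\n"


def demo() -> Dict[str, str]:
    """Audit the constructed sample and return {path: status}."""
    manifest = {
        "/bin/cat": hashlib.sha256(CLEAN_CAT).hexdigest(),
        "/bin/ls": hashlib.sha256(ELF_MAGIC + b"original-ls-body").hexdigest(),
    }
    captured = {"/bin/cat": CLEAN_CAT, "/bin/ls": SWAPPED_LS}
    return {f["path"]: f["status"] for f in audit_files(captured, manifest)}
```

On a real image the same functions would be fed the bytes of each path under the mount point, which is safe because nothing from the image is ever executed.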

Under Windows environments

The logic follows the same steps: renaming files in system32 or altering the registry itself can make a system unusable, causing information to be corrupted or lost; how harmful the damage gets is left to the attacker's creativity.

Don't play hero

This simple rule can avoid many problems, and even open the possibility of a serious, real investigation into the matter. There is no way to start investigating a network or system if all possible traces have been erased, but obviously those traces have to be left behind deliberately: this means we need protocols that enforce and support security requirements. But if we reach the point where we have to face an attack, it is necessary to NOT PLAY HERO, since a single wrong move can cause the complete destruction of all kinds of evidence. Excuse me for repeating it so much, but how could I not, if this single factor can make a difference in so many cases?

Final Thoughts

I hope this little text helps you get a better idea of what it means to defend your things 🙂 The course is very interesting and I am learning a lot about this and many other topics, but I have already written a lot, so we'll leave it there for today 😛 Soon I will bring you news about my latest activities. Cheers,


15 comments, leave yours


  1.   Cra said

    What I consider of vital importance after an attack, rather than starting to execute commands, is not to restart or turn off the computer, because unless it is ransomware, all current infections save data in RAM memory.

    And changing the ls command in GNU/Linux to "rm -rf /" would not complicate anything, because anyone with minimal knowledge can recover data from an erased disk. I'd better change it to "shred -f /dev/sdX", which is a bit more professional and does not require confirmation like the rm command applied to root.

    1.    ChrisADR said

      Hi Kra 🙂 thank you very much for the comment, and very true, many attacks are designed to keep data in RAM while it is still running. That is why a very important aspect is to leave the equipment in the same state as in which it was found, either on or off.

      As for the other, well, I would not trust that much 😛 especially if the one who notices is a manager, or even some member of IT who works in mixed environments (Windows and Linux) and the "manager" of the Linux servers is nowhere to be found. Once I saw how a whole office was paralyzed because nobody but the "expert" knew how to start the proxy on the Debian server ... 3 hours lost due to a service start 🙂

      So I was hoping to leave an example simple enough for anyone to understand, but according to you, there are many more sophisticated things that can be done to annoy the attacked 😛

      Regards

      1.    Chichero said

        What if it restarted with something other than ransomware?

        1.    ChrisADR said

          Well, much of the evidence is lost, Chichero. In these cases, as we have commented, a large part of the commands or 'viruses' remain in RAM while the computer is turned on; at the time of restarting, all that information that may become vital is lost. Another element that is lost is the circular logs, both of the kernel and of systemd, which contain information that can explain how the attacker made his move on the computer. There may be routines that clean temporary spaces such as /tmp, and if a malicious file was located there, it will be impossible to recover it. In short, a thousand and one options to contemplate, so it is simply best not to move anything unless you know exactly what to do. Greetings and thanks for sharing 🙂

    2.    Gonzalo said

      If someone can have as much access on a Linux system as to replace a command with a script, in a location that requires root privileges, then rather than the action itself, the worrying thing is that paths were left open for a person to do that.

      1.    ChrisADR said

        Hello Gonzalo, this is also very true, but I leave you a link about it,
        [1] https://www.owasp.org/index.php/Top_10_2017-Top_10

        As you can see, the top rankings include injection vulnerabilities, weak access controls, and most important of all, BAD CONFIGURATIONS.

        Now from this it follows the following, which is "normal" these days, many people do not configure their programs well, many leave permissions by default (root) on them, and once found, it is quite easy to exploit things that "supposedly" they have already been "avoided." 🙂

        Well, nowadays very few people care about the system itself when applications give you access to the database (indirectly) or access to the system (even non-root) since you can always find the way to elevate privileges once minimal access is achieved.

        Greetings and thanks for sharing 🙂

  2.   Javilondo. said

    Very interesting ChrisADR, by the way: What is that security course you bought and where can you buy it?

    1.    ChrisADR said

      Hello Javilondo,

      I bought an offer on Stackskills [1], several courses came in a promotion package when I bought it a few months ago, among them the one I am doing now is one from cybertraining365 🙂 Very interesting all actually. Cheers

      [1] https://stackskills.com

  3.   Guillermo Fernandez said

    Greetings, I have followed you for a while and I congratulate you for the blog. With respect, I think the title of this article is not correct. Hackers are not the ones who damage systems, it seems essential to stop associating the word hacker with cyber-criminal or someone who harms. Hackers are the opposite. Just an opinion. Greetings and thanks. Guillermo from Uruguay.

    1.    ChrisADR said

      Hello Guillermo 🙂

      Thank you very much for your comment, and for the congratulations. Well, I share your opinion about it, and what's more, I think I'm going to try to write an article on this topic, since as you mentioned, a hacker doesn't necessarily have to be a criminal, but be careful with the NECESSARY, I think this is a topic for an entire article 🙂 I put the title like this because although many people here read already having previous knowledge of the subject, there is a good part that does not have it, and perhaps they better associate the term hacker with that (although it should not be like that) but soon we will make the subject a little clearer 🙂

      Greetings and thanks for sharing

      1.    Guillermo Fernandez said

        Thank you very much for your answer. A hug and keep it up. Guillermo.

  4.   aspros said

    A hacker is not a criminal, on the contrary they are people who tell you that your systems have bugs and that is why they enter your systems to alert you that they are vulnerable and tell you how you can improve them. Never confuse a hacker with computer thieves.

    1.    ChrisADR said

      Hello aspros, do not think that hacker is the same as "security analyst", a somewhat common title for people who are dedicated to informing if systems have bugs, they enter your systems to tell you that they are vulnerable and etc etc ... a true Hacker goes beyond the mere "trade" from which he lives his day to day life, it is rather a vocation that urges you to know things that the vast majority of human beings will never understand, and that knowledge provides power, and this will be used to do both good and bad deeds, depending on the hacker.

      If you search the internet for the stories of the best known hackers on the planet, you will find that many of them committed "computer crimes" throughout their lives, but this, rather than generating a misconception of what a hacker can or cannot be , it should make us think about how much we trust and surrender to computing. Real hackers are people who have learned to distrust common computing, since they know its limits and flaws, and with that knowledge they can calmly "push" the limits of systems to get what they want, good or bad. . And "normal" people are afraid of people / programs (viruses) that they cannot control.

      And to tell the truth, many hackers have a bad concept of "security analysts" since they are dedicated to using the tools that they create to get money, without creating new tools, or really investigating, or contributing back to the community ... just living day to day saying that system X is vulnerable to vulnerability X that Hacker X discovered… Script-kiddie style…

  5.   Jazz said

    Any free course? Mostly for beginners, I mean, apart from this one (NOTE, I have only just arrived at DesdeLinux, so I haven't looked at the other computer security posts, so I don't know how beginner-level or advanced the topics you are covering are 😛 )
    Regards

  6.   nuria martinez said

    This page is great, it has a lot of content. About hackers, you have to have a strong antivirus to avoid being hacked.

    https://www.hackersmexico.com/