In the aftermath of a network attack, you must act quickly to recover systems and prevent further attacks. Two previous articles provided advice about the steps to take immediately after detecting an intrusion and the actions to initiate during the first hour or so. In this article, we'll focus on long-range measures you can implement to strengthen your defenses after the dust settles.
One of the main challenges in restoring systems is determining when those systems were compromised, how the systems were compromised, and what vulnerabilities were exploited to compromise them. The reality is that hackers rarely get in on their first attempt. They typically have to attempt to exploit a series of vulnerabilities or try a large number of username and password combinations before they find a crack in your systems' armor. Those attempts can, and often do, leave telltale fingerprints of the hacker trying to break down the doors. It's up to you to make sure that you record the attempts and that you have procedures or systems in place to notify you when an attack is being waged. So a key piece of your long-term security strategy—especially after a successful attack has occurred—is the development of a monitoring system that doesn't allow intrusions to go unnoticed.
When was the last time you reviewed the event logs on your servers or the firewall's logs? If you're like most IT professionals, you're too busy to check logs unless there is a problem. Of course, we all know that this isn't an ideal situation, but there never seems to be enough time.
After you've had someone break into your systems, it's important to make a point of doing periodic log reviews. Scheduling a log review for first thing Monday morning means you might have it done by the end of the day Monday. It also gives you a chance to look at what happened over the weekend—when most hackers launch their attacks because they know that no one will be in the office to stop them.
The first week you're back on the Internet after an attack, you should review the logs every day or every few hours, since it's likely that the hacker will be jiggling the locks on all of the doors he or she opened before you discovered the intrusion. If you don't want to manually collect all of the logs from every system and would prefer to receive alerts when certain events occur, you can implement Microsoft Operations Manager (MOM). You can learn more about this from Jim Boyce's article "Handle the enterprise with Microsoft Operations Manager."
With log reviews, there's an inherent delay between when an attack occurs and when it's discovered. Even if you're reviewing logs daily, an attack can go unnoticed for hours—which leaves a lot of time for a hacker to try to find the right opening in your systems. That's where intrusion detection comes in. An intrusion-detection system (IDS) constantly watches your network and alerts you or takes other actions when an intruder is detected.
IDSs can work with your existing firewall to add filters that prevent the attacker from making further progress. By adding an explicit "deny" rule for the source address the attack is coming from, you can stop the hacker from making any further progress into your systems from that location.
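As an added example (not part of the original article), here is a small Python detector that applies the points above to a constructed Windows 2000 security-log export: it counts logon failures per source address inside a sliding window, escalates when a successful logon follows a burst of failures, and lists the source addresses that are candidates for an explicit firewall deny rule. The CSV layout, addresses, account names and timestamps are constructed sample data; the threshold and window are assumptions you would tune to your environment.

```python
"""Detect password-guessing patterns in a constructed Windows 2000
security-log export and list sources for a firewall deny rule."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event ID, account, source address.
# 529 = logon failure (bad user name or password), 540 = network logon succeeded.
SAMPLE_LOG = """\
2002-03-16 02:14:05,529,administrator,203.0.113.7
2002-03-16 02:14:09,529,administrator,203.0.113.7
2002-03-16 02:14:12,529,admin,203.0.113.7
2002-03-16 02:14:15,529,root,203.0.113.7
2002-03-16 02:14:20,529,backup,203.0.113.7
2002-03-16 02:14:27,540,backup,203.0.113.7
2002-03-16 08:30:01,529,jsmith,192.168.1.20
2002-03-16 08:30:40,540,jsmith,192.168.1.20
"""

FAILURE_IDS = {529, 539}   # bad password, account locked out
SUCCESS_IDS = {528, 540}   # interactive / network logon succeeded

def parse(text):
    """Turn the export into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, user, src = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, src))
    return events

def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source: severity}: 'guessing' once `threshold` failures fall
    inside `window`; 'compromise' if a success then follows that burst."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = {}
    for ts, eid, user, src in sorted(events):
        if eid in FAILURE_IDS:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(src, "guessing")
        elif eid in SUCCESS_IDS and alerts.get(src) == "guessing":
            alerts[src] = "compromise"   # valid credentials right after a burst
    return alerts

def deny_rule_candidates(alerts):
    """Sources worth an explicit firewall deny rule, worst first."""
    order = {"compromise": 0, "guessing": 1}
    return sorted(alerts, key=lambda s: order[alerts[s]])
```

A single failed logon followed by a success (the jsmith lines) is not flagged, so ordinary typos do not generate alerts.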
More about intrusion detection
- "Implementing an intrusion detection system on your network"
- "Enhance intrusion detection with a honeypot"
Perform an external security audit
I keep two systems out on the Internet, hosted in a colocation facility, that are secured but are not behind a firewall. They're out there for the explicit purpose of allowing me to perform quick intrusion tests for any of our clients. One of the systems is a Linux box that can run a series of open source vulnerability analysis tools, such as Nmap and Whisker. The other system is a Windows machine that runs a different set of tools, including Foundstone's SuperScan and N-Stalker's N-Stealth.
Why are there two systems running two different sets of tools? The answer is simple: No single tool can provide a complete vulnerability assessment. Each tool has its limitations and quirks. It would be expensive for an organization to maintain a set of systems outside the firewall, to purchase multiple scanning packages, and to learn them well enough to run them effectively. For this reason, it's important to engage an independent firm to perform an external security audit. When interviewing the firm, you should ask about its experience and the types of tools it uses to identify vulnerabilities.
After a hacker has gained access to your network, you may want to change every password. This means every user and service account password on every server and every device. On the surface, this might seem like an easy thing to do. But, in reality, it's an exhaustive process that can take a substantial investment of time.
The reason you may want to change every password is that it's possible—depending on the machine that was hacked and the type of intrusion—that some or all of the passwords on the system were compromised. A hacker who has obtained all of the users' passwords will eventually try to gain access again using valid usernames and passwords. The only way to be certain that the hacker doesn't have any valid accounts is to change all account passwords.
Before taking this plunge, consider these three things:
- All user accounts will need a new password. This is potentially disruptive to the users; however, in a Windows 2000 environment, the passwords can be changed with a minimum number of keystrokes.
- Changing the services account passwords could prove to be a more daunting task, since every server will have to be rebooted to confirm the new passwords for the service account. It also means that network-level service account password changes will need to be coordinated so that all the servers using the service accounts can be changed at the same time.
- Changing all of the device passwords can be tricky. Myriad devices within your network have their own usernames and passwords. Unless you've developed a list somewhere, it's likely that you'll forget at least one or two devices. The critical ones, such as your routers and firewalls, may be easy to remember. However, it may not be so easy to remember the passwords on print servers, security cameras, and other network-attached devices.
Ultimately, whether you decide to change all of the passwords depends on how willing you are to skip a step that might otherwise leave your network open to being hacked again. For environments where security is vital, you may have to change every password.
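The three considerations above, as an added example that is not from the original article: a Python planner over a constructed account and device inventory that groups every service-account change with all the servers using that account (so they can be changed and rebooted together) and compares the device inventory with hosts seen on the network to surface devices whose passwords would otherwise be forgotten. The inventory, host names and the network sweep are constructed sample data.

```python
"""Build a coordinated post-intrusion password-rotation plan from a
constructed inventory and flag devices that are missing from it."""

# Constructed inventory: (account, kind, hosts that use or hold it).
INVENTORY = [
    ("jsmith", "user", ["DC1"]),
    ("svc_backup", "service", ["FILE1", "FILE2", "SQL1"]),
    ("svc_sql", "service", ["SQL1"]),
    ("admin", "device", ["fw-edge"]),
    ("admin", "device", ["rtr-core"]),
    ("admin", "device", ["printsrv-2"]),
]

# Constructed: hosts that answered during a sweep of the management network.
SEEN_ON_NETWORK = ["fw-edge", "rtr-core", "printsrv-2", "camera-lobby", "printsrv-1"]

def build_plan(inventory):
    """Users go in one bulk step; each service account is batched with every
    host that uses it so the change and reboots happen together; devices
    are listed one entry per host."""
    plan = {"users": [], "service_batches": {}, "devices": []}
    for account, kind, hosts in inventory:
        if kind == "user":
            plan["users"].append(account)
        elif kind == "service":
            plan["service_batches"].setdefault(account, set()).update(hosts)
        else:
            plan["devices"].extend((account, h) for h in hosts)
    return plan

def hosts_needing_reboot(plan):
    """Every server touched by any service-account change, deduplicated."""
    return sorted(set().union(*plan["service_batches"].values()))

def missing_from_inventory(plan, seen):
    """Devices that responded on the network but have no inventory entry:
    the ones whose passwords would otherwise be forgotten."""
    known = {h for _, h in plan["devices"]}
    return sorted(set(seen) - known)
```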
Recovering the security of systems once they have been compromised is painful. Often, IT pros are so exhausted after the first battle that they forget to prepare for the war. But if you build the right barriers and construct the right kind of surveillance to determine when an attack occurs next time, you should be able to stop the barbarians before they breach your network.