d46j48fx
Contributor I

Is it overkill to wipe a machine after successful phishing attempt?

Colleagues,

 

I would appreciate your "best practice" responses to the question, "Is it overkill to wipe a machine after successful phishing attempt?" 

 

Scans from two different AV products plus a rootkit scan came up empty on the user's machine. I'm playing the paranoia card (the user didn't report the compromise AT ALL; we found out when another event occurred). The help-desk is pushing back with "Wipe, re-image and restore is gonna take us forever! There was nothing found on the machine so...yah...gonna ignore your recommendation."

 

In my organisation the security function is integral to the IT team, as opposed to being organizationally separate. You can no doubt appreciate why the above tug-of-war is happening. This has been addressed in a recent external security assessment and I know what result I'm fighting for. However, for now, I would appreciate your thoughts on, "Wipe or Don't Wipe?"

 

Thanks!

 

DL

10 Replies
denbesten
Community Champion


@d46j48fx wrote:

The help-desk is pushing back with "Wipe, re-image and restore is gonna take us forever! There was nothing found on the machine so...yah...gonna ignore your recommendation."

 

 I would appreciate your thoughts on, "Wipe or Don't Wipe?"


Wipe.  If anybody has any suspicions, wipe.

 

That said, the help desk is right to complain about MTTR. Users have jobs to do and incident response prevents them from getting their work done. Instead of fighting for downtime, fight for tools, techniques and procedures that quickly and securely get the user back to normal.

 

Here is how we do it:

 

  1. Use OneDrive (or similar, such as Dropbox) to continuously back up user data.
  2. Use folder redirection to ensure that OneDrive backs up any folders where users stash stuff, such as Desktop, Documents, Pictures, etc.
  3. After you have completed any in-memory analysis (if you do that sort of thing), shut down the machine, swap in a pre-imaged hard drive and give the machine back to the user.
  4. Use group policy to reinstate OneDrive and other configuration items when a user logs in for the first time.
  5. Let the user know that you will continue to look into the incident for the next few days and that you will let them know what you found and if there is need for additional remediation on the "new" machine.
  6. Pop the hard drive into a spare PC (preferably as a non-boot drive) to continue with a more comprehensive analysis after the user has returned to normal.
  7. Keep the old drive around for a few weeks so that you can refer to it if the user needs something (e.g. a printout of add-remove programs). Then, wipe it and it becomes a pre-imaged hard drive.
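The procedure above leans on two things being true before the drive is pulled: the user's known folders actually live inside the OneDrive sync root (steps 1, 2 and 4), and nothing the user cares about sits elsewhere in the profile (step 3). The following PowerShell is an added example, not code from the original thread or from the poster. It writes the OneDrive Known Folder Move policy as the registry values the OneDrive ADMX template sets (in practice you deliver these via GPO or Intune), then runs a pre-swap check as the affected user. The tenant ID is a placeholder, and the check assumes the OneDrive sync client is signed in to a work account, which sets the OneDriveCommercial environment variable to the sync root.

```powershell
# Added example, not from the original thread.
# (a) Set-OneDriveKfmPolicy: the Known Folder Move policy values (steps 1, 2, 4).
# (b) Test-KnownFolderRedirection / Get-UnsyncedUserFiles: pre-swap check, run as
#     the affected user before step 3, confirming Desktop/Documents/Pictures are
#     redirected and listing profile files that would be lost with the old drive.
# $TenantId is a placeholder; $env:OneDriveCommercial is set by the sync client
# when signed in to a work/school account.

$ErrorActionPreference = 'Stop'

function Set-OneDriveKfmPolicy {
    # Requires an elevated prompt. Silently moves known folders into OneDrive for
    # the given tenant and blocks users from opting back out.
    param([Parameter(Mandatory)][string]$TenantId)
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    New-Item -Path $policy -Force | Out-Null
    Set-ItemProperty -Path $policy -Name 'KFMSilentOptIn'      -Value $TenantId -Type String
    Set-ItemProperty -Path $policy -Name 'KFMBlockOptOut'      -Value 1 -Type DWord
    Set-ItemProperty -Path $policy -Name 'SilentAccountConfig' -Value 1 -Type DWord
}

# Known folders KFM redirects, keyed by their value name under User Shell Folders.
$knownFolders = @{ Desktop = 'Desktop'; Documents = 'Personal'; Pictures = 'My Pictures' }

function Get-OneDriveSyncRoot {
    if (-not $env:OneDriveCommercial) {
        throw 'OneDrive is not signed in to a work account on this profile; nothing is being synced.'
    }
    return $env:OneDriveCommercial.TrimEnd('\')
}

function Test-KnownFolderRedirection {
    param([string]$SyncRoot = (Get-OneDriveSyncRoot))
    $shellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $props = Get-ItemProperty -Path $shellKey
    foreach ($name in $knownFolders.Keys) {
        $raw  = [string]$props.($knownFolders[$name])
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Folder     = $name
            Path       = $path
            Redirected = $path.StartsWith($SyncRoot, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

function Get-UnsyncedUserFiles {
    # Files under the profile that are neither in the sync root nor in AppData
    # go away with the old drive; list them so the responder can decide.
    param([string]$SyncRoot = (Get-OneDriveSyncRoot), [string]$Profile = $env:USERPROFILE)
    $appData = Join-Path $Profile 'AppData'
    Get-ChildItem -Path $Profile -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.FullName.StartsWith($SyncRoot, [StringComparison]::OrdinalIgnoreCase) -and
            -not $_.FullName.StartsWith($appData,  [StringComparison]::OrdinalIgnoreCase)
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Uncomment on a build/management host to lay down the policy (placeholder tenant ID):
# Set-OneDriveKfmPolicy -TenantId '00000000-0000-0000-0000-000000000000'

$root   = Get-OneDriveSyncRoot
$status = Test-KnownFolderRedirection -SyncRoot $root
$status | Format-Table -AutoSize

$missing = $status | Where-Object { -not $_.Redirected }
if ($missing) {
    Write-Warning ('Not redirected into OneDrive: ' + ($missing.Folder -join ', '))
}

$stray = @(Get-UnsyncedUserFiles -SyncRoot $root)
if ($stray.Count -gt 0) {
    Write-Warning "$($stray.Count) file(s) outside the sync root would be lost with the drive:"
    $stray | Format-Table -AutoSize
}
```

The check only proves the folders point into the sync root; it does not prove the client has finished uploading. Before shutting the machine down for the swap, confirm the OneDrive client reports "Up to date" (the green check marks mentioned later in the thread), otherwise files modified in the last few minutes exist only on the drive you are about to pull.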
d46j48fx
Contributor I

Thanks for the response!

 

The only issue is that the type of device typically used in our org has a non-removable storage drive (not w/o voiding warranty). We can give the user a loaner device while we investigate further, which gives us the best of both worlds. We also have OneDrive. The only remaining helpdesk pushback would be time and resources to wipe, reimage and restore...and if the bellyaching gets too loud I guess Infosec can do it. After all, for helpdesk, it's, "Next ticket!", whereas for infosec it's, "What happened? How? Next steps?" In other words, we have more of a vested interest in the "gateway" device than the helpdesk.

MikeGlassman
Contributor II

I'm going to be a bit harsher here.

 

The help desk does not get to make decisions of a security matter when it could mean damage to the whole organization. Their job is to ensure smooth operations, and if that means re-imaging a machine, then that's exactly what they do.

 

Wiping a machine before re-imaging is a waste of time, if your re-imaging procedure restores a full disk image, as that overwrites anything on the machine.

 

I'm not quite clear on the issue of "restoring". Why would you need to restore a user's workstation at all? Do you not utilize file servers for the storage of organizational material? Any personal stuff that was on the workstation prior to the issue, well, sorry, but tough s**t. Organization safety comes first.

 

Personally, I shudder away from allowing organizational users to save data to places like OneDrive or Dropbox. We don't allow any such backups at all. If anything, purchase Box or some form of organizational solution which you can control in every way (especially anything that has to do with the ability of a user to share rights on their "drive").

 

But, again, if you have an organizational file server, there is no need for any backups at all (unless of course you use Office 365 or some such which allows your users to save data to the cloud).

 

Organization first.

 

Help desk are enablers, not decision makers.

 

No cloud unless you have complete control.

 

Re-install when you are unsure.

Sincerely,

Mike Glassman, CISSP
Iguana man
Frank_Mayer
Contributor I

It depends on what threat executed the successful phishing attempt.  If it was a nation state or organized crime attack by a capable adversary, then it is not a bad idea.   If it was a script kiddie, then maybe it is an overreaction.  Here is an article you can show the team to awaken them to the advanced threat https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/?verso=true 

 

Vendors of security software like Symantec have their recommended process, see https://support.symantec.com/us/en/article.tech122466.html

In the link above you can see Step 4: Clean the infected computers and this is the key quote from their guidance "determining the extent of the damage done to a computer is difficult and may increase the difficulty of removing all malicious functions from the computer. Under such circumstances, it is often less time consuming to re-image the operating system and restore needed data from clean backups." (see link above)

 

I am a fan of doing an entire clean re-image from a known clean source and restoring from known clean backups if you're dealing with a sophisticated threat or if you don't know who you are dealing with in terms of means and motivation. The evildoers are very insidious and unless your management has a huge appetite for risk just to save staffers some time, then I would flatten the infected systems and start from a known clean fresh start.

 

Again,  a true risk management based decision is needed and the link above provides some options.

 

 

Respectfully,

Francis (Frank) Mayer, CISSP EMERITUS
Frank_Mayer
Contributor I

Mike, you are spot on. Too many people in the business "allow the tail to wag the dog." The information technology, make-it-work-at-any-cost teams, and security teams need to make their case to a manager/executive for an authorized risk decision when there is a disagreement that cannot be resolved easily.

 

The Information technology help desk group and/or application development group should never get to overrule security unilaterally.  Only authorized managers get to make serious risk decisions and too many in the business forget that fact at their peril.

 

 

Respectfully,

Francis (Frank) Mayer, CISSP EMERITUS
AppDefects
Community Champion


@d46j48fx wrote:

Colleagues,

 

I would appreciate your "best practice" responses to the question, "Is it overkill to wipe a machine after successful phishing attempt?" 

 


Successful? That means lateral movement and exfiltration of data? Dude, you have a bigger problem than the user device...

rslade
Influencer II

> d46j48fx (Newcomer III) posted a new topic in Tech Talk on 08-04-2019 08:22 PM

> Colleagues,   I would appreciate your "best practice" responses to the question,
> "Is it overkill to wipe a machine after successful phishing attempt?"

I'd say that, for phishing, a wipe is not only overkill, but ineffective. Phishing
goes after passwords or other credentials. In combination with a RAT or other
malware a wipe *might* be useful, but for simple phishing it isn't the answer.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
What the caterpillar calls the end of the world, the master calls
a butterfly. - Richard Bach
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
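The post above makes the point that phishing takes credentials, and a re-image does nothing about a credential that is already in someone else's hands. The following PowerShell is an added example, not part of rslade's post or anyone else's in the thread, showing the credential-side response that runs alongside (or instead of) the wipe: rotate the password, invalidate existing cloud sessions, and look for the mailbox persistence attackers typically leave behind. It assumes an on-prem Active Directory account synced to Microsoft Entra ID, the ActiveDirectory, Microsoft.Graph and ExchangeOnlineManagement modules installed, and an operator with rights for each step. The account name and UPN are placeholders passed in as parameters.

```powershell
# Added example, not from the original thread. Credential-side response to a
# phishing compromise: rotate the password, revoke cloud sessions, surface
# mailbox persistence. Assumes hybrid AD / Entra ID, the ActiveDirectory,
# Microsoft.Graph and ExchangeOnlineManagement modules, and suitable rights.
# $SamAccountName and $Upn are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # e.g. jdoe
    [Parameter(Mandatory)][string]$Upn               # e.g. jdoe@example.com
)
$ErrorActionPreference = 'Stop'

function New-ThrowawayPassword {
    # 24 bytes from the OS CSPRNG, base64-encoded. Used exactly once: the account
    # is flagged to change it at next logon, so its value never needs recording.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Reset-CompromisedAdAccount {
    param([string]$Identity)
    Import-Module ActiveDirectory
    $secure = ConvertTo-SecureString (New-ThrowawayPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    # Kerberos tickets already issued stay valid until they expire, so the reset
    # alone does not immediately cut an attacker off from on-prem resources.
}

function Revoke-CloudSessions {
    param([string]$UserId)
    Import-Module Microsoft.Graph.Users.Actions
    Connect-MgGraph -Scopes 'User.RevokeSessions.All' -NoWelcome
    # Invalidates refresh tokens and browser session cookies for the account.
    # Access tokens already issued remain usable until they expire.
    Revoke-MgUserSignInSession -UserId $UserId
}

function Get-MailboxPersistence {
    param([string]$Mailbox)
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -ShowBanner:$false
    # Inbox rules that forward, redirect or delete mail, plus mailbox-level
    # forwarding, are the usual leftovers after a credential phish. Listed only;
    # the responder decides what to remove after recording it as evidence.
    $rules = Get-InboxRule -Mailbox $Mailbox | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
    }
    $fwd = Get-Mailbox -Identity $Mailbox |
        Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
    [pscustomobject]@{ SuspiciousRules = @($rules); MailboxForwarding = $fwd }
}

Reset-CompromisedAdAccount -Identity $SamAccountName
Revoke-CloudSessions -UserId $Upn

$persist = Get-MailboxPersistence -Mailbox $Upn
$persist.MailboxForwarding | Format-List
if ($persist.SuspiciousRules.Count -gt 0) {
    Write-Warning 'Inbox rules that forward, redirect or delete mail were found; review before removing:'
    $persist.SuspiciousRules |
        Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage |
        Format-Table -AutoSize
}
```

Run it with `.\Respond-Phish.ps1 -SamAccountName jdoe -Upn jdoe@example.com` (script name and values are placeholders). The order matters: reset the password first so that session revocation is not undone by the attacker simply signing in again with the old credential, and treat any forwarding rule you find as evidence to preserve before you delete it.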
denbesten
Community Champion


@MikeGlassman wrote:

...well, sorry, but tough s**t. Organization safety comes first.

Kudos to you if you can get management buy-in to that level. In my world, the priority is "making widgets". Anything, including "I.T. security", that gets in the way of widget production is a risk requiring remediation. Makes it much more important to come up with nuanced, balanced security solutions.

 

If anything, purchase Box or some form of organizational solution which you can control ...

Sounds like your experience with OneDrive may be limited to personal accounts. When tied to an enterprise account, it is a different beast:

  • It leverages AD and ADFS for IDAM, including MFA.
  • It allows simultaneous collaboration on a single document, which is a great business enabler.
  • Synchronization is to SharePoint(.com), which replaces "organizational file servers".
  • Team shares can be synchronized (or blocked), solving certain DR border cases.
  • It interacts with MS's DLP solution and can organizationally limit who can share with whom (addressing @MikeGlassman's primary concern).
  • Users can self-restore either a file or a PC to "yesterday" (and as far back as "last month"), which is great for when somebody accidentally deletes a dozen slides out of their deck and also for ransomware recovery.
  • Users know that if there is no green check mark, their file is not being backed up, which is great for user comfort level and for validating backups are operational.

Without question, OneDrive had its "challenges" over the years, but it substantially matured in recent revisions and they continue to improve it. Notably, they are now working on encryption at rest. Hopefully, they will next make encryption the default and add the ability to remotely blow away encryption keys.

MikeGlassman
Contributor II

@denbesten 

 

Morning,

 

I have no problem with balanced security solutions. I have a huge issue with companies that put money before security, causing untold damage down the road to end users (be they organizational users or public users of apps or software).

 

If your management chooses to put their own issues before safety (cyber security wise), then I truly feel for you. That is not a place I want to stay at, although I can understand someone else choosing to do so.

 

I am very "black" or "white" on that issue, and yes, it causes issues here where I work as well, but I stand by my beliefs. Management can always make other decisions, but I promise you that I will insist on writing my reservations down as part of the discussion and having it on record for when something occurs. My parents did not an idiot raise. Crazy yes, idiot no.

 

Regarding OneDrive, my experience is organizational. Sadly, the experience we have had with it in the past has been horrendous, up to and including lost data and malicious code. Granted, the corporate entity in charge of the managing and setting up of it was the system (Microsoft) group, but it was enough to make me very wary of it as a service.

 

In any case, we cannot allow (due to the data we hold) users to back their workstations up to the cloud. Not to mention that it would absolutely kill our bandwidth, which is not all that great as it is. We much prefer on-site servers for organizational data, and are slowly developing the matrix which will allow data sharing in specific areas, but it's not simple at all sadly.

 

In any case, it won't be backups, it will be data sharing.

 

Again, I am not putting down anything anyone else does, because I understand that not everyone (not even close) has the management backing that we have here for cyber issues. I also know how hard it is to get people who see one thing in their sights, to see, understand and accept something else.

 

Our world is not an easy one.

Sincerely,

Mike Glassman, CISSP
Iguana man