RE: Network Compromised

["Murda Mcloud" <murdamcloud () bigpond com>]

How do you know that the network was compromised and that 'the same
attacker' got onto your home system?

As Mike says, getting a competent team will be expensive and whether you
choose to go down that path depends on many things, not least how seriously
you/your company take the breach and what the attacker may have gained from
it. Proprietary info? Client data? 

First thing would be to try and move as quickly as possible because if
people are still using the breached systems and/ or the attacker still has
access then what is potentially disappearing is evidence/data. Obviously,
trying to get the balance between things like imaging drives or taking
systems down with the need to keep working is a tough call, in any company.

If the attacker is an outsider and is potentially doing huge damage, pulling
the plug on external connections may be an idea for a short period of time.
This is probably a worst case scenario though.

If he/she/them is an insider, then it's imperative that you find out who it
is asap.

Last thing, just reinstalling the OS at home may not give you any clues as
to what happened and whether it could re-occur. How confident are you that
they still can't get access? Which way round did it happen? From your
machine to the office network or from your office network to you home
machine. Ie, where did he compromise first.

Apologies for only having more questions for you but that's what starts to
run through my head when I think an incident(s) has taken place. That way I
can concentrate on what facts I need to gather and where I can get them
from.
> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > On Behalf Of Mike Hale
> > Sent: Friday, August 01, 2008 1:24 AM
> > To: Evan D. Blackmore
> > Cc: security-basics () securityfocus com
> > Subject: Re: Network Compromised
> >
> > If you're going to attempt to present it as evidence, you don't do it
> > yourself as it sounds like you have no experience in this arena.  You
> > need to contact someone local who's done these things before.  As
> > Craig Wright lives in Australia, he may have some recommendations for
> > you if he's not too busy at the moment.
> >
> > Unfortunately, it will be expensive; competent security services don't
> > come cheap.
> >
> > On Wed, Jul 30, 2008 at 10:22 PM, Evan D. Blackmore
> > <evan.blackmore () advproj com au> wrote:
> > > Hi all
> > >
> > > Recently the network at my place of employment was compromised the only
> > > evidence I could easily recovery was the attackers dhcp lease on our
> > > network. This same attacker also got onto my network at home and onto
> > my
> > > personal machine (teach me for not keeping my firewall up to date) I
> > > took the easy option at home and just reinstalled the operating system.
> > > I can't do that at work however........the thing is I'm not sure if he
> > > did anything while on my work network. I thought that he may have
> > gotten
> > > my logon when he compromised my machine (I use a vpn from home) but the
> > > date of the dhcp lease indicates that he was on my employers network
> > > first.
> > >
> > > I rang the cops (computer crime) and they told me that I would have to
> > > investigate it myself so I'm posting to get some advice on how I might
> > > go about this or if it is even necessary. I'm familiar with forensics
> > on
> > > Linux boxes as I did it at uni but we run a Windows based network here.
> > >
> > >
> > > Regards,
> > >
> > > Evan Blackmore
> > > Advanced Project Solutions
> > >
> > > Office - +61 8 9441 5700
> > > Direct - +61 8 9441 5773
> >
> >
> >
> > --
> > 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0