There is a balance between optimism and paranoia for compromised machines

August 31, 2008

There is an important proviso for the first principle of analyzing compromised machines: in practice, most attacks are not that good or that thorough. In real life, as opposed to mathematically correct security advice, there is a tradeoff between your caution level and the amount of work you have to do (either in analyzing a machine or in reinstalling it) and sometimes it is appropriate to take some risk in exchange for doing less work.

The truly paranoid will reinstall machines from scratch (and never mind the disruption) if there is a chance of system compromise, such as knowing that an account has been compromised. You do this because you make the most cautious assumptions possible: you assume that the attacker knows some way of getting root that is undetected and unpatched, you assume that they were sophisticated and successfully hid their traces, and so on. Even if you detect something, you can never assume that you have detected everything.

(At this level of paranoia, you should probably be using two factor authentication with smartcards and randomly reinstalling machines every so often, just in case. I suspect that few people are this paranoid.)

In my world it is often appropriate to be more optimistic about the lack of competence of our attackers (especially if we have detected the compromise in some obvious way, such as noticing a password cracker eating CPU on a login server). So I wind up doing things like simple system verification, and then conclude that the absence of evidence is evidence of absence (to put it one way), despite the zeroth law.

(This is another of the fuzzy compromises necessary for real computer security.)
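As an added illustration (not the post's own code), this is what "simple system verification" can look like: a hash baseline taken while the machine is believed clean, re-checked later for files that changed, vanished or appeared. The caveat is the post's own point: the check runs on the possibly compromised host, so a careful attacker's kernel rootkit can lie to it; the paths and file contents below are constructed.

```python
# Baseline-and-verify check: hash a tree while it is believed clean, then
# diff the tree against that baseline later. Catches the sloppy attacker who
# swaps a binary; a kernel-level rootkit can hide changes from this check.
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(baseline: dict, root: Path) -> dict:
    """Compare the tree as it is now against the baseline; return what differs."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed example: a tiny fake system tree, baselined, then sloppily tampered with."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls")
        (root / "bin" / "ps").write_bytes(b"original ps")
        baseline = build_manifest(root)  # taken while the tree is believed clean
        (root / "bin" / "ps").write_bytes(b"trojaned ps")  # constructed tampering
        (root / "bin" / "ls").unlink()
        (root / "bin" / "crack").write_bytes(b"password cracker")
        return verify(baseline, root)
```

In practice the baseline must be stored off the host (or on read-only media), since an attacker with root can rewrite a manifest kept locally.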


Comments on this page:

From 71.65.56.124 at 2008-09-01 00:43:17:

I think I'd err on the side of paranoia. Ideally, I'd install another system from scratch and put it in place, while I run forensics on the compromised machine.

If you're lucky and it's an isolated case, no harm is done but the time expended; however, the severity of a systemic infiltration warrants full investigation.

But then, I deal with financial data. Grandma's recipe database has different needs.

--Matt Simmons
http://standalone-sysadmin.blogspot.com

From 70.18.185.222 at 2008-09-01 20:20:25:

(At this level of paranoia, you should probably be using two factor authentication with smartcards and randomly reinstalling machines every so often, just in case. I suspect that few people are this paranoid.)

I'll just cough gently over here in a corner, but yes, I'll grant that my workplace (and specifically my department within my workplace) is a bit extreme in its paranoia.

-- DanielMartin, who can't be bothered to go look up his password yet again

By rdump at 2008-09-24 01:11:35:

You have to be very careful about judging an adversary's competence, however. It's easy to mistake a slapdash, quickie compromise, which leaves lots of signs about what was done, for all that was done. There isn't necessarily just one adversary.

Even more interesting, I've encountered some that will deliberately leave signs of a compromise that can be recovered from without a reinstall, while they take extra pains to hide their more thorough rootkit install. One guy even tried 3 levels of this: an account misuse, a sloppy loadable kernel module rootkit, and a very careful rootkit. They then watch for the recoveries, perhaps as a way of judging how likely other compromises of machines run by the same group are to be detected, before they go to town on the rest of the organization.

Written on 31 August 2008.

Last modified: Sun Aug 31 22:42:40 2008