ISO Consensus Paper: Cleaning Compromised Systems
ISO Consensus papers present the expert security perspective of the Information Security Office staff at the University of Texas at Austin.
A compromised system is more than just a “hacked” computer. A compromised system can be used to attack other systems and is generally considered a threat to all other systems connected to a network. Besides being a threat, a compromised system can also be a liability, exposing many types of sensitive data, such as:
In an educational environment such as the University of Texas at Austin, a compromised system can be especially damaging because we store or process SSN and other protected student data. A single incident could cost hundreds of thousands of dollars in mitigation and notification, not to mention the bad publicity and impact on the alumni and donor communities.
The purpose of this paper is to provide best practices and recommendations when remediating compromised systems. The ISO has intentionally avoided creating a specific “how-to” document due to the number of possible scenarios that would need addressing, as well as the ongoing maintenance that would be required for the document to remain effective. Links and directions to more specific information are provided at the end of the document.
Here are some common types of attacks that compromise computer systems:
There is only one sure way to secure a compromised computer: It is the opinion of the Information Security Office (ISO) that the only dependable way to secure a compromised system is to tear it down and rebuild, that is, format and reinstall from trusted media. Once a system has been compromised, nothing on the system can be trusted. System binaries, data, passwords, logs, and processes are all assumed to be untrustworthy and should be eliminated. Ideally you will have reliable backups, as required by Sec. 1.1 of the Minimum Security Standards for Systems, and those backups will not themselves have been compromised.
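Because nothing on the compromised host can be trusted, the install media and the backups you restore from should be checked against hashes recorded somewhere the attacker could not reach (a vendor checksum page, a snapshot taken before the incident, write-once media). The script below is an added example, not part of the ISO paper and not an ISO tool: it verifies a directory tree against a sha256sum-style manifest and reports each file as ok, modified or missing. The file names, contents and the tampering in demo() are constructed for the illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large images or archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<sha256>  <relative path>' lines (the format sha256sum writes).

    Blank lines and '#' comments are ignored; a leading '*' on the path
    (sha256sum's binary-mode marker) is dropped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        entries[rel.lstrip("*")] = digest.lower()
    return entries


def verify_manifest(manifest_text, root_dir):
    """Compare every manifest entry against the files under root_dir.

    Returns {relative_path: 'ok' | 'modified' | 'missing'}.  The manifest must
    come from outside the compromised host; a manifest stored on the host
    could have been rewritten along with the files it describes.
    """
    results = {}
    for rel, expected in parse_manifest(manifest_text).items():
        path = os.path.join(root_dir, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif sha256_file(path) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def demo():
    """Constructed scenario: snapshot a small tree, then tamper with it.

    The file names and contents below are made up for the example.
    """
    with tempfile.TemporaryDirectory() as root:
        files = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "usr/bin/ls": b"\x7fELF sample binary contents",
            "var/www/index.html": b"<html>ok</html>\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Manifest taken while the tree is still trusted.
        manifest = "\n".join(
            f"{sha256_file(os.path.join(root, rel))}  {rel}" for rel in files
        )
        # Simulate what a compromise might leave behind: a replaced binary
        # and a deleted file.
        with open(os.path.join(root, "usr/bin/ls"), "ab") as f:
            f.write(b"appended bytes")
        os.remove(os.path.join(root, "var/www/index.html"))
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:9} {rel}")
```

On a real restore, run it from a clean host with the manifest read from the trusted copy, for example verify_manifest(open("/media/readonly/manifest.sha256").read(), "/mnt/restored"). Any file reported as modified or missing should be treated as untrusted, and a manifest that only ever lived on the compromised machine proves nothing.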
Attempting a manual recovery of a compromised system: If you cannot rebuild the system from scratch and plan to manually remove the malicious code, please continue reading the ISO recommendations and observations that should be considered before connecting the compromised computer to the network.
Identifying the Compromise
Crime fighting toolkit
When attempting to locate malware on an infected computer, you will want to have a wide range of tools at your disposal. You should have tools for:
When using tools that detect viruses or rootkits, it is recommended that you use software from multiple vendors. Doing this will provide greater coverage and produce a higher rate of detection.
Virtualization software is a critical element of your toolkit. It is especially useful when attempting to determine the possible damage that a particular piece of malware could cause by allowing you to purposefully infect a virtual machine and then collect data without any messy rebuilds. Simply shut down and restart your virtual machine and you’re ready for the next infection. It should be noted that intentionally infecting a computer, virtual or not, could produce undesirable results, infecting other hosts on the network. It is therefore recommended that this be done with extreme caution and only in a controlled, limited environment.
Your detection tools can’t be trusted
It is not uncommon for an infected computer to show no visible signs of compromise. Rootkit creators use various techniques, which are constantly changing and evolving, creating an “arms race” between good and evil. Techniques such as kernel hooking and process injection are two of the more common methods used by malware today. These techniques hide system information, such as running processes and network activity, from your administrative and detection tools. Replacing binaries, hidden files and alternate data streams (ADS) are also commonly used techniques. This is why the ISO ultimately recommends wiping out and rebuilding a system with a suspected compromise.
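The practical consequence of kernel hooking is that one source of truth is never enough: a hidden process is hidden only from the interfaces the rootkit bothered to hook. The script below is an added example (not from the ISO paper and not a tool the ISO distributes) of the cross-view technique that tools such as rootkit detectors use: it compares the PIDs visible by enumerating /proc, which ps and top rely on, against the PIDs that answer a signal-0 probe, and reports IDs present in one view but not the other. It also handles the two common false positives, thread IDs (which answer kill() but never appear as /proc entries) and processes that start between the two views, by checking the thread group and by requiring a PID to stay hidden across several rounds. The live check assumes a Linux host; the sets passed in the test are constructed.

```python
import os
import time


def list_proc_pids():
    """View 1: PIDs visible by enumerating /proc, which is what ps and top read."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid=None):
    """View 2: PIDs that respond to a signal-0 probe.

    kill(pid, 0) delivers nothing; it only asks the kernel whether the PID
    exists.  EPERM (PermissionError) means it exists but belongs to another
    user, so it still counts as alive.
    """
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except (OSError, ValueError):
            max_pid = 32768
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def thread_group_of(pid):
    """Tgid from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def hidden_pids(listed, probed, tgid_of=lambda pid: None):
    """PIDs that answer a probe but are absent from the listing.

    On Linux kill() also accepts thread IDs, and threads never appear as
    top-level /proc entries, so a probed ID whose thread group is a visible
    PID is a thread, not a hidden process, and is dropped.  An ID whose
    status file cannot be read stays on the suspect list.
    """
    suspects = set()
    for pid in probed - listed:
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in listed:
            continue
        suspects.add(pid)
    return suspects


def persistent_hidden(snapshot, rounds=3, pause=0.2):
    """Repeat the comparison and keep only PIDs hidden in every round.

    A process that starts between the listing and the probe of one round
    shows up once and is listed normally the next round; a rootkit-hidden
    process stays hidden.  snapshot() returns one round's suspect set.
    """
    result = None
    for _ in range(rounds):
        found = snapshot()
        result = found if result is None else result & found
        if not result:
            break
        time.sleep(pause)
    return result or set()


def live_snapshot():
    """One round against the running system (Linux only)."""
    listed = list_proc_pids()
    return hidden_pids(listed, probe_pids(), tgid_of=thread_group_of)


if __name__ == "__main__":
    if os.path.isdir("/proc"):
        hidden = persistent_hidden(live_snapshot)
        print("persistently hidden PIDs:", sorted(hidden) or "none")
    else:
        print("/proc not available; cross-view check skipped")
```

Run it as root, and read the result as a lead rather than a verdict: a /proc mounted with hidepid hides other users' processes from the listing while kill() still reports EPERM, which produces benign discrepancies, and a rootkit that hooks kill() as well as readdir hides from both views. That last point is exactly why the paper recommends rebuilding instead of trusting any detection result from the suspect machine.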
Once you have identified and removed the compromise, there are some steps you should take to ensure that the machine is protected from further exposure. This is particularly important if you are manually removing compromised code.
Change your passwords
After a compromise, be sure to immediately change all your passwords on all related trusted systems. Attackers commonly use passwords obtained from compromised systems to gain access to new systems. This is especially important if you are like many people and use the same password for different accounts; it is in your best interest not to reuse passwords across accounts.
Harden your system
As you are eliminating the malicious code, it is a good opportunity to harden the compromised system to prevent future attacks.
Fortunately, following a common set of security best practices both simplifies the work and helps ensure that the appropriate security controls are in place for all of your IT resources. These best practices include basic tasks such as shutting down unnecessary services, running a host-based firewall and anti-virus software, and applying operating system security patches. When dealing with systems that provide application services to other computers, you should also consider the service itself. This means taking the necessary steps to secure a specific service, such as a Web server or a database.
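"Shutting down unnecessary services" is only checkable against a written statement of what the host is supposed to expose. The script below is an added example, not part of the ISO paper and not a tool the ISO provides: it parses the text of ss -tlnp (the Linux listing of listening TCP sockets with their owning process) and compares each listener with an allowlist of port, expected process and permitted scope, flagging ports nobody documented, allowed ports served by an unexpected process, and services meant for localhost that are bound to every interface. The sample ss output, process names, PIDs and the allowlist are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of `ss -tlnp` output; the processes and PIDs are made up.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=1044,fd=21))
LISTEN 0      4096   [::]:443           [::]:*            users:(("nginx",pid=930,fd=6))
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=2291,fd=3))
LISTEN 0      128    127.0.0.1:8081     0.0.0.0:*         users:(("updsvc",pid=2310,fd=4))
"""

# What this hypothetical web host is supposed to expose: port -> (process, scope).
# scope 'any' may bind all interfaces; 'local' must stay on a loopback address.
ALLOWLIST = {
    22: ("sshd", "any"),
    443: ("nginx", "any"),
    3306: ("mysqld", "local"),
}

LOOPBACK = {"127.0.0.1", "[::1]"}
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


class Listener(NamedTuple):
    addr: str
    port: int
    process: Optional[str]
    pid: Optional[int]


def parse_ss(output: str) -> List[Listener]:
    """Extract LISTEN rows from `ss -tlnp` text.

    The header row is skipped because its first column is 'State', not
    'LISTEN'.  Without root, ss omits the Process column, so process and
    pid become None.
    """
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        match = PROCESS_RE.search(line)
        listeners.append(Listener(
            addr, int(port),
            match.group(1) if match else None,
            int(match.group(2)) if match else None,
        ))
    return listeners


def audit(listeners, allowlist) -> List[Tuple[int, str, Optional[str]]]:
    """Return (port, finding, process) for every listener that breaks policy."""
    findings = []
    for l in listeners:
        rule = allowlist.get(l.port)
        if rule is None:
            findings.append((l.port, "unexpected listener", l.process))
            continue
        expected_process, scope = rule
        if l.process != expected_process:
            findings.append((l.port, "unexpected process on allowed port", l.process))
        if scope == "local" and l.addr not in LOOPBACK:
            findings.append((l.port, "exposed beyond localhost", l.process))
    return findings


def demo():
    """Audit the constructed sample against the constructed allowlist."""
    return audit(parse_ss(SAMPLE_SS), ALLOWLIST)


if __name__ == "__main__":
    for port, finding, process in demo():
        print(f"port {port:<5} {finding:<35} ({process or 'unknown'})")
```

On a rebuilt host, feed it the real output (sudo ss -tlnp, since the process column needs root) and keep the allowlist under version control with the rest of the build documentation; every finding is then either a service to disable, a bind address to tighten in that service's configuration, or an omission to correct in the allowlist. Port-based checks are a floor, not a ceiling: the paper's point about securing the service itself (Web server, database) still applies to the listeners that pass.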
Before you reconnect to the campus network with the system that was compromised, be sure that you are in compliance with all policies and standards. The university offers a set of specific security standards that must be considered before placing a computer on the network. These standards should help administrators determine what level of security granularity will be required for data protection.