151

In the UK, the company TalkTalk was recently hacked.

It was later discovered, after 'investigation' that the hack was not as serious as it could have been (and less than expected).

I'm wondering: How do organizations (not necessarily TalkTalk -- that's just what prompted me to ask) check what has been hacked? I'm sure there are many ways; but what are the 'main' ones?

sleblanc
  • 115
  • 5
ᔕᖺᘎᕊ
  • 1,283
  • 2
  • 9
  • 8
  • 1
    In this case - probably by asking the hacker: http://www.wired.co.uk/news/archive/2015-10/26/talktalk-arrest – Sobrique Oct 28 '15 at 10:01
  • 4
    Besides all the great answers, and only as a side-point comment: The public most often gets a result maybe resulting from forensics, in which case the answers apply. Consider also, that any result like "oh, it was really not thaaat bad", can only be a bloody lie of the companies. So with respect to determine "*what* has been hacked", a substantial part of what the public sees can also be have traces or PR and marketing and not only forensics. Even though maybe you choose to disregard this when posing the question, the picture would be incomplete without this mentioned – humanityANDpeace Oct 28 '15 at 10:06
  • @humanity I guess that's possible, I didn't really think of it like that.. :/ – ᔕᖺᘎᕊ Oct 28 '15 at 10:19
  • 4
    IMHO they haven't actually discovered specifically what was hacked they have simply guessed based on what was leaked and said that as a PR statement to try to lessen the perceived damage. Given the poor level of security in the first place I doubt they have secured logging that can be trusted. – JamesRyan Oct 29 '15 at 14:49
  • @JamesRyan I also thought the same, as the statement was very quick and seemed odd, but honestly, I don't care about *TalkTalk* :P -- it was just an interesting topic that made me curious. I just used TalkTalk as an example. – ᔕᖺᘎᕊ Oct 29 '15 at 15:06
  • I think one major problem with how these are handled now is that investigation 'experts' do take compromised logs as evidence, it seems as if it would be all to easy to alter logs to point to someone else's IP and SWAT a completely innocent party. – JamesRyan Oct 29 '15 at 15:26
  • @JamesRyan [gowenfawr's comment](http://security.stackexchange.com/questions/103805/how-do-companies-check-what-has-been-hacked?noredirect=1#comment180783_103808) kind of explains that – ᔕᖺᘎᕊ Oct 29 '15 at 15:27

9 Answers9

176

In a word: Forensics.

Computer forensics is the art of examining a system and determining what happened upon it previously. The examination of file and memory artifacts, especially file timelines, can paint a very clear picture of what the attacker did, when they did it, and what they took.

Just as an example - given a memory dump of a Windows system, it is possible to extract not only the command lines typed by an attacker, but also the output that they saw as a result of running those commands. Pretty useful in determining impact, eh?

Depending on the freshness of the compromise, it's possible to tell quite a lot about what happened.

@AleksandrDubinsky suggested that it would be useful to outline the various Computer Forensic fields and techniques, which I'm happy to do for you. They include, but are not limited to, the following (I'm going to use my rough terms; they aren't official or comprehensive):

Log/Monitor Forensics: The use of 'external' data such as centralized logs, firewall logs, packet captures, and IDS hits straddles the line between "Detection" and "Forensics". Some of the data, like logs (even centralized) cannot be trusted to be complete or even truthful, as attackers can filter it or inject it once they have control of the system. Off-the-system packet logging tools like the firewall, IDS, or packet recorders (such as (formerly)NetWitness) are unlikely to be tampered with, but contain only a limited amount information; usually just a record of IP conversations and sometimes signatures (such as HTTP URLs) associated with malicious activity.

Unless an unencrypted network connection was used in the compromise, these tools are rarely able to detail the activity during a compromise, and so (going back to the original question) don't "check what has been hacked." On the other hand, if an unencrypted connection (ftp) was used to exfiltrate data out, and full packets were recorded, then it's possible to know exactly what data the attacker ran away with.

Live Forensics: More properly part of Incident Response, so-called "Live" forensics involves logging into the system and looking around. Investigators may enumerate processes, look in applications (e.g. browser history), and explore the file system looking for indications of what happened. Again, this is usually designed to verify a compromise happened, and not to determine the extent of a compromise, since a compromised system is capable of hiding files, processes, network connections, really anything it wants to. The plus side is that it allows access to memory-resident things (processes, open network connections) that aren't available once you shut the system down to image the disk (but, again, the system may be lying, if it's compromised!)

Filesystem Forensics: Once a copy of the disk has been made, it can be mounted on a clean system and explored, removing any chance of the the compromised operating system "lying" about what files are in place. Tools exist to build timelines using the variety of timestamps and other metadata available, incorporating file data, registry data (on Windows), even application data (e.g. browser history). It's not just file write times that are used; file read times can indicate which files have been viewed and also which programs have been executed (and when). Suspicious files can be run through clean antivirus checkers, signatures made and submitted, executables loaded into debuggers and explored, "strings" used to search for keywords. On Unix, "history" files - if not turned off by the attacker - may detail the commands the attacker entered. On Windows, the Shadow Copy Service may provide snapshots of past activity that has since been cleaned up.

This is the step most commonly used to determine the scope and extent of a compromise, and to determine what data may or may not have been accessed and/or exfiltrated. This is the best answer to how we "check what has been hacked."

Disk Forensics: Deleted files disappear from the filesystem, but not from the disk. Also, clever attackers may hide their files in the "slack space" of existing files. These things can only be found by examining the raw disk bytes, and tools like The Sleuth Kit exist to rip that raw data apart and determine what it means about the past. If there was a .bash_history file, and the attacker deleted it as his last step before logging out, then that file may still exist as disk blocks, and be recoverable. Likewise, attack tools that were downloaded and temporary data files that were exfiltrated can help determine the extent of the compromise.

Memory Forensics: If the investigator can get there soon enough, and get a snapshot of the memory of the system involved, then they can thoroughly plumb the depths of the compromise. An attacker must compromise the kernel to hide from programs, but there's no way to hide what's been done if a true image of kernel memory can be made. And just as the disk blocks contain data that has since been removed from the filesystem, the memory dump contains data that was in memory in the past (such as command line history and output!) that has not yet been overwritten... and most data is not overwritten quickly.

Want more? There are training programs and certifications to learn Forensics; probably the most common publicly available training is from SANS. I hold their GCFA ("Forensic Analyst") certification. You can also review the Challenges from the Honeynet Project, in which parties compete to unravel the cases given disk images, memory dumps, and malware samples from actual compromises - they submit their reports of what they found, so you can see the sorts of tools used and findings made in this field.

Anti-Forensics is a hot topic in the comments - basically, "can't the attacker just hide their traces?" There are ways to chip away at it - see this list of techniques - but it's far from perfect and not what I'd call reliable. When you consider that "the 'God' of cyberespionage" went so far as to occupy the firmware of the hard drive to maintain access to a system without leaving a trace on the system itself - and still got detected - it seems clear that, in the end, it's easier to detect evidence than it is to erase it.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • 2
    Some companies may also have retroactive log analysis as a tool, where data on intrusions is collected, but not acted upon. This is worryingly common where the security of the business is not considered as worthy of full time staff. In this case, logs may contain all the details about the data accessed, but no-one is looking at them until a breach is found through other means, whether media reports, or customers complaining that their accounts have been accessed. – Matthew Oct 27 '15 at 11:50
  • 8
    Wouldn't a concerned attacker clean all that information prior leaving the system? In the end memory is limited, the attacker can either be able to access that part of the memory to wipe it or he can flood that memory to replace old contents with new ones. Couldn't he? – YoMismo Oct 27 '15 at 14:18
  • 29
    @YoMismo, the short version is, "It's not that easy." While many attackers will try to clear their tracks from disk, even that's not easy - that's what timeline analysis is all about, inferring activity from metadata. Very few go further and try to limit their memory footprint, and it's impossible to do totally - at the very least, you leave a footprint of your footprint clearing program! “All data leaves a trail. The search for data leaves a trail. The erasure of data leaves a trail. The absence of data, under the right circumstances, can leave the clearest trail of all.” - C.S. Friedman – gowenfawr Oct 27 '15 at 14:37
  • @YoMismo State funded hackers may do that. Even then, they may fail. – PyRulez Oct 27 '15 at 16:07
  • 1
    Thanks for adding the details. I agree with Alex that before the addition of the detail the answer just points to an equally undefined word of "forensics". For an answer to be useful you have to talk at a level familiar to the audience. If you know what computer forensics are, you already know the answer to the question. – Steve Sether Oct 27 '15 at 19:06
  • 3
    @YoMismo, ...once upon a time, when designing a particularly sensitive system, I did logging over a serial line with the pins for read communication cut -- literally, a write-only interface, with the system on the other end accessible only by someone physically entering a secured area. There's quite a bit one can do when the situation warrants. – Charles Duffy Oct 27 '15 at 23:04
  • 1
    For some kinds of attack, such as Heartbleed, there are unlikely to be any logs sufficiently detailed to provide the necessary information. In cases like that, it may not be possible to determine whether an attack has happened, so you have to assume the worst. This is why you will sometimes see prudent companies say things like ["we might have been hacked, or maybe not, but please go change your passwords anyway."](https://blog.lastpass.com/2015/06/lastpass-security-notice.html/) – Kevin Oct 28 '15 at 01:04
  • Aren't there write-only files to prevent the erasure of traces? – gerrit Oct 28 '15 at 10:38
  • 1
    @YoMismo `Because all its parts are connected, the environment around the enemy contains invaluable messages of their activity. By reading this environment, you are reading their designs. Even the dust speaks. This is not book knowledge. This is not even knowledge of the extraordinary and orthodox. This is a scout's observations from the field. Since anything that occurs affects everything around it, the smallest phenomenon leads you to the complete view. This is true from scout's knowledge to the general's total vision.` Moving the army The Art of War Sun Tzu – armani Oct 28 '15 at 21:46
  • @gerrit, any file protections that are enforced by the operating system can be subverted once the OS itself is compromised. While [WORM](https://en.wikipedia.org/wiki/Write_once_read_many) hardware exists, it would only be useful for (as an example) logfiles, and it's not practical enough that I've ever seen someone do it IRL - sending logs over the network to a SIEM is much simpler and equally as effective. – gowenfawr Oct 29 '15 at 12:44
  • @gowenfawr I was thinking of proper hardware write-only devices. But if the entire *network* is comprimised, wouldn't WORM hardware (physical printing of logfiles on dead trees should do the trick?) be more secure? – gerrit Oct 29 '15 at 12:58
  • @gerrit then your logs would record signs of the compromise right up until the attacker gets to the point where they get control of the log daemon... and your ability to analyze those logs would be incredibly curtailed (you can't `grep` paper!) – gowenfawr Oct 29 '15 at 13:26
  • @gerrit the volume of data that modern applications log generally far exceeds the ability to print. But in general, writing to an indelible media (non-RW optical drives for example) would be a viable approach. – Steve Sether Oct 29 '15 at 15:45
  • Within the scope of the hack it is incredibly easy to clear their tracks. Everything on the disk is just data, if the hacker had root they can change the logs, they can change the history, they can change the backups. Unless your evidence is recorded outside of the compromised system then it can not be trusted to be accurate and can only used as an aid. – JamesRyan Oct 29 '15 at 15:52
  • @Peter no, forensics are often unreliable because false assumptions are made and in the future it is likely that convictions will be overturned as awareness rises that using compromised data as evidence is unsound. – JamesRyan Oct 29 '15 at 17:40
  • @YoMismo They absolutely try to erase things. I remember when a sysadmin I worked with said the most secure log available as a dot matrix printer printing log messages on continuous feed paper. He claimed that, because the hackers knew this, it was not uncommon to start a hack by sending a massive quantity of loggable events towards the server, literally running it out of log paper so that it failed to record the actual hack. – Cort Ammon Oct 31 '15 at 22:32
  • @CortAmmon so you will agree with me. It may not be easy but it is definitely possible. I am interested in **what** and **how**, that information may or may not be accessible. But I am very much interested in knowing **WHEN**, since you may allways be hacked (no matter the messures you take since there are so many variables that you can't take all of them into account) **when** seems the key point to take counter messures in case of a breach. I like to think of this as murder, police can catch the killer, he can escape, or the crime wasn't noticed thus never investigated. – YoMismo Nov 02 '15 at 07:49
  • "This is the step most commonly used to determine the scope and extent of a compromise." And one of the most easily defeated. Before accessing the file, an attacker can simply read the existing timestamps. Then they open the file with "backup semantics" and finally write the previous timestamp(s) after the target data is exfiltrated. The net effect is undetectable file system access. Backup semantics alone generally result in an undetectable read operation. Systems are compromised far more often than the system operator knows. The only correct approach is to assume everything is compromised. – CubicleSoft Nov 02 '15 at 14:19
  • @YoMismo You can't always guarantee you can find out exactly when. You can make your logs better and make your logs safer, but in the end, once you think you might have been breached, its a matter of following breadcrumbs. The more general the trails are, the more likely it is that a hacker will be aware of it and either erase it, or potentially just sidestep it all together. The more specific the trails are to your network, the more difficult it is for them to prevent you from seeing things. The best advice I have is defense in depth. Never rely on one countermeasure to do it all. – Cort Ammon Nov 02 '15 at 15:11
  • @YoMismo see the text I just added to the answer about anti-forensics, includes a link to the "what and how" attackers can do to try to cover their traces. Be aware it's a very imperfect science, and that even the pros get caught despite these methods. – gowenfawr Nov 02 '15 at 21:26
  • @gowenfawr thanks for the new links, they are very enlightening. I agree with the fact that traces are left and there are so many variables that you can't take all of them into account (from both points of view attacker and forensic), thus leaving traces for forensic analysis in one case or being able to hack a system in the other. The thing is that you can't investigate an event if you haven't noticed it. Those groups your second link talk about were noticed, but what about the individuals, institutions of governments that weren't? we will never know about those. Take Cuckoo's Egg as an ... – YoMismo Nov 03 '15 at 11:47
  • example, that hacker was noticed because of some cents in some account didn't match. A concerned technitian started to investigate and end up with a hacked machine, but what about those machines with that account inconsistency that may have been ignored? what about those machines that were never noticed a hack took place? you can't investigate that because it hasn't been noticed. – YoMismo Nov 03 '15 at 11:54
  • @YoMismo, that's actually a topic I've spent a lot of time grappling with, but it's veering far afield on this question. You've got a good new top-level question in there - how to deal with the "unknown unknowns", as Rumsfeld put it. – gowenfawr Nov 03 '15 at 12:30
20

Working within the technology sector, how I would do it would be as follows:

  1. Find the hack, the hole, the weak spot.

  2. Check the syslog, dmesg, access.log and error.log to confirm the thesis. (when hacking in to a network you normally have the break the system in the case of TalkTalk it was a MySQL injection, doing this would have left errors in the mysql.err log as to break in you have to break it.)

  3. Replicate the hack, replicating the hack will allow you to see how deep the hack can go and allow you to estimate the damages.

If you find the hole, you can replicate the attack, replicate the attack and you will see what the attacker saw.

Aaron Hall
  • 159
  • 1
  • 1
  • 9
TheHidden
  • 4,265
  • 3
  • 21
  • 40
  • 4
    This answer is a good addition to the other answers, since it addresses that a 'hack' does not in general give full access to a system, but is more often than not a leak in a specific part of the system. – Sanchises Oct 27 '15 at 12:42
  • 6
    Why didn't you used a numbered list? (you can replace `,` with `.` to do this) – A.L Oct 27 '15 at 13:01
  • 6
    because i didn't want to. – TheHidden Oct 27 '15 at 13:18
  • 4
    I don't think this is accurate. Firstly by 'MySQL injection', I assume you just mean 'SQL Injection', it's not a vulnerability that's limited to MySQL. Secondly, I don't think there would necessarily be any trace in the database's error log, if my injection attack is to change: ...where userId = '123' into ...where userId = '' or 1=1 this is perfectly valid SQL and the database would not identify it as an error. – DaveyDaveDave Oct 27 '15 at 14:02
  • @DaveyDaveDave I said MySQL because I use MySQL databases it is just a habit to type it, but yes you are correct. secondly you would be assuming that it was a data manipulation rather than an injection. I doubt it very much that they had such a small sql statement that it wouldnt have caused an error, especially in the talk talk reference. to get the kind of information the hacker did it would have had to be a number of sql statements and he most likely ended it with ;-- but anything else past this would most likely throw an error. I can pass you onto a nice game if you would like 2 try it. – TheHidden Oct 27 '15 at 14:29
  • @DaveyDaveDave also forgot to mention, a great way of getting a tables scheme is to break the code on purpose, also i doubt the first injection worked first. If i wanted to get into a SQL database I would first try and find a map so I can take the correct doors. – TheHidden Oct 27 '15 at 14:33
  • 1
    @silverpenguin: reasonable points, but all I was trying to show is that your general assertion of "to break in you have to break it", is not necessarily true. – DaveyDaveDave Oct 27 '15 at 14:36
  • @DaveDaveDave SQL servers typically log queries that were made against the database. It's pretty easy to find that one query that includes `or 1=1` in the query string, because that's not something a normal SQL query would use in most cases (it'd set of warning bells in my mind, at least). At minimum, simple forensics can tell us what unusual queries have been run, especially if most queries use binding statements, and so would constitute the majority of all queries ran. – phyrfox Oct 28 '15 at 18:34
7

In addition to the excellent answer on Forensics (and comments) some organisations use intrusion detection systems such as 'Snort' (network intrusion detection) and OSSEC (host based detection system) as well as many others by vendors such as Cisco etc. which record various aspects of unusual or unauthorised behaviour.

For example, host based intrusion detection systems often log file changes on servers so a forensic investigation can show which files have been changed within a given period and a forensic investigator can use this to piece together activities of some users or attackers.

Attackers will also leave traces in logs all over the infrastructure from firewall logs, to server logs, service logs (web, smtp etc.) and these can provide vital clues. However, it is possible for attackers to change these logs unless they have been designed to be secure and unalterable e.g. by centralising logs on a write-only medium.

Once an attacker gains privileged access the gloves are off and logs can be tampered with or deleted.

In the end it will rest on readiness - whether the organisation has prepared for intrusion and the forensic exercise that will follow. This should be part of every company's security planning.

David Scholefield
  • 1,824
  • 12
  • 21
  • 2
    It will also depend on whether the attacker finds/knows about every log. – Dan Henderson Oct 27 '15 at 15:00
  • @DanHenderson but how do you know the difference between an unfound log and a planted false log? – JamesRyan Nov 03 '15 at 10:56
  • Because you need a way to ensure that logs can't be tampered with (or at least require collusion in order to do so). The best way to achieve this is to either write logs to write-once medium (in *nix systems you can mount a drive as 'append only') or write to a secure, centralised log server. – David Scholefield Nov 03 '15 at 12:12
  • @JamesRyan a found, falsified log will agree with the other found, falsified logs. An unfound log will contradict the falsified logs. – Dan Henderson Nov 03 '15 at 17:06
5

I haven't seen this mentioned yet and it is likley a major resource for such an investigation, especially one revolving around data access:

RDBMS auditing can be a major resource for determining exactly what data has been accessed, when, and by whom. This of course depends on how, or if, it has been configured.

For example, SQL Server Audit allows retrieval of user IDs, time stamps, and the actual queries submitted to the server thus allowing complete re-construction of the data set stolen.

The audit systems should have redundancies built in to prevent tampering with the audit trail. Some of this may be stored in the RDBMS, and some may be written to external sources. SQL Server can log audits to the Windows Security log.

Dave
  • 442
  • 3
  • 13
4

gowenfawr mentioned system forensics but identifying the compromised asset is almost always done via logs. Logs /should/ always indicate the compromised asset if you search hard enough. Whether you have an IDS that detects external logins/bruteforce attempts/SQL injection attempts or if you manually search logs for what I just mentioned, there are several ways to bring a breach to your attention.

Once the asset has been identified, you can begin forensic examination of the asset. Mostly for additional information that logs may not report, especially if it looks like a file has been dropped to maintain access for the attacker. Memory scraping and analyzing what the dropped file does, step-by-step, will help the security team/IR team to gain an understanding of what's going on, how the compromise initially occurred, the vulnerability utilized and potentially the source of the attack (the real source).

Sevaara
  • 181
  • 2
  • 8
3

They can check several things that I can mention randomly:

  • Syslog
  • Firewall's logs
  • Logs of IDS and router(s)
  • File system
  • Events
  • Scheduled tasks
1

If someone broke into your house using a stolen key, and did not steal anything, how would you know? Often, you would. Think about how the ways in which you'd detect the occurrence. It could be as silly as a letter open on your kitchen worktop that you don't remember getting around to reading. There is basically no distinction here. It helps if you find scratch marks on your lock from the first ten entry attempts before the burglar finally determined which key was actually yours (read: security logs).

Lightness Races in Orbit
  • 2,173
  • 2
  • 14
  • 15
  • 1
    what are you talking about? –  Oct 28 '15 at 10:37
  • 5
    @Begueradj: It's a pretty clear analogy. With which part of it are you having trouble? – Lightness Races in Orbit Oct 28 '15 at 10:42
  • for example the kitchen part. We are talking about forensics. May be you did not understand the question? –  Oct 28 '15 at 10:43
  • 2
    @Begueradj: I understood it perfectly, thank you very much. Forensics may be modelled to the layperson as analogous the way a homeowner examines his or her property for signs of damage/loss that may not be outwardly evident without such activity. The OP was ostensibly only considering the case where the sofa and TV are missing and therefore could not think how more subtle forms of theft/infiltration could be detected. That led to this question being posted and, ultimately, this answer. Let me know if you have any more questions. – Lightness Races in Orbit Oct 28 '15 at 11:00
  • 1
    "Analogy" creates a relationship between 2 ideas. This is not an analogy - it is ellipsis. – schroeder Oct 28 '15 at 15:11
  • 3
    @schroeder: No, it is an analogy. – Lightness Races in Orbit Oct 28 '15 at 16:12
  • 1
    @Begueradj: The question does not require a forensics answers, and by my experience (ranging 3 man shops as well as "industry leaders"), forensics is typically a term that nobody in the company has ever heard of, except they are CSI fans. – phresnel Oct 29 '15 at 10:24
  • 2
    @schroeder I've never read _ellipsis_ used in any sense even remotely like this, and my search doesn't find any related definitions. It would've helped to include a citation for those of us whose English is apparently lacking. – underscore_d Oct 31 '15 at 10:48
1

In terms of what has been taken, rather than how, bigger enterprises and agencies utilise deep packet inspection to record what has been transferred in/out of their network.

Devices record all traffic and can utilise IDS for alerting. After an incident occurs they can analyse the magnitude of the attack.

Some common industry standard tools for this are:

Petah
  • 119
  • 5
1

In the case of Talk Talk, we know that the stolen data is being used to target people.

  • We know these people are being phoned up by someone claiming to be from Talk Talk and then tricked into providing their bank details.
  • We know that bank details stop being useful after a short time if it is know then have been hacked.
  • We therefore know that hacked bank details would be used QUICKLY if taken from TalkTalk.
  • Therefore it is reasonable to assume that the bank details were not in the data that have been taken.

There is a LOT of monitoring going to by the UK banks etc to see what the impact is, this monitoring will pick up enough cases, along with reported cases by bank customers, to give a good ideal of the impact by now.

Ian Ringrose
  • 641
  • 1
  • 4
  • 9