Operation clean sweep: How to disinfect a compromised network

You can't remove every bad scrap, but due diligence can go a long way toward yielding a clean, reliable network

You either know your network is compromised or you're unaware your network is compromised. As far as I can determine, that's only a slight exaggeration. In the last seven years that I've concentrated on hacked networks -- most of which have been hit by advanced persistent threats -- I'm aware of only one company that has not been thoroughly and pervasively compromised.

Security professionals need to start by assuming their defenses have already been breached. It's hard to admit, but truth is always better than ignorance. It's like being mayor of a city and admitting that you probably have some crime despite a well-trained and appropriately funded police force. Crime happens. It's even in the Bible.


Once people reach the acceptance phase, they typically ask me this question: How can a company conduct a "clean sweep" to detect badness, root it out, and start over with a known clean environment?

The short answer: You can't. Well, you can, but getting a very high level of assurance would be very expensive and, in the end, probably not worth the money, time, and effort. Gaining a high level of confidence that you don't have any compromised computers takes talent and time: it requires exacting, highly detailed computer forensics.

Project superscrub

Most companies don't have images of the known, clean states of all their computers. If they did, they could do a quick comparison between clean images and current images. Even then, you'd have to sift through hundreds or thousands of little differences, from temporary files to legitimate updates to log files to any tiny object that changes during the normal course of business.
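To make the baseline comparison concrete, here is an added example (mine, not the author's) of the minimal tooling behind it: a file-hash manifest of a known-clean image is compared against a manifest taken from a live host, and differences under paths that legitimately churn (temp files, caches, logs) are set aside from the ones a person must actually review. The "golden image" and "live host" contents, the hashes derived from them, and the volatile-path allowlist are all constructed for the example; on a real network you would capture the baseline from the freshly built image and tune the allowlist per role.

```python
"""Compare a known-clean baseline manifest with a live manifest and separate
expected churn (temp files, caches, logs) from changes that need human review.
Added example: the sample manifests below are constructed, not from any real host."""
import fnmatch
import hashlib
from pathlib import Path

# Paths that change during normal business and are not evidence on their own.
# Constructed allowlist; anything under these paths is NOT checked, so keep it
# as narrow as the role allows.
VOLATILE_PATTERNS = ("*/tmp/*", "*.log", "*/cache/*")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_dir(root: str) -> dict:
    """Build {relative_path: sha256} for every regular file under root.
    This is how a baseline is captured from a freshly built image."""
    base = Path(root)
    out = {}
    for p in base.rglob("*"):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(base).as_posix()] = sha256_bytes(p.read_bytes())
    return out


def manifest_from_bytes(files: dict) -> dict:
    """Build a manifest from an in-memory {path: content} map, so the
    constructed sample below runs without a real disk image."""
    return {path: sha256_bytes(content) for path, content in files.items()}


def is_volatile(path: str, patterns=VOLATILE_PATTERNS) -> bool:
    """True if the path matches one of the expected-churn patterns."""
    return any(fnmatch.fnmatch(path, pat) for pat in patterns)


def compare_manifests(baseline: dict, current: dict,
                      patterns=VOLATILE_PATTERNS) -> dict:
    """Classify every difference between the clean image and the live host.

    Returns four sorted lists:
      added    - present now, absent from the clean image, not volatile
      removed  - in the clean image, missing now, not volatile
      modified - content hash changed, not volatile
      expected - any difference whose path matches a volatile pattern
    Only the first three need an analyst's attention.
    """
    result = {"added": [], "removed": [], "modified": [], "expected": []}
    for path in sorted(set(baseline) | set(current)):
        if path in baseline and path in current:
            if baseline[path] == current[path]:
                continue  # unchanged, the common case
            kind = "modified"
        elif path in current:
            kind = "added"
        else:
            kind = "removed"
        result["expected" if is_volatile(path, patterns) else kind].append(path)
    return result


# Constructed sample: a tiny "golden image" and a live host that drifted from it.
CLEAN_IMAGE = {
    "bin/sshd": b"sshd-binary-v1",
    "etc/hosts": b"127.0.0.1 localhost\n",
    "var/log/auth.log": b"",
    "var/tmp/cache/index": b"",
}
LIVE_HOST = {
    "bin/sshd": b"sshd-binary-v1",
    "etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 updates\n",  # changed: review
    "var/log/auth.log": b"Accepted publickey for ops\n",       # expected churn
    "var/tmp/cache/index": b"stale",                          # expected churn
    "usr/local/bin/helper": b"unknown-binary",                # new: review
}


def sample_report() -> dict:
    """Run the comparison on the constructed sample."""
    return compare_manifests(manifest_from_bytes(CLEAN_IMAGE),
                             manifest_from_bytes(LIVE_HOST))


if __name__ == "__main__":
    for kind, paths in sample_report().items():
        print(f"{kind:9s} {paths}")
```

Even on this five-file sample, two of the four differences are noise that the allowlist absorbs; on a real host the same ratio applies to thousands of objects, which is the sifting problem the paragraph describes. The allowlist is also the tool's blind spot: nothing under a volatile path is examined, so those locations need a different control (log integrity, mount options, endpoint telemetry) rather than a hash diff.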

And without known, clean images? Forensic examiners must painstakingly review each computer and rule out thousands upon thousands of irregularities. The fastest I've seen any company turn this around is about 24 hours for one computer. So if you want to do a clean sweep of your network with a high level of assurance, plug that into your resource calculator: 24 hours per computer per forensic investigator. Now you know why most companies don't have the time or money.

Worse, determining if a particular computer is clean at a particular point in time doesn't prevent it from getting compromised immediately after. I've been involved in a few greenfield efforts, and most of the time those brand-new, clean environments end up compromised just like the old, legacy environments did. Why? Because the defenders didn't spend enough time ensuring that the old successful threats wouldn't be just as successful in the new environment. Simply moving users to new, clean computers doesn't mean they won't fall victim to the same old spearphishing attack.

Instead of striving for spic-and-span perfection, if you're determined to do a mop-up operation, I recommend a "limited assurance" clean sweep. This gives you reasonable assurance that your network is fairly clean and not completely owned by badness.

In a limited assurance audit, you select a sampling of computers in each role (such as file server, database server, Web server, client workstation, client laptop) to give you confidence over the whole population.
