Brett /
MMPPCAP 2015-08-03
Post Potential Compromise Action Plan

AWS Root Credentials
- Change all AWS account root credentials.
- Use a secure, 20-character password, stored on paper only.
- Configure two-factor auth using the on-call phone and Google Authenticator (we need a plan, procedure, or backup in case the on-call phone is lost).

User Credentials
- Remove all user credentials from all accounts.
- Set all user login profiles to change password on next login.
- Use iambic to recreate and send out credentials.

Build Credentials
- Create a new certificate for building instances.
- Configure the build process to remove these credentials after completion.

Infrastructure
- Do a full rebuild of all machines without local data.
- Do a full rebuild and restore of all machines with local data.

Office hosts
- Network: 192.168.19.0/24, 10.12.0.0/14

Firewall
- Re-implement IDS/IPS detection on the office firewall.

VPN
- Retire the "legacy" firewall.
- Invalidate all certs for Legacy (Commander/Intervolve).
- Network: 192.168.7.0/24, 192.168.4.0/24, 192.168.9.0/24

Platform2014
- Network: 10.16.0.0/14

Auditing
Credentials for the Fortigates, some management consoles, and other infrastructure (switches?) are stored in KeePass.

Fortigate
Logins reported in syslog on log.inf.mel.mmd for the past 30 days are listed below. No particularly suspicious activity, but without individual accounts or change records it is difficult to determine. These are the only external accesses. There was no direct access available between Legacy and the Platform2014 Fortigate.

Fortigate login records:
syslog timestamp   Fortigate timestamp    unit  username      source                 status
May 14 16:15:21    2015-05-14 16:15:20    FG1   atechsupport  https(175.45.119.98)   success
May 18 09:04:29    2015-05-18 09:04:29    FG1   atechsupport  https(175.45.119.98)   success
May 20 14:35:39    2015-05-20 14:35:39    FG1   atechsupport  https(175.45.119.98)   success
Jun 1 11:06:59     2015-06-01 11:06:59    FG1   atechsupport  https(175.45.119.98)   success
Jun 1 11:19:58     2015-06-01 11:19:58    FG1   atechsupport  ssh(175.45.119.98)     success
Jun 4 08:59:39     2015-06-04 08:59:39    FG1   atechsupport  https(175.45.119.98)   success
Jun 10 11:11:47    2015-06-10 11:11:47    FG1   atechsupport  https(175.45.119.98)   success
Jun 11 10:28:11    2015-06-11 10:28:11    FG1   atechsupport  ssh(175.45.119.98)     success
Jun 11 10:33:03    2015-06-11 10:33:03    FG1   atechsupport  https(175.45.119.98)   success
Jun 11 15:33:16    2015-06-11 15:33:15    FG1   atechsupport  ssh(175.45.119.98)     success
Jun 29 10:10:12    2015-06-29 10:10:11    FG2   atechsupport  https(175.45.119.98)   success
Jul 14 10:34:15    2015-07-14 10:34:14    FG2   atechsupport  https(175.45.119.98)   success
Jul 14 10:54:32    2015-07-14 10:54:32    FG2   atechsupport  ssh(175.45.119.98)     success

Recommend:
- Create individual accounts for better auditing.
- Record changes for accounting.
- Change credentials on a regular basis.

General Network
- Port scan (nmap) of the perimeter.
- Port scan of internal hosts: inside office hosts.
- Investigate http://www.tenable.com/ (Nessus vulnerability scanner SaaS); they actually distribute Nessus in all forms.
- Internal vuln scanning: OpenVAS? (Seemed painful to set up at last glance.)

Host
Are there any decent rootkit scanners? Some candidates are listed at http://sectools.org/tag/rootkit-detectors/: chkrootkit (http://www.chkrootkit.org) and rkhunter (http://rkhunter.sourceforge.net). chkrootkit has the most recent update, but it is still over a year old. Suggest running both, latest versions.

-- I wouldn't recommend these on a running compromised system.
Rather, it'd be best to grab the disks from the systems, attach them to a fresh vanilla build system and investigate on that. There are some distros out there that come with all the tools you need, like http://sleuthkit.org/ and www.deftlinux.net.
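The User Credentials steps above (remove all user credentials from all accounts, set every login profile to change password on next login) as an added example in Python against the boto3 IAM client API. This is not the page's iambic tooling or any project's code. It assumes boto3's IAM method names (list_users, list_access_keys, delete_access_key, list_signing_certificates, delete_signing_certificate, list_ssh_public_keys, delete_ssh_public_key, get_login_profile, update_login_profile); the FakeIAM class and its three users are constructed so the logic runs offline as a dry run. The root password and root MFA from the first section are console tasks and are not covered here.

```python
"""Revoke every IAM user's long-lived credentials and force a console password change.

Added example written against the boto3 IAM client API (not the page's iambic tooling).
Any object exposing the same method names works, so FakeIAM below (constructed sample
users, not real account data) lets the logic run offline.
Real run:  import boto3; revoke_user_credentials(boto3.client("iam"), dry_run=False)
"""
import secrets
import string


def fresh_password(length=20):
    """Random password containing every character class most IAM password policies require."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def _all(list_call, key, **kwargs):
    """Collect every item from a paginated IAM list_* call (IsTruncated / Marker)."""
    items, marker = [], None
    while True:
        resp = list_call(**kwargs, **({"Marker": marker} if marker else {}))
        items.extend(resp[key])
        if not resp.get("IsTruncated"):
            return items
        marker = resp["Marker"]


def revoke_user_credentials(iam, dry_run=True, new_password=fresh_password):
    """Delete access keys, X.509 signing certs and SSH public keys of every user, then reset
    the console password with PasswordResetRequired so the next login forces a change.

    Returns [(user, action, identifier), ...].  With dry_run=True nothing is modified, so the
    list doubles as the change record the plan asks for."""
    actions = []

    def do(user, action, ident, call):
        actions.append((user, action, ident))
        if not dry_run:
            call()          # executed immediately, so the loop variables below are still bound

    for user in _all(iam.list_users, "Users"):
        name = user["UserName"]
        for k in _all(iam.list_access_keys, "AccessKeyMetadata", UserName=name):
            do(name, "delete_access_key", k["AccessKeyId"],
               lambda: iam.delete_access_key(UserName=name, AccessKeyId=k["AccessKeyId"]))
        for c in _all(iam.list_signing_certificates, "Certificates", UserName=name):
            do(name, "delete_signing_certificate", c["CertificateId"],
               lambda: iam.delete_signing_certificate(UserName=name, CertificateId=c["CertificateId"]))
        for s in _all(iam.list_ssh_public_keys, "SSHPublicKeys", UserName=name):
            do(name, "delete_ssh_public_key", s["SSHPublicKeyId"],
               lambda: iam.delete_ssh_public_key(UserName=name, SSHPublicKeyId=s["SSHPublicKeyId"]))
        try:
            iam.get_login_profile(UserName=name)
        except iam.exceptions.NoSuchEntityException:
            continue        # machine user with no console password: nothing to reset
        do(name, "reset_console_password", "PasswordResetRequired=True",
           lambda: iam.update_login_profile(UserName=name, Password=new_password(),
                                            PasswordResetRequired=True))
    return actions


class FakeIAM:
    """Offline stand-in for boto3.client("iam") holding constructed users (not real account data)."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self):
        self.keys = {"alice": ["AKIAEXAMPLE00000001", "AKIAEXAMPLE00000002"], "bob": [],
                     "deploy": ["AKIAEXAMPLE00000003"]}
        self.certs = {"alice": [], "bob": ["CERTEXAMPLE01"], "deploy": []}
        self.ssh = {"alice": ["APKAEXAMPLE01"], "bob": [], "deploy": []}
        self.profiles = {"alice": {}, "bob": {}}    # "deploy" is a machine user: no console login

    def list_users(self, **kw):
        return {"Users": [{"UserName": u} for u in self.keys], "IsTruncated": False}
    def list_access_keys(self, UserName, **kw):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": "Active"} for k in self.keys[UserName]],
                "IsTruncated": False}
    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName].remove(AccessKeyId)
    def list_signing_certificates(self, UserName, **kw):
        return {"Certificates": [{"CertificateId": c} for c in self.certs[UserName]], "IsTruncated": False}
    def delete_signing_certificate(self, UserName, CertificateId):
        self.certs[UserName].remove(CertificateId)
    def list_ssh_public_keys(self, UserName, **kw):
        return {"SSHPublicKeys": [{"SSHPublicKeyId": s} for s in self.ssh[UserName]], "IsTruncated": False}
    def delete_ssh_public_key(self, UserName, SSHPublicKeyId):
        self.ssh[UserName].remove(SSHPublicKeyId)
    def get_login_profile(self, UserName):
        if UserName not in self.profiles:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"LoginProfile": {"UserName": UserName}}
    def update_login_profile(self, UserName, Password, PasswordResetRequired):
        self.profiles[UserName] = {"password": Password, "reset": PasswordResetRequired}


if __name__ == "__main__":
    for row in revoke_user_credentials(FakeIAM(), dry_run=True):
        print("%-8s %-26s %s" % row)
```

Run it with dry_run=True first and keep the returned list: it is the record of what was revoked for whom, which is exactly what the "record changes for accounting" recommendation wants. Note that the new password is generated only to be thrown away by the forced reset; it is never sent to the user.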
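The Fortigate login review above was done by eye over 13 rows; as an added example, here is the per-source summary and allowlist check that the recommendations (individual accounts, change records) are asking for, written in Python over FortiOS-style admin-login events. It is not taken from the page or from any Fortinet tool. The key=value layout and field names (devname, user, ui, action, status) are an approximation of what FortiOS writes to syslog, the sample lines are constructed (two mirror rows of the table, two are invented to exercise the failed-login and unexpected-source checks, using the documentation address 203.0.113.7), and the EXPECTED_ADMIN_SOURCES allowlist is an assumption built from the one address in the table.

```python
"""Audit FortiGate admin-login events pulled from syslog (added example, not Fortinet code).

The key=value layout and field names below approximate FortiOS event logs; check them
against a real line from log.inf.mel.mmd before relying on the output.
"""
import re
import sys
from collections import Counter
from datetime import datetime

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')       # key=value or key="quoted value"
UI_RE = re.compile(r'^(?P<method>\w+)\((?P<src>[^)]+)\)$')  # e.g. https(175.45.119.98)

# Assumption: the only address that should be logging in is the one seen in the table.
EXPECTED_ADMIN_SOURCES = {"175.45.119.98"}
# Accounts used by more than one person: a login cannot be attributed to an individual.
SHARED_ACCOUNTS = {"atechsupport", "admin"}

# Constructed sample events.  The first two mirror rows of the table above; the other two
# are invented (203.0.113.7 is a documentation address) to exercise the checks.
SAMPLE_LINES = [
    'date=2015-05-14 time=16:15:20 devname=FG1 logid=0100032001 type=event subtype=system '
    'level=information vd="root" logdesc="Admin login successful" user="atechsupport" '
    'ui="https(175.45.119.98)" action="login" status="success" '
    'msg="Administrator atechsupport logged in successfully from https(175.45.119.98)"',
    'date=2015-06-01 time=11:19:58 devname=FG1 logid=0100032001 type=event subtype=system '
    'level=information vd="root" logdesc="Admin login successful" user="atechsupport" '
    'ui="ssh(175.45.119.98)" action="login" status="success" '
    'msg="Administrator atechsupport logged in successfully from ssh(175.45.119.98)"',
    'date=2015-06-02 time=03:12:40 devname=FG2 logid=0100032002 type=event subtype=system '
    'level=alert vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.7)" '
    'action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator admin login failed from ssh(203.0.113.7)"',
    'date=2015-06-02 time=03:15:01 devname=FG2 logid=0100044546 type=event subtype=system '
    'level=information vd="root" logdesc="Attribute configured" user="atechsupport" '
    'ui="https(175.45.119.98)" action="Edit" cfgpath="system.interface" msg="Edit system.interface port1"',
]


def parse_event(line):
    """Return a dict for an admin login event, or None for any other event type."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("action") != "login":
        return None
    ui = UI_RE.match(fields.get("ui", ""))
    when = None
    if "date" in fields and "time" in fields:
        when = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return {
        "when": when,
        "unit": fields.get("devname", "?"),
        "user": fields.get("user", "?"),
        "method": ui.group("method") if ui else fields.get("ui", "?"),
        "src": ui.group("src") if ui else "?",
        "status": fields.get("status", "?"),
    }


def audit(lines, expected_sources=EXPECTED_ADMIN_SOURCES, shared_accounts=SHARED_ACCOUNTS):
    """Summarise logins per unit/user/method/source and flag the ones worth a second look."""
    events = [e for e in map(parse_event, lines) if e is not None]
    summary = Counter((e["unit"], e["user"], e["method"], e["src"], e["status"]) for e in events)
    findings = []
    for e in events:
        if e["src"] not in expected_sources:
            findings.append(("unexpected-source", e))
        if e["status"] != "success":
            findings.append(("failed-login", e))
    shared_used = sorted({e["user"] for e in events if e["user"] in shared_accounts})
    return {"events": events, "summary": summary, "findings": findings,
            "shared_accounts_used": shared_used}


def report(result):
    """Render the audit as the kind of table that appears on this page, plus findings."""
    lines = ["unit  user          method  source            status  count"]
    for (unit, user, method, src, status), n in sorted(result["summary"].items()):
        lines.append(f"{unit:<5} {user:<13} {method:<7} {src:<17} {status:<7} {n}")
    for kind, e in result["findings"]:
        lines.append(f"FINDING {kind}: {e['when']} {e['unit']} {e['user']} "
                     f"{e['method']}({e['src']}) {e['status']}")
    if result["shared_accounts_used"]:
        lines.append("shared accounts in use (no individual attribution possible): "
                     + ", ".join(result["shared_accounts_used"]))
    return "\n".join(lines)


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    print(report(audit(source)))
```

Feed it a syslog extract (`python audit_fortigate_logins.py fortigate.log`) and the shared-accounts line at the bottom of the report is the concrete statement of the page's caveat: until individual admin accounts exist, every row is "someone who knows the atechsupport password".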
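For the "grab the disks" step, an added example (not code from the page, The Sleuth Kit or DEFT) of the acquisition routine that should run before the disk is ever mounted on the analysis box: it reads the device in fixed blocks, zero-fills any block the kernel refuses to read while recording its offset (the behaviour of dd conv=noerror,sync), and hashes the image as it is written so the hash is logged with the evidence. The function names acquire and verify are this example's own, and FlakyDisk is a constructed stand-in for a failing drive so the routine runs offline.

```python
"""Image a suspect disk before investigating it (added example; not from the page, TSK or DEFT).

acquire() reads a device opened read-only in fixed blocks, zero-fills unreadable blocks and
records their offsets, and hashes the image as it is written.  verify() re-hashes the image
file later (e.g. after copying it to the clean analysis host) and compares.
"""
import hashlib
import io
import os
import tempfile


def acquire(src, dst, block_size=4096):
    """Copy src (e.g. open('/dev/sdb', 'rb')) into dst.
    Returns (sha256 hex of the image, bytes written, [offsets of unreadable blocks])."""
    src.seek(0, os.SEEK_END)
    total = src.tell()
    digest = hashlib.sha256()
    bad, offset = [], 0
    while offset < total:
        src.seek(offset)
        want = min(block_size, total - offset)
        try:
            chunk = src.read(want)
        except OSError:
            bad.append(offset)
            chunk = b"\x00" * want          # keep the geometry: fill the hole, do not skip it
        if not chunk:
            break                           # short read at the end of the device
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    dst.flush()
    return digest.hexdigest(), offset, bad


def sha256_hex(data):
    """Hash of an in-memory buffer, for comparing against acquire()'s result."""
    return hashlib.sha256(data).hexdigest()


def verify(path, expected_sha256, block_size=1 << 20):
    """Re-hash an image file and check it still matches the hash recorded at acquisition."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a failing drive: a read starting at a bad offset raises EIO."""
    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, n=-1):
        if self.tell() in self.bad_offsets:
            raise OSError(5, "Input/output error")
        return super().read(n)


def demo():
    """Image a constructed 12 KiB disk whose second 4 KiB block is unreadable."""
    data = bytes(range(256)) * 48
    with tempfile.NamedTemporaryFile(suffix=".dd", delete=False) as image:
        sha, written, bad = acquire(FlakyDisk(data, [4096]), image, block_size=4096)
    ok = verify(image.name, sha)
    os.unlink(image.name)
    return sha, written, bad, ok


if __name__ == "__main__":
    sha, written, bad, ok = demo()
    print(f"sha256={sha} bytes={written} unreadable_blocks={bad} verified={ok}")
```

Record the hash and the unreadable offsets with the case notes, then work only from the image (mounted read-only, or through TSK's fls/icat directly) so the original disk is never written to.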