[Dshield] Remote incident handling tool
peteoutside at yahoo.com
Mon Nov 28 19:13:53 GMT 2005
For a while now where I work we have been kicking around an idea which might pay off in spades if we can get it to work properly.
For starters, let me just say that we don't have the time or resources to send a team out every time a customer gets rooted. Ideally we would send four people out there, image the compromised box, pull down all the router/firewall/system logs, map the network, run nessus against everything, and leave a honeypot and/or sniffer for a while to see if the bad guy comes back. These data are valuable but we just don't have the personnel to get them, and if we rely on the on-site IT department to handle it for us they mess it up somehow 100% of the time (not a knock on them, their expertise just lies in other areas).
So, we came up with this solution. Hopefully you folks can help us tear this down and build it into something worthwhile. I'm looking for pointers on the overall schema as well as technical criticism, so have at it.
What we're going to do is create a Linux LiveCD containing all the tools we want (snort, nessus, cheops-ng, etc.) in an ISO. The on-site IT guys download it from our website, burn it to a CD, pull out a spare box and boot from the CD. Now, this CD will have some capability to where we can remotely administer it--so we will be able to tunnel into their network and perform our scans, capture packets, get a network map, gather logs, and so forth. Data could be stored on the box's hard drive for later retrieval, stored temporarily and pulled back across the net, or pushed to a waiting server on our end at regular intervals. Our connection to the remote box would have to be secure (SSH or a VPN or something). When the incident is mitigated, then the remote site pulls out the CD and unplugs the box.
We would need to set it up so that while the ISO was readily available, not just anyone could use it (or at least, not to exchange information with the "home base" network). I'm thinking some application of public key encryption, or a secure one-time key generated for each incident.
Does this sound technically feasible? What are the obstacles to overcome that you can foresee? What Linux distro do you think we should base it on? What tools should we include?
Thanks in advance for all input.
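The post asks how to gate the "home base" connection with a one-time key per incident so that anyone who downloads the ISO cannot exchange data with the responders' network. The following is an added illustration of that gating idea, not code from the poster or from any LiveCD project: home base issues a fresh random key per incident, the booted CD proves possession of it with an HMAC over the incident id, hostname and timestamp, and the server accepts each key exactly once within a freshness window. Function names, the in-memory `store`, and the sample incident ids are constructed for the example.

```python
import hmac, hashlib, secrets, time

WINDOW_SECONDS = 300  # refuse enrolment requests older than this

def issue_incident_key(store, incident_id):
    """Home base: mint a one-time key for a new incident and record it.
    `store` is a constructed in-memory stand-in for the server's state."""
    key = secrets.token_bytes(32)
    store[incident_id] = {"key": key, "used": False}
    return key

def _mac(key, incident_id, host, ts):
    msg = f"{incident_id}|{host}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def client_enroll_request(incident_id, key, host, ts):
    """LiveCD side: prove possession of the incident key without sending it."""
    return {"incident": incident_id, "host": host, "ts": ts,
            "mac": _mac(key, incident_id, host, ts)}

def server_verify(store, req, now):
    """Home base: accept one fresh, correctly authenticated enrolment per
    incident; unknown incident, replay, stale request or bad MAC is refused."""
    rec = store.get(req["incident"])
    if rec is None or rec["used"]:
        return False
    if abs(now - req["ts"]) > WINDOW_SECONDS:
        return False
    expected = _mac(rec["key"], req["incident"], req["host"], req["ts"])
    if not hmac.compare_digest(expected, req["mac"]):
        return False
    rec["used"] = True  # burn the key so a second use counts as a replay
    return True

def demo():
    """Walk through accept, replay, forged-key and stale cases."""
    store = {}
    key = issue_incident_key(store, "INC-0001")
    now = int(time.time())
    good = client_enroll_request("INC-0001", key, "spare-box", now)
    first = server_verify(store, good, now)        # accepted
    replay = server_verify(store, good, now + 5)   # refused: key already used
    key2 = issue_incident_key(store, "INC-0002")
    forged = client_enroll_request("INC-0002", b"\x00" * 32, "spare-box", now)
    bad_mac = server_verify(store, forged, now)    # refused: wrong key
    stale = client_enroll_request("INC-0002", key2, "spare-box", now - 3600)
    too_old = server_verify(store, stale, now)     # refused: outside window
    return first, replay, bad_mac, too_old
```

In a real deployment the accepted enrolment would then hand out the SSH or VPN credentials for the tunnel described in the post, and the server-side record would live in persistent storage rather than a dictionary.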