Reminder for Incident Responders

I found this post [Dailydave] How to pull a dinosaur out of a hat in 2010 by Dave Aitel to contain two warnings for incident responders:

I do know that reliably owning Wireshark on Windows 7 is priceless.

and

So many otherwise very cautious people don't realize that RDP is like giving your passwords away to the remote machine. So we had to write a trojan that stole the passwords as people RDP'd in and we installed it for demos on various client sites.


The first is a reminder that intruders sometimes practice counter-forensics, i.e., attacking defensive tools. In fact, the post I just linked from 2007 mentions Wireshark vulnerabilities. Some things never change.

The second is a reminder that gaining remote access to suspected intrusion victims is a risky gambit. If you suspect a system is compromised, and you connect to it, expect trouble. This applies across the spectrum of intruders, from mindless malware to advanced persistent threat. Your best bet is to gather as much evidence as possible without ever touching the victim, if possible. Since you can't trust the victim to report in a trustworthy manner anyway, this has always been sound advice.

As a bonus, Dave throws in the following:

My favourite latest is the NGINX remote exploit which works even when you don't expect it to!

This reminds me that many intruders use Nginx to host their Web-based C2 servers. If you want to practice aggressive incident response, you may consider attacking that infrastructure yourself. Intruders tend not to be the best defenders.