7 Lessons: Surviving A Zero-Day Attack

[InfoSec News <alerts () infosecnews org>]

http://www.informationweek.com/news/security/attacks/231601692

By John Foley
InformationWeek
September 19, 2011

When Pacific Northwest National Laboratory detected a cyber attack -- 
actually two of them -- against its tech infrastructure in July, the lab 
acted quickly to root out the exploits and secure its network. PNNL then 
did something few other cyber attack victims have been willing to do. It 
decided to talk openly about what happened.

The lab's CIO, Jerry Johnson, last week provided a detailed accounting 
of the cyber attacks. Speaking at the IW500 Conference in Dana Point, 
Calif., Johnson described how intruders took advantage of a 
vulnerability in one of the lab's public-facing web servers to plant a 
"drive-by" exploit on the PCs of site visitors, lab employees among 
them. For weeks, the hackers then surreptitiously scouted PNNL's network 
from the compromised workstations.

Simultaneously, a spear-phishing attack hit one of the lab's major 
business partners, with which it shared network resources. This second 
group of hackers was able to obtain a privileged account and compromise 
a root domain controller that was shared by the lab and its partner. 
When the intruders tried to recreate and elevate account privileges, 
this action triggered an alarm, alerting the lab's cybersecurity team.

Within hours, the lab made the decision to disconnect its network in 
order to sever the hackers' communications paths and contain any further 
damage. Over the July 4 weekend, while the rest of us were grilling 
burgers, PNNL's security team conducted cyber forensics, reconstructed 
the domain controller, re-imaged systems, and restored network services 
that had been taken off line.

[...]


_____________________________________________________________
Register now for the #HITB2011KUL - Asia's premier
deep-knowledge network security event now in it's 9th year!
http://conference.hitb.org/hitbsecconf2011kul/