Cyber Security Institute

Sunday, March 10, 2013

Does your Incident Response Plan include “The Dark Side of the Internet”?

Integral to this effort is the process of each client learning from the incident and updating their security incident response plans accordingly. One thing that you generally don’t yet find in most such plans is crossing over to the “dark” side of the internet – but moving forward I think it’s likely you may.

Several weeks prior, their client-facing website/application had been “hijacked” and was redirecting clients from certain geographic regions to an overseas site. ... Best guess would be a drive-by malware site, although the geographic discrimination is an unusual twist that would have been interesting to understand. In order to ensure that any traces of the compromise were eradicated, the client rebuilt the site at a different hosting provider on a fresh Content Management System (CMS) install with updated modules/templates. That being said, we had several good data points: an overseas IP address attempting to hit the admin page of the app and the fact that the hacker had signed his website defacement.

One thing many people don’t know about TOR is that it can also be used to connect to “hidden services” on the internet – sometimes referred to as the “darknet”. ...  It’s not for the faint of heart – and despite the “anonymity” that is provided by TOR, you still find yourself looking over your shoulder when you’re on it.

Part of our client’s continuous improvement process is adding TOR/darknet knowledge to their Computer Security Incident Response Team (CSIRT). Hopefully, they won’t have to exercise the plan anytime soon – but if they have a security incident to respond to, their Incident Response Plan now includes a trip to the dark side.


Posted on 03/10