I keep reading that the State Legislature in Albany is debating legalizing the right to die, assisted suicide.
That is heady stuff.
In your own network, there are some profound implications to "pulling the plug" on a server, workstation, or network device.
The first question is why you are pulling it.
The second is what you expect to be able to learn afterward about that why.
On almost everything in your network, if you turn it off or pull the plug to cut power, you lose everything that existed only in its memory: the local log buffer and the running state that record what just happened or is happening right now.
That is your forensic evidence.
The support call comes in and says something like, "We have a network problem and the switch is freaking out. We reset the switch and everything is fine now. We want to know what happened."
In most circumstances, the honest answer is, "We don't know and can't tell you, because the logs were destroyed in the reboot."
It is a real dilemma. You need network stability because hundreds, if not thousands, of users are affected, and you need the active logs to determine what happened, but those logs will not survive the reboot.
You have to pick a side and live with the consequences of that decision.
Or you can do what New York State (NYS) expects you to do anyway: stand up a syslog server and forward your critical switch, router and firewall logs to it as they occur. With the record preserved off-box, you are free to reboot the device and review the history of what happened afterward.
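What a syslog server does at its simplest, as an added example that is not from the original post or from Acture: a small Python collector that listens on UDP/514, decodes each message's facility and severity from the RFC 3164 `<PRI>` header, and appends it to a per-device file on disk, which is exactly the record that is gone after a reboot when the device keeps its logs only in memory. The sample switch and firewall messages in the comments are constructed; the management subnet, port and log directory are assumptions to replace with your own. On the device side you point logging at the collector's address (on Cisco IOS that is `logging host <collector-ip>`; the assumption that your switches run IOS is mine, not the post's). In production you would run rsyslog, syslog-ng or your SIEM rather than this script.

```python
"""Minimal RFC 3164 syslog collector (added example, not Acture's code).

Network devices forward log messages over UDP/514, the protocol's traditional
transport.  This script receives them and appends each message to a file named
after the sending device, so the record is on disk and survives a reboot of the
switch, router or firewall that produced it.
"""
import ipaddress
import re
import socket
from datetime import datetime, timezone
from pathlib import Path

# RFC 3164 facility and severity names, indexed by the numeric codes packed
# into the <PRI> field (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram: bytes) -> dict:
    """Split a raw datagram into facility, severity and message text.

    Constructed sample inputs this handles:
      b"<189>45: *Mar  1 00:03:12.345: %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to down"
          -> local7.notice (Cisco gear defaults to facility local7)
      b"<34>Oct 11 22:14:15 fw1 sshd[1234]: Failed password for root from 192.0.2.7"
          -> auth.crit
    A datagram with no <PRI> header at all is treated as user.notice (PRI 13),
    which is what RFC 3164 tells receivers to assume.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    match = _PRI_RE.match(text)
    if match and int(match.group(1)) <= 191:
        pri, message = int(match.group(1)), match.group(2)
    else:
        pri, message = 13, text
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "message": message,
    }


def store(record: dict, source_ip: str, log_dir: Path) -> str:
    """Append one parsed record to <log_dir>/<source_ip>.log and return the line.

    A receive timestamp is prepended because many switches have no battery-backed
    clock and report a bogus date until NTP syncs again after a reboot.
    """
    received = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = (f"{received} {source_ip} "
            f"{record['facility']}.{record['severity']} {record['message']}")
    log_dir.mkdir(parents=True, exist_ok=True)
    with open(log_dir / f"{source_ip}.log", "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def serve(bind_addr: str = "0.0.0.0", port: int = 514,
          log_dir: Path = Path("/var/log/netdevices"),
          allowed_sources: str = "10.0.0.0/8") -> None:
    """Receive datagrams forever and persist them.

    Plain UDP syslog is unauthenticated and trivially spoofable, so only senders
    inside the management network are accepted.  The 10.0.0.0/8 default, the
    port and the directory are assumptions; substitute your own.
    """
    allowed = ipaddress.ip_network(allowed_sources)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))  # port 514 needs root or CAP_NET_BIND_SERVICE
    while True:
        datagram, (src_ip, _) = sock.recvfrom(8192)
        if ipaddress.ip_address(src_ip) not in allowed:
            continue  # drop anything that did not come from the management network
        store(parse_syslog(datagram), src_ip, log_dir)


if __name__ == "__main__":
    serve()
```

Two caveats worth carrying into a real deployment: classic UDP syslog travels in cleartext with no sender authentication, so keep it on the management VLAN or use the TLS transport (RFC 5425) your collector supports; and a syslog server only preserves what the device chose to emit, never the in-memory state of a host, which is why the host isolation discussion later on this page matters.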
During an active intrusion, the decision is even more critical for every device, but especially your firewalls, servers and workstations. The reflex for most people is to start turning devices off to "stop the spread." It does stop the spread, but it also destroys the volatile evidence (running processes, live network connections, attacker tooling that may exist only in memory) that could answer the critical questions of who, when, where and how. There are cases where cutting power is still the right call, such as a machine actively wiping or encrypting data, but that should be a deliberate decision, not a reflex.
Again, a syslog server is your friend in preserving a lot of important things, but if you are like most, you don't ship every log from every device to it, and syslog never captured what existed only in a host's memory in the first place.
Hopefully, you are deploying a robust EDR solution, such as Acture's SentinelOne Complete SOC offerings. A decent EDR product includes a capability called host isolation (some vendors call it network containment or quarantine). It is the ultimate "I am under attack" pause button. The SOC, you, or Acture can isolate a host with a single console action or API call: the agent blocks all of the machine's network traffic except its own channel back to the EDR console. The attacker's tooling on that server or workstation loses its command and control, cannot reach anything else on the network and cannot move laterally, while the machine itself stays powered on with its memory, processes and logs intact. Because the management channel stays open, the SOC keeps full access to the isolated host, can capture the logs and artifacts needed for forensic analysis, and can then mitigate the infection in whatever way makes sense to protect the broader network.
Once the machine is deemed clean, it can be un-isolated and returned to service. Note: To my knowledge, no SOC team un-isolates hosts. They wait for the client to do that. It is a simple task.
If your EDR product cannot isolate hosts, change your protection strategy as soon as possible to one that can; this is a baseline capability, not an advanced one.
If you don't have a quality EDR SOC to do this basic incident response (stopping, isolating and killing the bad guys, even at 1 am), we seriously need to talk about fixing this for your own survival.
Many high-quality vendors offer stripped-down versions of their main offerings to chase price at the expense of robust functionality. When you are under attack, you need your security vendors to provide a robust defense against malicious actors. "Living off the land" attacks, where the intruder uses the operating system's own tools (PowerShell, WMI, remote administration utilities) instead of dropping recognizable malware, have dramatically changed the way we are attacked and the way we must defend compared with even two or three years ago. If this is you, we need to reassess your security stack and ensure it is an adequate defense against these newer, more complex threats.
Being in the middle of a firefight in your network with the bad guys is not the time to realize that you bought something less than what you needed.
Acture Solutions can help with all of this. We want to keep you safe. Give us a call, and we'll determine what's right for your district.
Scott Quimby
Senior Technical Advisor, vCISO, CISSP