Why Clean-up Hacking?
by Brent Kirkpatrick
(Date Published: 2/23/2018. Revised: 10/19/2018)
Hackers do not always write machine code to a computer's hard drive while gaining access. Sometimes they obtain run-time access to memory without installing anything on the hard drive. In other cases, hackers are able to read the contents of memory without even gaining run-time access. An investigation that examines only the disk will find no trace of either. Clean-up also involves preventing these kinds of unauthorized access.
Clean-up is a graduated form of incident response. Incident responders typically assume they are responding to a single intrusion by a single hacker. Clean-up makes no such assumption: it proceeds on the basis that there could be multiple intrusions, possibly by multiple hackers, at the same time.
One way to begin clean-up is with digital forensics. Many business people want digital evidence of an intrusion before they take steps to stop it. However, a forensic investigation can take months, and it is irresponsible to leave the hackers with access for the months it takes to recover detailed evidence. There are also significant hacks that standard digital forensics approaches cannot detect.
Clean-up is typically driven by detection rather than by digital forensics. Detection is lightweight digital forensics: its methods look for anomalous activity on computers and networks. When a detection method alerts us to anomalous activity, responsible administrators initiate clean-up procedures.
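As an added example, not code from the original page or its author: the Python below is one small instance of the lightweight detection described above, aimed at the run-time-only access discussed earlier. It parses a Linux /proc/<pid>/maps listing and flags executable memory regions that no file on disk accounts for, which is exactly what a disk-only investigation cannot see. The maps listing is a constructed sample, not output from a real system or incident, and the "executable but not file-backed" rule is this example's own choice of indicator rather than a method the page prescribes.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample of /proc/<pid>/maps output for a hypothetical process.
# It is not taken from a real system or incident; the two anonymous executable
# regions were planted to stand in for code that was mapped at run time and
# never existed as a file on disk.
SAMPLE_MAPS = """\
55d4c3a00000-55d4c3a21000 r--p 00000000 08:01 1310738  /usr/bin/python3.11
55d4c3a21000-55d4c3bf0000 r-xp 00021000 08:01 1310738  /usr/bin/python3.11
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7f2a1c021000-7f2a1c031000 rwxp 00000000 00:00 0
7f2a1c400000-7f2a1c5a0000 r-xp 00000000 00:00 0
7f2a1d000000-7f2a1d1c1000 r-xp 00000000 08:01 1048603  /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2b3e0000-7ffd2b401000 rw-p 00000000 00:00 0        [stack]
7ffd2b44a000-7ffd2b44c000 r-xp 00000000 00:00 0        [vdso]
"""

# Pseudo-regions the kernel maps into every process; they have no backing
# file but are not evidence of injected code.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]", "[vvar]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp": read, write, execute, private/shared
    inode: int   # 0 means the region is not backed by a file
    path: str    # empty for plain anonymous memory

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def file_backed(self) -> bool:
        return self.inode != 0


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields: address perms offset dev inode [pathname]. The pathname may
        # contain spaces, so split at most five times.
        fields = line.split(None, 5)
        addr, perms, _offset, _dev, inode = fields[:5]
        path = fields[5] if len(fields) > 5 else ""
        start, end = (int(x, 16) for x in addr.split("-"))
        mappings.append(Mapping(start, end, perms, int(inode), path))
    return mappings


def suspicious_mappings(mappings: List[Mapping]) -> List[Mapping]:
    """Return executable regions that no file on disk accounts for.

    JIT compilers (Java, browsers, some interpreters) create such regions
    legitimately, so a hit is a lead for triage, not proof of intrusion.
    """
    return [
        m for m in mappings
        if m.executable and not m.file_backed and m.path not in KERNEL_REGIONS
    ]


def scan_pid(pid: int) -> List[Mapping]:
    """Run the same check against a live Linux process (needs ptrace rights)."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_mappings(parse_maps(f.read()))


if __name__ == "__main__":
    for m in suspicious_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"{m.start:#x}-{m.end:#x} {m.perms} {m.size:#x} bytes, no backing file")
```

On the constructed sample this reports the two anonymous executable regions and nothing else: the file-backed code of the interpreter and libc, the anonymous but non-executable heap and stack, and the kernel's [vdso] are all excluded. Run over every process on a host, the same check is cheap enough to repeat daily, which is the point of detection as opposed to a months-long forensic examination; the hits it produces are where a fuller investigation, or a clean-up, starts.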
Clean-Up (TM). Incident response driven by data.