Lessons Learned from MS07-017

Published: 2007-04-27
Last Updated: 2007-04-27 21:04:28 UTC
by Kevin Liston (Version: 1)
0 comment(s)
Wolfgang, a reader, submitted this link (http://blogs.msdn.com/sdl/archive/2007/04/26/lessons-learned-from-the-animated-cursor-security-bug.aspx) to an MSDN Blog article analyzing their lessons learned from the recent ANI Vulnerability. This reminded me that it’s almost time to perform a similar analysis on my own environment.

Lessons-Learned, or follow-up is the last step in incident response. It also happens to be the most neglected step.

Hopefully, the MS07-017 patch has been safely deployed through most of your environment by now. I know not everyone has by now, and I feel your pain. For those who have, take a few moments to reflect on the event and recall how your environment performed in the early-pre-patch stages and how smoothly the transition to a post-patch state went.

  • Did you have compromises?
  • Did your AV detect the attacks with generic malicious-ANI or MS05-053 signatures?
  • Did your IDS detect the attacks with existing signatures?
  • Were you able to protect your unpatched users with content filtering?

Once you have gathered some of the data from the overall event, ask yourself:

  • “How could this have gone better?”
  • “Are there reasonable changes we could have made to the environment or policy to avoid impact?”
  • “Were the losses acceptable?”
Take these answers and develop a response plan.

At the day-job we needed to tighten the detection and analysis cycle for all of the new malware that was using this vector to get into our network. This means that I’ll probably have an easier time justifying that Sandnet (http://www.lurhq.com/truman/) we’ve been planning to build. We also need to look at the amount of time it takes to block malicious URLs in our response process. We also may want to consider a different content-filtering solution.
0 comment(s)


Diary Archives