Search:
Advanced search
|
Leaked Address ProcedureArticle ID: 163
Last updated: 16 Apr, 2015
DetailsThis is the procedure to follow in case of crisis. Requirements/Conditions/Restraints
InstructionsPlease, follow these steps: 1. [VT] analyze the sample and extract the following information:
2. [VT] send the information via email to SUPPORT with subject "<client name> Leaked address"; 3. [SUPPORT] check if the address is provided by us, and if so shutdown and disable the anonymizer services on the vps; 4. [SUPPORT] send a ticket (department: Security) to client using the "Leaked address (provided by us)" or "Leaked address (not provided by us)" macro, filling in the address parameter accordingly; 5. [SUPPORT] upon client confirmation, forward the email received by VT to FAE including the ticket ID and if the address are provided by us or not; 6. [FAE] contact the client in order to plan a remote session or an assisted session; 7. [FAE] follow these steps one by one, ensuring it is done properly: a. close (do not delete) the factory received via email; b. analyze any instance of that factory in order to understand if it is a real target or not; c. close any instance that seems suspect (if unsure, it's better to close); d. export the latest DEVICE evidence from each suspect instance and send them to SUPPORT; e. check if some legit instance of any factory uses the compromised address and must be recovered (if not, skip to point i); f. turn on the collector (and possibly the vps) and check that the anonymizers are running correctly; g. for each instance, change the configuration in order to use another anonymizer for synchronization; h. wait until new configurations are activated and the instances can send data through the other anonymizer; i. delete the compromised anonymizer from the chain; j. add a new anonymizer into the chain (ask to SUPPORT if you need a new vps); k. download and install the anonymizer proxy on the new vps; l. if still down, turn on the collector and check that the anonymizers are running correctly; m. apply the network topology; n. if needed, change the configuration of the instances in order to use the new anonymizer; o. check that everything is working correctly. 8. [FAE] update the KBC marking as "compromised/removed" the old vps and adding the new vps information, along with any other client's related data; 9. [FAE] send an email to SUPPORT with a status update; 10. [SUPPORT] if vps is provided by us, reinstall the operating system, ask the provider to dismiss the vps and update internal documentation; 11. [SUPPORT] update the client via ticket confirming that the procedure has completed correctly. !!! ⇒ Remember that this procedure follows two main flows: the first one, via email, is for internal purpose; the second one, via ticket, is for the client.
|