The present exemplary embodiments relate to network security and, more particularly, relate to the cloning of a compromised machine to a controlled environment.
Hacking, defacement and other forms of computer intrusion remain significant threats to enterprises, small businesses and governments. Current approaches typically address the issue either by detecting unauthorized access and raising an alert, or by detecting and blocking such access. For example, a firewall or Intrusion Prevention System (IPS) may monitor the flow of traffic into a given server and block any request that appears to be made with the intent of gaining unauthorized access, such as an SQL injection attempt or similar.
The drawbacks of these solutions are at least twofold. First, compromises often involve new or as yet unknown attack vectors—so-called “zero day” vulnerabilities—and by blocking the request, the opportunity to better understand the attack vector and the technique is lost. Further, by blocking the request, the ability to build future defenses is reduced: the attack itself is blocked, but the events preceding it and those that would have followed it are not observed, and these may expose other vulnerabilities.
Second, when an attack is blocked, it is very difficult to trace and identify the intruder, as their connection to the server is ephemeral. Difficulty in tracing and identifying the culprits is not in the interests of the company, nor in the broader interests of the community, as the attackers may go on to carry out other attacks.
On the other hand, prolonging the access that the intruder has to the compromised machine in order to allow time for them to be traced can extend the risk that the company is exposed.
Accordingly, a balance needs to be found between blocking access by the intruder and allowing the intruder prolonged access to the compromised machine.