Solved

Data migration project

Posted on 2013-02-06
382 Views
Last Modified: 2013-11-22
I have been tasked with migrating data from one network into another. The former network has been riddled with successful attacks. The data must undergo a quarantine process but I am not sure what the best strategy might be.

As of right now an arsenal of antivirus software seems to be the best alternative, along with OS-independent transfer using a "dumb" box. I was wondering if someone has a suggestion to minimize the risk of transferring potentially corrupted data into the new network.
Question by: paulycrackerhead
4 Comments
 
Expert Comment

by: wshty
ID: 38860089
How much data are we talking about?

If it's less than 2 TB I'd suggest copying it to an external drive and scanning it with all sorts of live CDs and malware scanners / cloud scanners.
Connect it to a PC which is separated from the LAN/intranet (but has access to the internet).

Regards
 

Author Comment

by: paulycrackerhead
ID: 38864373
It should be no more than 5 TB at most, if not less than 3 TB. We are making sure that the process is air gapped, and the current solution is to run them through all sorts of malware scanners. What I am seeking is a specific strategy: a way to statistically eliminate any possibility of corrupted data passing by us (i.e. botnet, zero-day threats). Is there any publication that you can refer me to that shows the best theoretical way, or a historical incident that has been quarantined successfully using a specific process?

Or am I being too paranoid, and is an arsenal of antivirus software in fact the best option?
 
Accepted Solution

by: wshty (earned 500 total points)
ID: 38867206
Hi,

Well, if you want to absolutely make sure that no data is being passed by the scanner: delete all data and start over (this is the most effective process ever known ;-)

Yes, of course this is a joke and by no means an option for you.

I am no anti-malware expert, to say this first, but then again I'd be working for an AV company instead of posting here :-)

There is absolutely NO guaranteed success in this, even if you scan the data with 20+ anti-malware scanners.
The malware could still reside on the drive and not be detected.
There is enough malware out there which is currently not detected by any scanner.
BUT it still is the best way to get rid of it, short of starting over or recovering from backup (a recovery point where you can definitely say that data from this backup is not corrupted, which you may very well not know).

Zero-day threats which may have corrupted your data are no zero-day threats anymore, so it is very probable that AV companies release new AV patterns for them.

So, if you want to migrate the data I suppose that you set up a new server (or comparable) which is in a completely separated network for this.

In most cases that means the following:
Copying all necessary data to an external drive (or something similar) separates it from the OS, meaning that the data on the external drive is simply data which may contain harmful software, but there is no OS that could be utilized by it.

If you then boot a standard PC (or server) with a live CD (see this link for a list of AV live CDs: http://www.livecdlist.com/purpose/windows-antivirus ),
the potentially infected drive has no means to "jump" over to the new PC (autoplay, index, etc.).

If you want to keep your data you have either this option or recovering your data from backup.

There is no real best practice for this kind of situation.
Or at least I don't know of any.
It is either scan the hell out of that data or jeopardize the data's integrity,
and when it comes to infected data you can never be too paranoid.
And being paranoid means that you do not trust the OS the data resides on unless it is a live CD :-)

P.S.:
Speaking of paranoid: did you already check (CHECK!) the client PCs for malware, since they connect to the server?
A very essential piece to mind if you want to rid your network of malware.

Regards
 

Author Comment

by: paulycrackerhead
ID: 38867987
Thank you for the detailed suggestions. These are methodologies that we have planned and in place already. The quarantine process will involve OS-independent transfer using a dumb box, and 3 servers are involved that are dedicated specifically to the process. Everything is air gapped, so no network will come in contact with another at any point in time.

The major issue is how we set up a new network and still allow the client access to their old data on their new drive when the data comes from an old network riddled with custom-built malware hidden in PDF files and God knows what else. It's a mess, but I guess from the last two suggestions all we can do is put it through a random AV wash cycle, make it OS independent, dump it in the new network and hope for the best. Thanks guys!