You know that your company is carrying infections that your threat detection systems haven’t unearthed. Malware is sitting on a host in some corner of the network waiting for the time when it has to check in again with the Command and Control (C&C) server out on the internet. If instructions are given, it will make a move and if you are able to spot the incident, what will you do as part of your cyber attack incident response? Here are 4 of our focuses when following up on a cyber-threat incident.
Containment: Are you ready to run over and unplug that infected computer from the local network? Not so fast! Cutting off the malware’s ability to phone home can be an unwise course of action. Why? Because some infections are programmed to assume they have been discovered if they can’t get to the Internet and will lay dormant for weeks before making another attempt. Rather than flipping the power switch, sometimes it is more important is to monitor who the sick computer is communicating with internally as this could lead to identifying other in house computers that are also infected. If you want to clean up the contagion quickly, the best first move is to form a course of action. For example, remove the user from the computer and perhaps shut down all running applications that could be phoning home (e.g. Skype, iTunes, web browser). This should dramatically reduce traffic to and from the computer. Now it’s time to monitor and follow up. Who does the machine communicate with all on it’s own. Do you see any Microsoft-DS (TCP 445) traffic. Does it look normal? In other words, use flow data to determine if connections are just occasional “are you there” connections or do you see what looks like a significant amount of data being transferred to or from other machines?
Follow these traffic trends back for a couple weeks in an attempt to identify other machines the infected host could be receiving data from or sending data to. Most security professionals find that flow data such as NetFlow and IPFIX can offer up this type of historical information without being as verbose as packet capture.
Root Cause: It’s time to dig in. How and when did the infection initiate? How do you figure out where to look? These are both great questions. To do this, I suggest going back to when you first discovered the malware and take a look at the time stamp. Flow trends that indicate when the data transfer took place can be a great place to start. Loaded with the time frame, we like to run something called WinPrefetchView on the infected PC. You can sort by time stamp and look for applications that were installed at or just before the time of the traffic event. It also displays the last time the application ran.
The above utility is great for trying to match up when the event occurred with flow data which displays when the application created traffic. Once we isolate the executable, how do we ascertain how it got there? It could have been email. Checking what messages where received at the time of the incident is easy enough. It could also have occurred when a web page was visited. To check this, we need the browser history. Almost all browsers provide this.
Now that we know which infected email message caused the infection, we can check the mail server logs to see who else received the same message. If it was a web page, we can view the proxy log or the flow history if URL data is being exported. Make sure you are saving this data before you need it!
Here are some other web sites for finding great investigative utilities:
- Digital Detective – Free Tools
- Forensic Control Free Computer Forensic Tools
- Mandiant Free Software
- RedWolf Computer Forensics
Malware Analysis: What was the intent of the malware? Is it using a key logger to harvest passwords? If it is connecting to internal servers, is it grabbing certain files and then exfiltrating them out to a host on the Internet? Run flow reports to find out.
What files were they, what did they contain and are they of concern to your customers? A lot of time can be invested here and the answers can help lead to insight as to how the malware moved around the network. Once all of the end systems are identified, we can take them off line, clean them and reintroduce them onto the network.
Strengthen Defenses: After all the research, you should know how the malware got in, what the traffic looked like and what it was after. Ask yourself how your team can use this information to strengthen the corporate defenses against a potential reoccurring attack.
Educating end users is often a good first step. On the technical side, monitoring for the unique behavior should also be configured. A good incident response system that leverages flow data allows for this. Give our team a holler to learn more.