If you are looking to learn about how to investigate malware, chances are you’re already infected and under the gun to uncover the source and clean up the mess. Here are a few things to consider before you dig in.
- Do you have a time stamp of when the event took place? Do you know which end system(s) are involved? Answers to these questions matter because often we can look for applications on the machine that were installed just prior to the event. To learn how to run a search like this on an end system, read this post on Cyber Attack Incident Response.
- As the post above points out, it is usually best to observe behaviors before trying to cleanse the system. Rather than unplugging the box from the network, sometimes it is best to remove the end user. How does the machine behave when no one is using it? What addresses does it reach out to? You may need to shut down applications like Skype, Outlook, web browsers, RSS feeds, etc. Also check the autostart entries and shut down those applications as well. Then it is time to observe two things: processes and traffic.
- Process Monitoring: a good application performance monitoring solution can gather system details and trend them over long periods of time.
- Traffic Monitoring: we may also want to monitor the traffic generated by the above processes. Strange communication behaviors (e.g. sending data to an Internet host) could be a telltale sign of an infection disguised as a legitimate app. Watching who an infected machine communicates with may provide additional insight into other machines that might be infected with similar malware.
- When it is all over, document the incident: how it was reported, how it was investigated and, certainly, the steps that led to successful extraction of the malware. Steps the company can take to avoid a similar incident in the future should be outlined.
All of the above are great if you have the infected system in your clutches, but what if you only have an IP address? How do you find the system? Answer: make sure you are collecting flow data. This video on How to Investigate Malware should provide you with some insight.
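The two flow-data questions above (who did the suspect host reach out to after the event, and which other internal hosts talked to the same outside addresses) can be answered from exported flow records. The following is an added example, not code from the original post or from any flow collector; it assumes a constructed CSV export with the columns shown, an internal range of 10.0.0.0/8, and an event time supplied by the analyst.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow export (CSV), not real traffic: one record per flow.
SAMPLE_FLOWS = """\
first_seen,src,dst,dst_port,bytes
2024-03-01T09:30:00,10.0.0.21,203.0.113.77,443,500
2024-03-01T09:58:00,10.0.0.21,10.0.0.5,445,1200
2024-03-01T10:02:10,10.0.0.21,203.0.113.77,443,88000
2024-03-01T10:02:45,10.0.0.21,198.51.100.9,8080,4100
2024-03-01T10:05:00,10.0.0.33,203.0.113.77,443,91000
2024-03-01T10:06:30,10.0.0.40,192.0.2.50,443,3000
"""

# Assumption for the example: everything in 10.0.0.0/8 is "inside".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def parse_flows(text):
    """Parse CSV flow records; first_seen becomes a datetime, counters ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = datetime.fromisoformat(row["first_seen"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def external_peers(flows, host, since):
    """External destinations that `host` reached out to at or after `since`."""
    return sorted({f["dst"] for f in flows
                   if f["src"] == host and not is_internal(f["dst"])
                   and f["first_seen"] >= since})


def hosts_sharing_peers(flows, host, peers):
    """Other internal hosts that also talked to any of the same external peers."""
    shared = defaultdict(set)
    for f in flows:
        if f["src"] != host and is_internal(f["src"]) and f["dst"] in peers:
            shared[f["src"]].add(f["dst"])
    return {h: sorted(d) for h, d in shared.items()}


def investigate(text, host, since_iso):
    """Pivot from one suspect IP and an event time to its peers and to other suspects."""
    flows = parse_flows(text)
    peers = external_peers(flows, host, datetime.fromisoformat(since_iso))
    return {"peers": peers, "suspects": hosts_sharing_peers(flows, host, peers)}


if __name__ == "__main__":
    print(investigate(SAMPLE_FLOWS, "10.0.0.21", "2024-03-01T10:00:00"))
```

Flows earlier than the event time and flows to internal hosts are deliberately left out of the peer list, so the time stamp from the first question above is what keeps the pivot from flagging every external site the host ever visited.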
Ideally, you found this post because you are looking to become proactive: most security professionals agree that, as surely as shoplifters will keep visiting department stores, malware will repeatedly make it onto your network.
When a firewall, IDS, router, or mail server reports abnormal behavior from a specific host, your incident response system provides the context on the event and allows the security team to answer questions such as:
- Where did the event take place?
- When did the incident first begin?
- What is the host’s behavior profile?
- Which specific user was involved?
- Why wasn’t this issue reported by my IDS/IPS?
- Were multiple devices compromised?
Make sure your security team can rely on the incident response system for fast answers to these questions.