Lesson 1, Topic 15
Malware Detected on Endpoint
- Review the relevant events in SEIM and collect the following information:
a) IP address and Hostname of the infected machine
b) Any additional information about the infected machine (asset name, criticality, owner, etc.)
c) The username that is associated with the malware (if applicable)
d) Malware name, file name and hash code
e) Action (clean, quarantine or delete)
f) Infection method if available in the logs (drive-by downloads, email attachments, external drives, etc.)
- Search the malware name, file name or hash code to identify the malware type:
a) Adware: It displays adds on the computer and is the least type of malware
b) Spyware: It spies on your user’s activity without their knowledge. This includes by not limited to Internet browsing activity, collecting keystrokes, data harvesting (account information, logins, financial data).
c) Virus: A virus is a malicious program or code that attaches itself to another piece of software, and then reproduces itself when that software is run. Viruses can be used to steal information, create botnets, steal money, render advertisements, and more.
d) Worm: It is one of the most common types of malware that can be classified as a type of virus with one major difference. Worms can self-replicate and spread independently while viruses rely on human activity to spread (running a program, opening a file, etc.). They often spread by sending mass emails with infected attachments to users’ contacts.
e) Trojan: It is the most dangerous type of malware that disguises itself as a normal file or program to trick users into downloading and installing malware. A Trojan can give a malicious party remote access to an infected computer.
f) Rootkit: It is a type of malicious software designed to remotely access or control a computer without being detected by users or security programs. Rootkit is the hardest of all Malware to detect and therefore to remove. It is recommended to completely wipe out the hard drive and reinstall everything from scratch to remove rootkis.
g) Backdoors: Backdoors are specific types of trojans or worms that are designed to open a backdoor on the computer to give the hackers full remote access to the system.
h) Keyloggers: Records everything the users type to steal log-in names, passwords, and other sensitive information
i) Ransomware: It is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by encrypting the users’ files unless a ransom is paid.
NOTE: It is the recommended to search the following websites to get more information about the malware and level of risk:
- Search for any possible related incident in the ticketing system or the SIEM solution
a) Name of malware
b) Search for the hash code of the binary files
c) Hostname and IP address of the infected machine
In case of finding relevant incidents, create a master incident ticket and link all the existing tickets with the master ticket
- Categorize the incident as malicious code and assign the incident to the appropriate team based on the document “SOC Tier 1 – Security Threat Monitoring Process/Procedure”.
NOTE: Below is the list of available options for the incident types:
Web Application Attack
Unauthorized System Activity
Unauthorized Network Activity
Suspicious System Activity
Suspicious Network Activity
Probes and Scans
Denial of Service
Communication with Malicious Network
- Evaluate the user and analyze the events and network traffic if available:
a) Investigate the attacker source IP address and hostname using the available information sources (X-Force Exchange, IP Void, etc.) to see if it is/has been associated with malicious/unauthorized activity. (Please be careful not to go directly to any sites thought to be malicious)
a. Where is the data coming from and where is it going?
b. Is it associated with known malicious activity or indicators of compromise (e.g., malware, malicious IPs/domains, etc.)?
c. What type of site/IP/hostname is it? Is it an official affiliated vendor, group, association, etc?
d. Does it appear to be a legitimate site/IP/hostname?
e. Are there professional relationships in place? Are they in the same division or industry?
b) Check internal references for authorized exceptions (e.g., CMDB Tool, CSIRT team)
c) Search the SIEM solution for the questionable IP addresses, hostnames, URLs, Users and other indicators of the compromise and look for the patterns that are related to any of the steps in the cyber kill chain:
a. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
b. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
c. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives)
d. Exploitation: Malware weapon’s program code triggers, which takes action on target network to exploit vulnerability.
e. Installation: Malware weapon installs access point (e.g., “backdoor”) usable by intruder.
f. Command and Control: Malware enables intruder to have “hands on the keyboard” persistent access to target network.
g. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.
- Collect as much information as possible about the malware:
a) Services and processes that are used by the malware
b) Ports and network protocols that are used by the malware (Firewall logs or packet sniffing tools can be used if no information is publicly available)
c) Vulnerabilities that are exploited (e.g., software flaws, misconfigurations, social engineering)
d) Malicious filenames, sizes, content, and other metadata (e.g., email subjects, web URLs)
e) Which versions of operating systems, devices, applications, etc., may be affected
f) How the malware affects the infected host, including the names and locations of affected files, altered configuration settings, installed backdoor ports, etc.
g) How the malware propagates and how to approach containment
h) How to remove the malware from the host
- Identify if the malware is propagating
a. If multiple tickets or multiple assets involved with the same category of malware, locate all infected assets and determine risk and impact
b. Verify if those assets are behaving similar way (e.g., sending emails, scanning other hosts)
If so, follow instructions in Containment section to stop the malware propagation
c. If a malware sample is obtained do the following:
i. Run the malware sample through the Malware Analysis Tool ( i.e. FireEye)
ii. Perform an Antivirus Health Check on infected host as per procedures below
- Verify current threat events and validate AV for detection/remediation
- Verify Classification
- Notify management as per escalation procedures below
- Prioritize the incidents based on the instructions provided in the document “Security Incident Management Process”.
- Identify the severity of the incident based on the following scenarios, and assign the incident to the appropriate team based on the document “SOC Tier 2 – Security Incident Triage Process/Procedure”
Any type of malware that is detected on workstations and mitigated automatically by the end-point protection system or any other security products
Any type of malware that is detected on workstations and NOT mitigated automatically by the end-point protection system or any other security products
Any type of malware that is detected on servers and mitigated automatically by the end-point protection system or any other security products
Any type of malware that is detected on servers and NOT mitigated automatically by the end-point protection system or any other security products
Any type of malware that is detected on critical servers and mitigated automatically by the end-point protection system or any other security products
Any type of malware that is detected on critical servers and NOT mitigated automatically by the end-point protection system or any other security products
- For high priority incidents, consider taking forensics images from the memory and file system before taking any action to contain the malware.
a) Image of memory (sample tools: Volatility and Memorize)
b) Bit-by-bit image of the file system (sample tools: dd command, EnCase Forensic Imager)
- Consider possible short-term containment actions:
a) Terminate the malware processes: Some types of malware initiate processes that are visible and unique to that malware. Terminating these processes can be the easiest way to temporarily contain the malware. However, this method cannot be applied on all types of malware as some malware attach themselves to system processes that cannot be easily terminated and some types such as rootkits will hide themselves from the user and even the operating system.
b) Disable vulnerable services: Shutting down the vulnerable services is the best option to contain the malware without losing all services. This process can be done manually on a host or it can be applied to a large set of hosts using the system management tools such as Microsft SCCM or IBM Bigfix.
c) Prevent communication with command and control servers: Majority of malware types are designed to receive instructions from a remote command and control servers. Blocking the malware communication to any external host can be effective to contain the malware. Below are some recommended mechanisms to achieve this goal:
a. Apply filters to firewalls or router ACLs to block IP addresses that are associated with the malware
b. Apply filters to the proxy solution to block the URLs that are associated to the malware
d) Reroute network traffic: Critical servers that are implemented in high availability mode can be disconnected from the network by rerouting the traffic to the other servers. This can be done by setting static routes on firewalls and routers, or by modifying the policies on the load balancers to point the traffic to the other systems.
e) Disable network connectivity: In situations where the infected host can be completely taken offline, we can consider disabling the network connectivity using one of the following methods:
a. Disable the network card on the host
b. Disable the corresponding port on the switches
c. Apply a firewall or an ACL rule to drop all the communication to the infected hosts.
f) Shut down the server: In situations where the malware continues the harmful actions on the host in an isolated environment with no network activity, shutting down the server might be the last option to contain the malware.
- If malware is present, contain the malware immediately to prevent further collateral damage. This may mean revoking user accounts, blocking access at the firewall or updating antivirus rules to catch the malicious code.
- Consider possible long-term containment actions:
a) System patching: If the list of vulnerabilities that are exploited by the malware is available, the most effective long-term option to contain the malware is to apply the required patches to fix those vulnerabilities. It is recommended to leverage the system management solutions such as Microsoft SCCM or IBM Bigfix to apply the available patches on all vulnerable hosts instead of limiting it to only the infected machines.
b) Content filtering using anti-spam solutions: If the malware is leveraging the email attachments as the attack vector, the anti-spam software can be configured to block emails or email attachments that have certain characteristics, such as a known bad subject, sender, message text, or attachment name or type.
c) Content filtering using web proxy solutions: If the malware is leveraging the drive-by download method on specific web sites, the proxy solution can be configured to block any access to those malicious web sites.
d) Executable blacklisting: Some operating systems, host-based IPS products, and other technologies can restrict certain executables from being run. For example, administrators can enter the names of files that should not be executed. If antivirus signatures are not yet available for a new threat, it might be possible to configure a blacklisting technology to block the execution of the files that are part of the new threat.
e) Recover compromised accounts: If there is some evidence that shows the malware has compromised some accounts, the password of those accounts should be reset or the account should be deleted/disabled to prevent further damage.
- If the exfiltration was user initiated, fully document the case and escalate to CSIRT and HR/legal teams.
- Identify the attack vector and consider one of the following actions to protect the other assets:
a) If the Malware is downloaded from a website, pass the URL to the Infrastructure Security Admin team to consider blocking the URL on the proxy or IPS.
b) If the malware is downloaded from an email (attachment, URL), identify the associated email and pass the information to the Infrastructure Security Admin to consider blocking that email in the anti-spam products.
c) If the malware signature does not exist in the end-point protection system or IPS, share the malware information (name, files, binary, etc.) with the vendor of the end-point protection or IPS solutions.
d) If there is any evidence of Malware calling home, pass the URL/IP address to the Threat Intelligence team to consider blocking the IPs or URLs.
- Conduct further network and host forensics as required
- If there are any unauthorized changes on the protective technology by the internal users or admins, ensure all the user accounts that are associated with the person are disabled.
- If malware is still present, follow the steps below to completely remove the malware from the infected machines:
a) Back up the sensitive information on the infected machine
b) Disconnect system from the Internet
c) Boot in safe mode or with a live antivirus rescue disk
d) Try to identify the actual malware and search for fixes
e) Scan with multiple programs until no infections are found
f) Clean up temporary files and unused programs
g) Remove system restore points
- If the host has one of the following characteristics, consider wiping out the drive and rebuilding the system from scratch instead of performing typical eradication actions that are explained in the previous step:
a) One or more attackers gained administrator-level access to the host.
b) Unauthorized administrator-level access to the host was available to anyone through a backdoor, an unprotected share created by a worm, or other means.
c) System files were replaced by a Trojan horse, backdoor, rootkit, attacker tools, or other means.
d) The host is unstable or does not function properly after the malware has been eradicated by antivirus software or other programs or techniques. This indicates that either the malware has not been eradicated completely or that it has caused damage to important system or application files or settings.
e) There is doubt about the nature of and extent of the infection or any unauthorized access gained because of the infection.
- If the incident is left open for an extended period (e.g., 7+ days) Ensure at least one follow-up notification is sent and If they are still unresponsive, escalate to management for action
- Make sure the system meets company standards or baselines, before returning it to service
- Work with the Threat Intelligence team to refine existing rules or develop new signatures/rules to detect activity, as necessary.
- Look for attacker’s artifacts to come back:
a) Changes to configuration files and registry
b) Unusual processes
c) Account used by the attackers and simultaneous logins
- Put together a report detailing what happened, why it happened, what could have prevented it, and what you’ll be doing to prevent it from happening again.
- Meet with management to go over the report and get their approval for the changes needed to prevent similar incidents in the future.