Just imagine, you are a security professional, you are sitting in your cubicle (or Corner Office, if you are lucky), quitting-time is only three minutes away on a Friday and you receive a call from your CISO:
"The perimeter IDS just sent an alert to the Operations Center that we have a Malware C2 Connection from inside the corporate network. We have no threat intel to confirm if this IP is actually a C2 Server. We also saw some suspicious emails come in earlier, but the Email admin is on vacation." You hear the CISO murmur under his breath, "We really should have more than one person who runs the Email systems." He continues, "The CEO wants us to initiate a response and have this remediated ASAP."
Your throat swells. Your palms start to perspire. You feel a burning in your eyes as you realize the horror of the situation: Your friend has Barry Manilow VIP tickets for both of you this evening – and there is no way you're leaving the office before the concert concludes.
You think to yourself:
- How do I determine the scope of this infection within the network?
- Why have we not been receiving IDS alerts?
- Why are we not receiving HIPS/Anti-Virus alerts en masse?
- If only I had a way to determine if a file is present across the entire network?
After you accept your fate, you start to prioritize:
You quickly make a checklist of the data points you need in order to determine the scope of the infection:
- How can I identify the malicious files?
- How can I detect which hosts possess the malware?
- How can I determine the behaviors of this malware, and are there other indicators of compromise?
- What level of incident response is necessary?
- Why are my HIPS, NIDS, and Anti-Virus not detecting this?
Step 1: How do you discern the malicious files?
You review your alert for the Malware C2 connection. All you have is a generic name provided by the vendor of the IDS and the C2 IP address. You take a deep breath and have an epiphany: you know of a public web service that keeps a record of file hashes associated with the IP addresses of known malware. With enthusiastic fury, you quickly open the website and enter the C2 IP address. You click submit, the cursor shows that the page is loading, and there you have it: a list of 7 known MD5 hashes[1] associated with this server. The swelling in your throat loosens a little: you have a place to start.
Step 2: How can I determine which hosts possess the malware?
Luckily, you were recently reading about how creating whitelists of known files via md5deep[2] would save your company money if you were ever to need large scale incident response.
You start to hear a faint voice in the back of your head that sings: "Mandy, You came and you gave without taking."
As a result of your earlier whitelisting project, you are running md5deep as a scheduled task on all end-user systems on your network, and each host's file list is uploaded to your database for later use. You log into your database and see that 95% of your hosts have completed their md5deep differential for the day. Things are looking better than when you first started: you have visibility that you would not have had without that scheduled task. Next, you take your list of MD5 hashes and search the database for afflicted hosts. With luck, you recently upgraded this database to a brand-new, top-of-the-line server, and your results are returned in 30 minutes.
You open the CSV file of afflicted hosts and realize you have been logging hostnames, IP addresses, and file paths. You sigh: you have enough information to pull the affected hosts off the network for remediation, but not enough to determine the scope, the method of infection, the network connectivity, or the modifications performed by the malware.
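The database search described above, reduced to its core logic as an added example (this is not code from the original post): parse the per-host md5deep inventories, flag every file whose hash matches the known-bad list, and separately flag files absent from the whitelist baseline as the daily differential. The host names, IPs, paths and hashes are constructed placeholders, and the `<md5>  <path>` line layout is assumed from md5deep's default output.

```python
"""Match per-host file inventories against known-bad hashes and a whitelist baseline."""
import re

# Constructed sample of md5deep-style output ("<md5>  <path>") uploaded by each host.
# Hashes are placeholders, not real malware indicators.
INVENTORIES = {
    ("ws-0017", "10.1.4.17"): """\
d41d8cd98f00b204e9800998ecf8427e  C:\\Windows\\System32\\calc.exe
0123456789abcdef0123456789abcdef  C:\\Users\\bob\\AppData\\Roaming\\svch0st.exe
""",
    ("ws-0042", "10.1.4.42"): """\
d41d8cd98f00b204e9800998ecf8427e  C:\\Windows\\System32\\calc.exe
fedcba9876543210fedcba9876543210  C:\\Users\\alice\\Downloads\\invoice.scr
""",
}
# Whitelist built from an earlier md5deep run over a clean build image.
BASELINE = {"d41d8cd98f00b204e9800998ecf8427e"}
# Hashes the IOC lookup returned for the C2 IP (constructed placeholders).
KNOWN_BAD = {"0123456789abcdef0123456789abcdef"}

MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})  (.+)$")

def parse_md5deep(text):
    """Yield (md5, path) pairs from md5deep-style lines; malformed lines are skipped."""
    for line in text.splitlines():
        m = MD5_LINE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)

def find_hits(inventories, known_bad, baseline):
    """Return (hostname, ip, path, md5, reason) for every file worth a look.

    'known-bad' rows are confirmed IOC matches; 'not-whitelisted' rows are the
    differential against the baseline and need triage before being called malicious.
    """
    hits = []
    for (hostname, ip), text in inventories.items():
        for md5, path in parse_md5deep(text):
            if md5 in known_bad:
                hits.append((hostname, ip, path, md5, "known-bad"))
            elif md5 not in baseline:
                hits.append((hostname, ip, path, md5, "not-whitelisted"))
    # Confirmed matches first so the ops team can pull those hosts immediately.
    return sorted(hits, key=lambda h: h[4] != "known-bad")

if __name__ == "__main__":
    for hit in find_hits(INVENTORIES, KNOWN_BAD, BASELINE):
        print(",".join(hit))
```

In production the inventories come out of the database rather than a dict, but the matching and the differential are the same two set lookups per file.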
For now, you have your operations team go out and pull the afflicted hosts off the network. You feel a small sense of relief that maybe the CISO and CEO will be pleased enough with your progress to allow continuation of the investigation till Monday. You start to think, "Maybe I'll make it to the show after all."
You speak with your CISO. He is pleased with your progress and your ingenuity to create the whitelisting project which allowed for such quick damage control and initial remediation. However, he demands more to thoroughly remediate this situation. You think to yourself: I need a way to both determine indicators of compromise and identify them across the network.
What's Next?
At this point, we have determined the scope of the infection. The method relied on forensic data already collected from the endpoints, the scheduled file-hash inventories, to identify unauthorized files across the network. Had that information not been available, the incident response engagement would have consumed far more time and money. Forensic data is invaluable, but what happens when you only have limited forensic data available?
The next steps will be continued in Part 2 where we will discuss the value of richly enhanced forensic data.
In the meantime, check out Advanced Malware Protection and Detection and Advanced Endpoint Threat Detection for more information on how your organization can rapidly detect and respond to advanced and evasive threats.