Casual Attitudes Towards Malware……


The printer is broken… They deleted the file share again… Thirteen new patches came out today that need to be applied… IT (Information Technology) never ends.

The day-to-day routine of fighting fires can be a drain, even near impossible to keep up with for most IT departments. Almost everyone in Information Technology is understaffed and overworked; this is the reason most often cited by organizations for adopting a very casual attitude towards their malware response efforts – that malware infections are “just another fire that needs to be contained”. In the end, organizations state that they just don’t have the time or resources to deal with malware properly, and as a result it is treated as just another part of day-to-day operations.

As consultants, we regularly perform assessments in which we analyze network traffic to identify malware in our clients’ environments. Even when an organization is running up-to-date anti-virus (AV), installing patches as recommended, and using common preventative security controls (web and email filters, IPS), we usually (about 80% of the time) end up finding systems that are infected with malware and communicating over the internet using common C&C protocols.

As you might expect, we report any malware infection to the client as soon as we discover it so they can begin their incident response process. As you might not expect (unless you inferred it from the headline of the article), many organizations respond to the malware infections in a VERY casual manner. What do we mean by casual manner?

  • Response efforts can take days
    • In many cases, efforts take longer than the seven-day window over which we run the assessment
  • Response efforts are usually to clean and move on
    • The most common technique we see is that an organization downloads free scanners (such as Malwarebytes or AVG) and runs them on the machine until no malware is detected

There are multiple problems with these approaches.

Slow Response Times………

Slow response times can actually increase the scope and success of a breach. Once malware gains a foothold on a system, a dropper will usually begin to load additional components in stages – the quicker you are able to respond, the more effectively your team will be able to limit the scope of the breach. In several instances, we have observed components that steal documents, or that hold files for ransom, being loaded days after the initial malware infection was reported – had the response been quicker, sensitive information would likely not have been compromised. Additionally, for malware components that steal user credentials, the longer the malware resides on the system, the more likely it is that a user will log into an on-line account that can then be abused for ill-gotten gains.

Clean and Move On……….

While this is the most common response effort, it is also the most dangerous, as it leaves unanswered two very important questions that must be addressed whenever there has been unauthorized access to a system.

  • What information was compromised?
    • Any time unauthorized access has been made to a system, a full inventory of the following should be taken to determine what digital assets were placed at risk:
      • Sensitive information stored on the hard drive
      • Sensitive information processed by the system
      • On-line accounts used on the system (bank, vendor, etc.)
    • Using this information, the organization should then conduct a risk analysis to determine the potential impact if the information on the system were in fact compromised. If warranted (by the amount or severity of the information impacted), the organization should follow up with a full forensic review of the system, before proceeding further, to determine whether sensitive information was in fact breached. Some regulations (such as HIPAA) require this effort as part of the breach reporting process, and it should be considered “due diligence” for any organization with regulatory requirements or handling sensitive information.
  • What was changed?
    • Once malware has effectively made it onto your system (it has bypassed AV), it is extremely difficult to tell what changes have been made to the system. Subtle code changes to system files, back doors that evade AV scanners (which have only a 30% real-world detection ratio), and other malware artifacts are just a few examples of changes that can be made and then missed by running a secondary anti-virus scanner. The truth is, unless you can compare the infected system’s files against a hash list of known-clean files, there is no way to know exactly how far the malware was able to dig into the operating system, and there is no way you can trust the system any more. Organizations should adopt an approach to response that includes rebuilding an infected system from a known-good source, such as:
      • Completely rebuilding from scratch
      • Restoring from a known-good backup (if you can definitively determine when the infection began)
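The “compare against a hash list of known-clean files” check described above, as an added example that is not part of the original article: it builds a SHA-256 manifest of a file tree taken from a known-good image, takes a second manifest of the same tree later, and reports every file that was modified, added or removed. The directory layout, file contents and file names (including the dropped “svchosts.exe”) are constructed for the example; real baselines should come from vendor-published hashes or a reference image, not from the suspect machine.

```python
"""Diff a suspect file tree against a known-clean SHA-256 manifest.

Added example, not code from the original article. The sample tree is
built in a temporary directory with made-up contents purely to show the
mechanics; a real baseline comes from a trusted reference image.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of one file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so an attacker-planted link cannot make a clean file
    stand in for a replaced one.
    """
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report what differs between the known-clean manifest and the suspect one.

    Any non-empty list means the system is no longer the one that was imaged,
    and the text above applies: rebuild it rather than trust a scanner.
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tree, then simulate what a dropper might do."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System32").mkdir()
        (root / "System32" / "kernel32.dll").write_bytes(b"clean kernel32 bytes")
        (root / "System32" / "winlogon.exe").write_bytes(b"clean winlogon bytes")
        (root / "Temp").mkdir()
        (root / "Temp" / "installer.log").write_bytes(b"install ok")

        baseline = build_manifest(root)  # in practice: hashes from the known-good image

        # Simulated post-infection changes (invented for the example):
        (root / "System32" / "winlogon.exe").write_bytes(b"patched winlogon bytes")  # subtle code change
        (root / "System32" / "svchosts.exe").write_bytes(b"backdoor bytes")          # dropped component
        (root / "Temp" / "installer.log").unlink()                                   # cleanup by the malware

        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add. First, run the comparison from clean boot media or against a disk image, not from inside the running (possibly rootkitted) operating system, which can lie about file contents. Second, a clean file-hash diff is necessary but not sufficient: persistence in the registry, scheduled tasks, services or firmware is outside what this check sees, which is why the text still recommends a rebuild.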

By answering these two questions and prioritizing response times to malware infections, organizations will make a huge leap from “burying their heads in the sand” to a proactive and effective Incident Response Program, one that works better in practice and does more to protect important digital assets.
