After the Storm — Cleaning up After a Malware Incident

Rook Security (SECOPS)
Published Dec 17, 2012 (5 min read)

One of our thought leaders, JJ Thompson, recently discussed malware incident response on the ISC2 webinar “After the Storm — Cleaning up After a Malware Incident”. If you missed it, you can listen to the replay at:
https://www.brighttalk.com/webcast/5385/60443

Abstract:
Malware continues to be an issue for organizations of all sizes and industries. While the focus remains on preventing malware incidents, having a response plan in place is a necessity. Without such an incident response plan, making the correct decisions in the spur of the moment can become extremely difficult, making a bad situation even worse.

  • Do we have a plan in place to effectively respond to a malware incident?
  • Do our executives provide necessary resources to combat malware?
  • Do our IT security professionals communicate the business case for fighting off malware effectively?
  • Is our organization prepared to defend against a zero day?
  • Are we up to date with our patching efforts?
  • Are we prioritizing our patching efforts to focus on real threats being used in our industry?

During the webinar, some of the attendees asked questions. Below are a few of them that we thought would be of benefit to everyone, along with their answers. Some additional resources are also located at the bottom of the page.

How do you keep the chain of custody when dealing with security incidents? Do you have to present the malware as evidence in a court of justice?

The fluffier answer is: During any forensics investigation, it is extremely important to keep a chain of custody and an accurate log of all analysis performed on the malware. Also, ensure your incident response plan is always up to date and covers these scenarios so you are prepared if such an incident takes place. The primary reason for having the plan and protocol documented and APPROVED by internal counsel is that your team will already know exactly how counsel wants documentation and evidence collection handled should a case go to court.

SANS has released a good public reference for incident handling.

The direct answer may be found in NIST's specific guidance on chain of custody (pages 3–4).

Here’s what it says:
“Before the analyst begins to collect any data, a decision should be made by the analyst or management (in accordance with the organization’s policies and legal advisors) on the need to collect and preserve evidence in a way that supports its use in future legal or internal disciplinary proceedings. In such situations, a clearly defined chain of custody should be followed to avoid allegations of mishandling or tampering of evidence. This involves keeping a log of every person who had physical custody of the evidence, documenting the actions that they performed on the evidence and at what time, storing the evidence in a secure location when it is not being used, making a copy of the evidence and performing examination and analysis using only the copied evidence, and verifying the integrity of the original and copied evidence. If it is unclear whether or not evidence needs to be preserved, by default it generally should be preserved.
In addition, several other steps should be taken. Throughout the process, a detailed log should be kept of every step that was taken to collect the data, including information about each tool used in the process.

The documentation allows other analysts to repeat the process later if needed. Additionally, evidence should be photographed to provide visual reminders of the computer setup and peripheral devices. In addition, before actually touching a system, the analyst should make a note or photograph of any pictures, documents, running programs, and other relevant information displayed on the monitor. If a screen saver is active, that should be documented as well since it may be password-protected. If possible, one person on the scene should be designated the evidence custodian, and given the sole responsibility to photograph, document, and label every item that is collected, and record every action that was taken along with who performed the action, where it was performed, and at what time. Since the evidence may not be needed for legal proceedings for an extended time, proper documentation enables an analyst to remember exactly what was done to collect data and can be used to refute claims of mishandling.”
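One way to put the NIST guidance above into practice, as an added example that is not part of the original post or any Rook Security tooling: a small Python custody log that records each custodian's action with a UTC timestamp, hashes the original item once at collection, and verifies every working copy against that baseline so a mismatch is caught and logged rather than silently fixed. The evidence file, case identifier and analyst names are constructed placeholders.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Hash in 1 MiB chunks so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

class CustodyLog:
    """Append-only log of custodian, action, UTC time and hash for one evidence item."""

    def __init__(self, item_id, original, custodian):
        self.item_id, self.original = item_id, Path(original)
        self.original_hash = sha256_file(self.original)  # baseline before any analysis
        self.entries = []
        self.record(custodian, "collected", f"sha256={self.original_hash}")

    def record(self, custodian, action, note=""):
        self.entries.append({"item": self.item_id, "custodian": custodian, "action": action,
                             "time": datetime.now(timezone.utc).isoformat(), "note": note})

    def make_working_copy(self, copy_path, custodian):
        """Analysis happens on the copy only; its hash is checked and logged at copy time."""
        shutil.copyfile(self.original, copy_path)
        ok = sha256_file(copy_path) == self.original_hash
        self.record(custodian, "copied", f"dest={copy_path} match={ok}")
        return ok

    def verify(self, path, custodian):
        """Re-hash the original or a copy; a mismatch is logged, never silently repaired."""
        ok = sha256_file(path) == self.original_hash
        self.record(custodian, "verified", f"path={path} match={ok}")
        return ok

def demo():
    """Constructed sample file (placeholder, not real malware), a clean copy, then a tampered copy."""
    work = Path(tempfile.mkdtemp())
    sample, copy = work / "sample.bin", work / "sample_copy.bin"
    sample.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed sample, not real malware")
    log = CustodyLog("CASE-0001-ITEM-01", sample, "analyst A")  # placeholder case id
    copy_ok = log.make_working_copy(copy, "analyst A")
    copy.write_bytes(b"modified")  # simulate mishandling of the working copy
    tamper_caught = not log.verify(copy, "analyst B")
    return copy_ok, tamper_caught, log.verify(sample, "analyst B"), len(log.entries)
```

Persisting `log.entries` to write-once storage (or signing each entry) is what turns this from a convenience into evidence; the in-memory list is just the shape of the record.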

How do you keep malware from coming in? When you block the IP addresses, they just change them and come in via a different route.

The best defense against malware getting into your network is proactive monitoring and identification of threats through deployment of standardized malware controls that address the common points of infection.

For network defense and for detection of malware on inbound email: a lot of clients rely on their Next Generation Firewalls to detect malware on the wire.

For hosts/endpoints: it's key to deploy standardized images and monitor those images to make sure the controls stay deployed (see the link below). Additionally, patching is critical: most malware exploits human error through email or the web browser, but then leverages existing weaknesses, many of which could have been mitigated through patching.

Is it a good idea to involve digital forensic experts before involving law enforcement authorities in the case of a malware incident?

Yes, it is a good idea to involve digital forensic experts first because you need more information before you decide if it’s necessary to contact law enforcement. That initial investigation should primarily focus on the infection point and if possible the source of the malware. Once you believe you have sufficient information regarding the malware, you need to work with internal counsel to determine if counsel is interested in litigating. If not, then there may not be interest to contact law enforcement.

We have heard more and more that Mobile Devices (especially Androids) are prime targets for malware. Can you recommend any anti-malware products that protect mobile devices?

In our opinion, anti-malware products that have been released for mobile devices do not sufficiently defend against malware to be relied upon as the sole defense. Even traditional endpoint protection products that originated from AV and have been around for years don't do a great job of protecting against new malware (this has even been publicly acknowledged by AV vendors). There are a few products in the works that are due out in 2013 that may make this more of a reality, but for now, we recommend using a solution from a reputable third-party vendor on this front.

In addition to an anti-malware product on the devices themselves (assuming your question relates to an organization), we would highly recommend a zoned security architecture. For this specific case, have mobile devices use a separate network so any malware introduced through a mobile device vulnerability remains confined to that network.

Additional References:
How malware spreads

Solid data zones can help prevent spread

Sample Malware Controls Matrix
