Practical Incident Response - Work Guide
1 like1,003 views
This document provides an overview of practical malware triage and incident response. It discusses the process of analyzing unknown malware to determine if it is actually malware, what type of malware it is, and how to protect an organization from the threat. It describes common indicators of compromise and tools that can be used for both online and host-based malware triage and analysis. These include tools for dynamic analysis, memory forensics, and building your own analysis lab. The document also discusses indicators for ransomware and the process for responding to a ransomware incident, emphasizing prevention over reaction. Resources for further learning about digital forensics and incident response are also provided.
![A Linux Toolkit for ReverseEngineering
and Analyzing Malware
Emulate the Internet into your REMnux box
to identify network Behavior.
Prepare your machines to get infected.
Remember that sometimes malware
detects virtualized environments and gets
inhibited.
Time to decide:
¿Is your organization ready to block all the IP/Port/URL reported by malware researchers /
authorities / DFIR investigator?
¿How are you going to decide?
Determine the risk.
Determine the exposition.
Eval the personnel capabilities ¿Are they going to unzip and execute a password
protected file?. ¿How often train officials of your organization?
Build your blocked services/host assessment and register where were the block
performed.
[Post] Eval the success of the controls, use it to support your labor:
How many drops, which kind.
Determine source areas, classify it by criticality.
Determine user that tried to open the file multiple times. They need to be
trained.
Ramsonware, the latest menace. Triaging the ransomware, ¿what for?:
¿Which ransomware family have I been infected by?.
¿Is there any public service to decipher the encrypted files?
Confirm if there are compromised users and obtain all the possible information
related to the malware.
Isolate the machine. If a server, confirm if shared files have been affected and
accessed.
Verify shared folders.
Encrypted files aren't malware files, always try to obtain the source malware file.
Triage for Ransomware, ¿is it necessary?
Well, if you have listen about this threat, you know that the best practice is "Prevent, don't
react":
● Invest in security tools: AV / Antimalware.
● Create secure backups, and save them in external storage systems. Remember
backup your data in regular periods.](https://image.slidesharecdn.com/practicalincidentresponseguide-160626212725/85/Practical-Incident-Response-Work-Guide-5-320.jpg)
Practical Incident Response - Work Guide
- 1. PRACTICAL INCIDENT RESPONSE CSIETE Giovanni Cruz Forero Eduardo Chavarro Ovalle Malware Triage: In this practical workshop you will acquire skills and learn about online and host based tools, to answer the following questions: ● ¿Is it really malware? ● ¿Which kind of Malware is it? ● ¿How can I protect my organization from this threat? Once you identify the threat, it's time to prevent incidents related to these sample / threat / Campaign, it's time to decide: ● Apply and share the IoC's, ¿How do I do that? ● ¿Where are IoC's shared, where can I obtain them? ● ¿Which platforms can protect my security? ¿Which organizations? ¿Who do I have to advice? ¿Are you ready to stop the malware?, if so, we are here to give you some tips to STOP the menace.
- 2. GLOSSARY IoC: Indicator of compromise, typical IOCs are malware signatures and IP addresses, MD5/Sha hashes of malware files or URLs or domain names of botnet command and control servers. After IOCs have been identified in a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and AV software. Sample: A copy of a file or piece related to an attempt to attack the information security. Also, can be a suspicious file. Threat: Indication or warning of probable trouble where a piece of software or even hardware is being used to inflict the damage. Campaign: A set of threats used in conjunction to affect the information security of an organization. Malware: Malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. Malware may be stealthy, intended to steal information or spy on computer users for an extended period without their knowledge, as for example Regin, or it may be designed to cause harm, often as sabotage (e.g., Stuxnet), or to extort payment (CryptoLocker). 'Malware' is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms,trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code,scripts, active content, and other software. Malware is often disguised as, or embedded in, nonmalicious files. As of 2011 the majority of active malware threats were worms or trojans rather than viruses. Triage: Is the process of determining the priority of malicious software treatments based on the "Indicators of Compromise", the knowledge of the investigator and public data shared by security researchers, principally, when security platforms can't identify it.
- 3. INCIDENT RESPONSE Incident response is a multidisciplinary profession that focuses on identifying, investigating, and remediating computer network exploitation. This can take varied forms and involves a wide variety of skills, kinds of attackers, and kinds of targets. You’ll need the following traits (not all, but at least a majority of them): ● Curiosity: It’s always about what you don’t know and what are you disposed to learn. ● Attention to Detail: You never know what bit of data makes the difference, where is the info and what gives you information. ● A Need for Variety: One day it’s logs, the next it’s packets, then memory, … don't forget public sources of information. ● Working with People: There’s always an attacker and a victim. ● An Affinity for Stress: You don’t have to like it, but you must handle it. MALWARE TRIAGE The ability to gather data from malware, at a high level, is incredibly essential and a set of skills every DFIR should have. Not only Reversing/Disassembling based analysis. ARTIFACTS IOC ● Paths ● Registry Keys ● Hashing (Full / Partial) ● Strings ● Behavior ● Operating System ● Network connections: Hosts, Protocols www.forensicartifacts.com ● File descriptor ● Hashes ● Network Ports/Hosts ● Registry ● Paths https://www.iocbucket.com/ TOOLS Online AV engines: ❖ www.virustotal.com ❖ http://nodistribute.com/ ❖ http://viruscheckmate.com/free/ Host analysis: http://threatglass.com/ ● Barracuda service.
- 4. ❖ https://scan.majyx.net/ ● Multiple AV engines. ● Comments / Honey detection ● Platform analysis ● File identification ● Malware metadata ● Related files CyberSecurity research service: http://www.teamcymru.org/MHR.html ● Host serving the malware ● Threat source ● Everything in a campaign context. ● An online tool for sharing, browsing and analyzing webbased malware in a Pinterest way. Dynamic analysis: www.malwr.com ● Exe / Ms Office ● Signatures ● Behavior ● Network https://www.hybridanalysis.com ● Dynamic / Static analysis ● Based on VxStream Sandbox v4.30 ● Reserved Indicator (Not for free :( ) ● File details (visual and text) ● Screenshots ● Dropped / Injected files. Host based PEStudio: ● Host based Malware Triage. ● Source: www.winitor.com ● String, DLL/Exes, *.* ● Explorer menu integration Yara: ● source: plusvic.github.io/yara/ ● AV controlled by you, not a replacement but a support tool. ● Don't waste time until your AV updates. ● Build your sandbox and drop any suspicious file there, then use Yara to check it known. Xtreme RAT decrypt and config finder: https://github.com/fireeye/tools/tree/master/ malware/Xtreme%20RAT Memory Forensics: Attackers have moved, using techniques that emphasize using volatile storage, aka memory. Things like memory resident malware can’t be detected on disk, so DFIRs had to move to analyzing memory itself. Also, auditing Volatility: ● Is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples ● You can create descriptions of malware families ● Multiplatform, running on Windows, Linux and Mac OS X, and can be used through its commandline interface or from your own Python scripts with the yarapython extension Build your own Dynamic Analysis Laboratory RENMnux
- 5. A Linux Toolkit for ReverseEngineering and Analyzing Malware Emulate the Internet into your REMnux box to identify network Behavior. Prepare your machines to get infected. Remember that sometimes malware detects virtualized environments and gets inhibited. Time to decide: ¿Is your organization ready to block all the IP/Port/URL reported by malware researchers / authorities / DFIR investigator? ¿How are you going to decide? Determine the risk. Determine the exposition. Eval the personnel capabilities ¿Are they going to unzip and execute a password protected file?. ¿How often train officials of your organization? Build your blocked services/host assessment and register where were the block performed. [Post] Eval the success of the controls, use it to support your labor: How many drops, which kind. Determine source areas, classify it by criticality. Determine user that tried to open the file multiple times. They need to be trained. Ramsonware, the latest menace. Triaging the ransomware, ¿what for?: ¿Which ransomware family have I been infected by?. ¿Is there any public service to decipher the encrypted files? Confirm if there are compromised users and obtain all the possible information related to the malware. Isolate the machine. If a server, confirm if shared files have been affected and accessed. Verify shared folders. Encrypted files aren't malware files, always try to obtain the source malware file. Triage for Ransomware, ¿is it necessary? Well, if you have listen about this threat, you know that the best practice is "Prevent, don't react": ● Invest in security tools: AV / Antimalware. ● Create secure backups, and save them in external storage systems. Remember backup your data in regular periods.
- 6. ● Educate the users in your organization, share and "spread the word" But, just in case, this is the way we attend Ransomware Incidents: 1. Isolate the affected device. 2. Identify principal samples related to the malware: a. Ransom Note b. Sample Encrypted File c. Originating malware 3. Identify the ransomware: https://idransomware.malwarehunterteam.com/ 4. Analyze the most of the files, to be sure which type of ransomware has affected your system. 5. Look for possible ransomware decrypting tools: https://docs.google.com/spreadsheets/d/1TWS238xacAtofLKh1n5uTsdijWdCEsGIM 0Y0Hvmc5g/pubhtml# 6. Cross your fingers and check the tools. 7. Remember the red lines when we told you "Prevent, don't react"?, well maybe is time to do it. Resources: ● Scott J. Roberts, "Introduction to DFIR" http://sroberts.github.io/2016/01/11/introductiontodfirthebeginning/ ● Florian Roth @cyb3rops, Mosh @nyxbone et al, Ransomware Overview https://docs.google.com/spreadsheets/d/1TWS238xacAtofLKh1n5uTsdijWdCEsGIM 0Y0Hvmc5g/pubhtml# ● Wendy Zamora, How to beat ransomware: Prevent, don't react https://www.malwarebytes.org/articles/howtobeatransomwarepreventdontreact/ ● REMnux® is a free Linux toolkit for assisting malware analysts with reverseengineering malicious software https://remnux.org/