 
PRACTICAL INCIDENT RESPONSE 
 
CSIETE 
 
Giovanni Cruz Forero 
Eduardo Chavarro Ovalle 
 
 
 
Malware Triage: In this practical workshop you will acquire skills and learn about online and
host-based tools to answer the following questions:
 
● Is it really malware?
● Which kind of malware is it?
● How can I protect my organization from this threat?
 
 
Once you have identified the threat, it is time to prevent incidents related to that sample,
threat or campaign, and it is time to decide:

● Apply and share the IoCs: how do I do that?
● Where are IoCs shared, and where can I obtain them?
● Which platforms can protect my security? Which organizations? Whom do I have
to advise?
 
 
 
 
 
Are you ready to stop the malware?
If so, we are here to give you some tips to STOP the menace.
   
 
 
 
GLOSSARY 
 
 
IoC: Indicator of compromise. Typical IoCs are malware signatures, IP addresses,
MD5/SHA hashes of malware files, or URLs or domain names of botnet command
and control servers. After IoCs have been identified in a process of incident response and
computer forensics, they can be used for early detection of future attack attempts using
intrusion detection systems and AV software.
 
Sample: A copy of a file or artifact related to an attempt to attack information
security. It can also simply be a suspicious file.
 
Threat: An indication or warning of probable trouble, where a piece of software or even
hardware is being used to inflict damage.
 
Campaign:  A set of threats used in conjunction to affect the information security of an                           
organization. 
 
Malware: Malicious software is any software used to disrupt computer operations,
gather sensitive information, gain access to private computer systems, or display unwanted
advertising. Malware may be stealthy, intended to steal information or spy on computer
users for an extended period without their knowledge (for example Regin), or it may be
designed to cause harm, often as sabotage (e.g., Stuxnet), or to extort payment
(CryptoLocker). 'Malware' is an umbrella term used to refer to a variety of forms of hostile or
intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware,
adware, scareware, and other malicious programs. It can take the form of executable
code, scripts, active content, and other software. Malware is often disguised as, or embedded
in, non-malicious files. As of 2011 the majority of active malware threats were worms or
trojans rather than viruses.
 
Triage: The process of determining the priority of malicious software treatments,
based on the indicators of compromise, the knowledge of the investigator and public data
shared by security researchers, principally when security platforms can't identify it.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
INCIDENT RESPONSE  
 
 
Incident response is a multidisciplinary profession that focuses on identifying, investigating,
and remediating computer network exploitation. This can take varied forms and involves a
wide variety of skills, kinds of attackers, and kinds of targets.
 
You’ll need the following traits (not all, but at least a majority of them): 
 
● Curiosity: It’s always about what you don’t know and what you are willing to learn.
● Attention to Detail: You never know which bit of data makes the difference, where
the information is and what provides it.
● A Need for Variety: One day it’s logs, the next it’s packets, then memory, … and don't
forget public sources of information.
● Working with People: There’s always an attacker and a victim.
● An Affinity for Stress: You don’t have to like it, but you must handle it.
 
 
MALWARE TRIAGE 
 
The ability to gather data from malware, at a high level, is essential and a skill set
every DFIR practitioner should have.

It is not only about reversing/disassembly-based analysis.
 
 
ARTIFACTS (www.forensicartifacts.com)
● Paths
● Registry Keys
● Hashing (Full / Partial)
● Strings
● Behavior
● Operating System
● Network connections: Hosts, Protocols

IOC (https://www.iocbucket.com/)
● File descriptor
● Hashes
● Network Ports/Hosts
● Registry
● Paths
 
TOOLS

Online

- AV engines:
❖ www.virustotal.com
❖ http://nodistribute.com/
❖ http://viruscheckmate.com/free/

- Host analysis:
http://threatglass.com/
● Barracuda service.

❖ https://scan.majyx.net/
● Multiple AV engines.
● Comments / Honey detection
● Platform analysis
● File identification
● Malware metadata
● Related files

- Cyber-Security research service:
http://www.team-cymru.org/MHR.html
● Host serving the malware
● Threat source
● Everything in a campaign context.

● An online tool for sharing, browsing and analyzing web-based malware in a Pinterest way.

- Dynamic analysis:
www.malwr.com
● Exe / MS Office
● Signatures
● Behavior
● Network

https://www.hybrid-analysis.com
● Dynamic / Static analysis
● Based on VxStream Sandbox v4.30
● Reserved indicators (not for free :( )
● File details (visual and text)
● Screenshots
● Dropped / Injected files.
Host based

- PEStudio:
● Host-based malware triage.
● Source: www.winitor.com
● Strings, DLLs/EXEs, *.*
● Explorer menu integration

- Yara:
● Source: plusvic.github.io/yara/
● An AV controlled by you: not a replacement but a support tool.
● Don't waste time waiting until your AV updates.
● Build your sandbox and drop any suspicious file there, then use Yara
to check whether it is known.

Xtreme RAT decrypt and config finder:
https://github.com/fireeye/tools/tree/master/malware/Xtreme%20RAT
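As an added example (not part of the workshop material), the following Python script shows the host-based side of triage against the artifact types listed under ARTIFACTS / IOC above: it hashes a file, extracts its printable strings and matches embedded hosts and registry keys against a shared IoC set. The sample bytes, the host name and the IoC values are constructed placeholders.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for a suspicious file (NOT a real malware sample): a fake MZ
# header followed by the kind of strings PEStudio or Yara would surface.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\x00"
    + b"http://example-c2.invalid/gate.php\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\xff" * 40
)

# Constructed IoC set in the categories the ARTIFACTS / IOC lists name. The hash is a
# placeholder; in practice these values come from a shared feed such as an IoC bucket.
IOCS = {
    "hashes": {"0000000000000000000000000000000000000000000000000000000000000000"},
    "hosts": {"example-c2.invalid"},
    "registry": {r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
}


def file_hashes(data: bytes) -> Dict[str, str]:
    """Full-file hashes to look up on VirusTotal, Team Cymru MHR or an IoC feed."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Runs of printable ASCII, the same view a strings tab gives you."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes, iocs: Dict[str, set] = IOCS) -> Dict[str, object]:
    """Pull the artifact types from the file and match them against the IoC set."""
    hashes = file_hashes(data)
    found = printable_strings(data)
    # Hosts embedded in URLs are compared against the network IoCs.
    hosts = {h for s in found for h in re.findall(r"https?://([A-Za-z0-9.-]+)", s)}
    return {
        "is_pe": data[:2] == b"MZ",  # PE executable magic
        "hash_hit": bool(set(hashes.values()) & iocs["hashes"]),
        "host_hits": sorted(hosts & iocs["hosts"]),
        "registry_hits": sorted(s for s in found if any(k in s for k in iocs["registry"])),
        "sha256": hashes["sha256"],  # the value you would share as a new IoC
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```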
- Memory Forensics:

Attackers have moved to techniques that emphasize the use of volatile storage, aka
memory. Things like memory-resident malware can't be detected on disk, so
DFIRs had to move to analyzing memory itself. Also, auditing

Volatility:

● A tool aimed at (but not limited to) helping malware researchers identify and
classify malware samples.
● You can create descriptions of malware families.
● Multi-platform, running on Windows, Linux and Mac OS X, and can be used through
its command-line interface or from your own Python scripts with the yara-python
extension.
Build your own Dynamic Analysis Laboratory

REMnux

A Linux toolkit for reverse-engineering and analyzing malware.
Emulate the Internet inside your REMnux box to identify network behavior.

Prepare your machines to get infected. Remember that sometimes malware
detects virtualized environments and gets inhibited.
 
 
Time to decide:

Is your organization ready to block all the IPs/ports/URLs reported by malware researchers,
authorities or DFIR investigators?

How are you going to decide?
- Determine the risk.
- Determine the exposure.
- Evaluate personnel capabilities: are they going to unzip and execute a password-protected
file? How often do you train the officials of your organization?
- Build your blocked services/hosts assessment and register where the blocks were
performed.
- [Post] Evaluate the success of the controls and use it to support your work:
- How many drops, and of which kind.
- Determine source areas and classify them by criticality.
- Determine which users tried to open the file multiple times. They need to be
trained.
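The post-block evaluation above (drops by kind, source areas by criticality, users who retried) as an added Python example, not part of the workshop material. The log lines, their key=value format and the area criticality table are constructed assumptions standing in for what your proxy, mail gateway and firewall would record.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed log lines (not from the workshop) in a simple key=value format, standing in
# for the drops your proxy, mail gateway and firewall register once the block is in place.
DROP_LOG = """\
2016-03-01T09:12:01 control=proxy action=BLOCK user=alice area=finance dst=example-c2.invalid
2016-03-01T09:12:44 control=proxy action=BLOCK user=alice area=finance dst=example-c2.invalid
2016-03-01T09:15:10 control=mail action=BLOCK user=bob area=hr attachment=invoice.zip
2016-03-01T09:20:33 control=firewall action=DROP user=- area=dmz dst=203.0.113.7:4444
2016-03-01T10:02:05 control=proxy action=BLOCK user=carol area=finance dst=example-c2.invalid
2016-03-01T10:05:19 control=mail action=BLOCK user=alice area=finance attachment=invoice.zip
2016-03-01T10:09:00 control=proxy action=ALLOW user=dave area=it dst=remnux.org
"""

# Criticality per source area is an assumption of this example; it comes from your own
# risk assessment.
AREA_CRITICALITY = {"finance": "high", "hr": "high", "dmz": "medium", "it": "low"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_log(log: str) -> List[Dict[str, str]]:
    """Turn each line into a dict of its key=value fields plus the timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = dict(field.split("=", 1) for field in m.group("kv").split())
        event["ts"] = m.group("ts")
        events.append(event)
    return events


def evaluate_controls(events: List[Dict[str, str]], retry_threshold: int = 2) -> Dict[str, object]:
    """The post-block evaluation: drops by kind, by source area, and repeat users."""
    drops = [e for e in events if e["action"] in ("BLOCK", "DROP")]
    by_kind = Counter(e["control"] for e in drops)
    by_area = Counter(e["area"] for e in drops)
    by_user = Counter(e["user"] for e in drops if e["user"] != "-")
    return {
        "total_drops": len(drops),
        "by_kind": dict(by_kind),
        "by_area": {a: (n, AREA_CRITICALITY.get(a, "unknown")) for a, n in by_area.items()},
        # Users who hit the control repeatedly are the ones to schedule for training.
        "retrain": sorted(u for u, n in by_user.items() if n >= retry_threshold),
    }


if __name__ == "__main__":
    print(evaluate_controls(parse_log(DROP_LOG)))
```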
 
Ransomware, the latest menace. Triaging the ransomware: what for?

- Which ransomware family have I been infected by?
- Is there any public service to decipher the encrypted files?
- Confirm whether there are compromised users and obtain all the possible information
related to the malware.
- Isolate the machine. If it is a server, confirm whether shared files have been affected and
accessed.
- Verify shared folders.
- Encrypted files aren't malware files; always try to obtain the source malware file.
  
 
Triage for Ransomware: is it necessary?

Well, if you have heard about this threat, you know that the best practice is "Prevent, don't
react":
● Invest in security tools: AV / antimalware.
● Create secure backups and save them in external storage systems. Remember to
back up your data at regular intervals.
● Educate the users in your organization; share and "spread the word".
 
But, just in case, this is the way we attend to ransomware incidents:

1. Isolate the affected device.
2. Identify the principal samples related to the malware:
a. Ransom note
b. Sample encrypted file
c. Originating malware
3. Identify the ransomware: https://id-ransomware.malwarehunterteam.com/
4. Analyze as many of the files as you can, to be sure which type of ransomware has affected
your system.
5. Look for possible ransomware decrypting tools:
https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
6. Cross your fingers and check the tools.
7. Remember the red lines when we told you "Prevent, don't react"? Well, maybe it is time
to do it.
 
 
Resources:

● Scott J. Roberts, "Introduction to DFIR"
http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/
● Florian Roth @cyb3rops, Mosh @nyxbone et al., Ransomware Overview
https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
● Wendy Zamora, How to beat ransomware: Prevent, don't react
https://www.malwarebytes.org/articles/how-to-beat-ransomware-prevent-dont-react/
● REMnux® is a free Linux toolkit for assisting malware analysts with
reverse-engineering malicious software https://remnux.org/
