Tuesday, May 5, 2009

The malware question

Not long ago I asked myself a simple question.

How does an organization deal with malware when it comes to incident response and investigation?

The answer turned out to be quite complex and vague in nature. My answer? It depends.

So I started thinking..well what does it depend on?

I came up with the following list(with a little commentary):

What is it? Is it known or unknown? This is tricky because even the known (according to vendor definition) holds a lot of unknowns.

In an ever increasing trend, even the malware that has definitions, is poorly defined. These are what I've been calling "undocumented features". An antivirus vendor will commonly only provide a partial technical analysis to its customers. This leaves us in a state of having a definition, but only one that provides enough information to classify something as malicious. Your organization must evaluate what requires analysis and to what depth. In the past year or so, definitions are generic and generally useless in helping you determine the true capabilities of malware.

What is it capable of?

As above, malware capabilities must be learned before determining the risk to the organization. At present, I no longer believe in 'simple' malware. Each day I find the Gateway Malware Theory to be true. Capabilities tend to fly under the radar of many tools. In many organizations, if malware is detected, the threat is considered contained, even though this has been shown to be untrue. Containment is just the beginning.

What privileges does it require?

In several cases, malware that executes with user level privileges is operating in a crippled manner. Likewise, there is malware that only requires user level privileges to pose a risk. Many types of malware will lose their ability to establish a persistence mechanism when executed without elevated privileges.

What privileges did it have at the time of infection?

As above, If the malware executed with administrative rights, then regardless of its capabilities, it has all the access it requires to completely overtake a system. It can download additional malware and that malware adds more risk. Additionally, depending on its intended purpose, it will have full access to the data on the system.

How does it communicate?

This is important for a few reasons, not the least of which is encryption. If the malware communicates in an encrypted manner with a controller, then there may be almost no way to determine the contents of any transfer. This communication channel can help dictate the type of response to the infection.

Is it designed to search for or steal data?

Malware designed to search for or steal data obviously poses a greater risk to an organization than malware that is not designed for that purpose. The type of data that malware is intended to steal presents another twist. Take an Infostealer variant. On one hand, it may be designed to steal credit cards and bank account information. Another Infostealer variant may be designed to go after World of Warcraft information. It's all in the details.

Is data of a sensitive nature present or processed on the infected system?

This is important. If sensitive data is not present, processed on or accessible from the infected system, then what is the real risk? Maybe credential theft?

Does the user or system have access to other systems processing or storing sensitive data?

If the user that was logged in during the infection has access to sensitive data, or sensitive data is accessible from the system, then there is an inherently higher risk to the organization. If sensitive data is passed through the system, it's at risk. Simple enough.

Does the malware pose a risk to the individual user data or the organizations data?

Using the infostealer variant from above, if the malware is designed to steal things like amazon and ebay payment information versus say, execute a weaponized version of an SSN identification tool, then the risk to the organization is likely lower, unless of course the organization deals with amazon or ebay.

How long was the malware on the affected system, how was it detected, what actions were taken to remove the threat?

This one is kind of important. Many times I end up looking through antivirus log files and prior to the detection of the malware by the antivirus product- usually within the same 24 hour period, the antivirus definitions on the system were updated. What does this imply? It implies that the system was likely infected for longer than 24 hours. Was the malware caught before execution(auto protect mechanisms) or was it caught during a routine manual or scheduled scan? Again, the details make a difference. The delta from Time of Compromise to Time of Containment conributes to the Window of Risk. In addition, if the antivirus product did not fully remove the threat (some products will log certain types of threats versus actually stop them), then there is still a problem.

Being able to answer these questions will allow you to make a stronger case when presenting a case to a decision making body. This applies directly to the Reasonable Belief Criteria


Keydet89 said...

The only issue I see with all of these questions is what amounts to an answer to your first question (ie, How does an organization deal with malware...).

Understand that I'm an incident responder, so I get called by folks who need my assistance. In most cases, they've either simply powered off systems, or they've "cleaned" the systems and want me to answer the questions you posed. Most times, this occurs without a sample.

The best approach is what I said during the 2008 SANS Forensic Summit...when asked on the panel as to when a customer should call me, I responded with "...BEFORE an incident occurs."