PRACTICAL INCIDENT RESPONSE
CSIETE
Giovanni Cruz Forero
Eduardo Chavarro Ovalle
Malware Triage: In this practical workshop you will acquire skills and learn about online and
host-based tools to answer the following questions:
● Is it really malware?
● Which kind of malware is it?
● How can I protect my organization from this threat?
Once you identify the threat, it's time to prevent incidents related to this sample / threat /
campaign, and it's time to decide:
● Apply and share the IoCs. How do I do that?
● Where are IoCs shared, and where can I obtain them?
● Which platforms can protect my security? Which organizations? Whom do I have
to advise?
Are you ready to stop the malware?
If so, we are here to give you some tips to STOP the menace.
GLOSSARY
IoC: Indicator of compromise. Typical IoCs are malware signatures and IP
addresses, MD5/SHA hashes of malware files, or URLs or domain names of botnet command
and control servers. After IoCs have been identified in a process of incident response and
computer forensics, they can be used for early detection of future attack attempts using
intrusion detection systems and AV software.
Sample: A copy of a file or piece related to an attempt to attack information
security. It can also be a suspicious file.
Threat: An indication or warning of probable trouble, where a piece of software or even
hardware is being used to inflict the damage.
Campaign: A set of threats used in conjunction to affect the information security of an
organization.
Malware: Malicious software is any software used to disrupt computer operations,
gather sensitive information, gain access to private computer systems, or display unwanted
advertising. Malware may be stealthy, intended to steal information or spy on computer
users for an extended period without their knowledge (for example Regin), or it may be
designed to cause harm, often as sabotage (e.g., Stuxnet), or to extort payment
(CryptoLocker). 'Malware' is an umbrella term used to refer to a variety of forms of hostile or
intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware,
adware, scareware, and other malicious programs. It can take the form of executable
code, scripts, active content, and other software. Malware is often disguised as, or embedded
in, non-malicious files. As of 2011 the majority of active malware threats were worms or
trojans rather than viruses.
Triage: The process of determining the priority of malicious software treatments
based on the indicators of compromise, the knowledge of the investigator, and public data
shared by security researchers, principally when security platforms can't identify it.
INCIDENT RESPONSE
Incident response is a multidisciplinary profession that focuses on identifying, investigating,
and remediating computer network exploitation. This can take varied forms and involves a
wide variety of skills, kinds of attackers, and kinds of targets.
You’ll need the following traits (not all, but at least a majority of them):
● Curiosity: It's always about what you don't know and what you are disposed to learn.
● Attention to Detail: You never know what bit of data makes the difference, where
the info is and what gives you information.
● A Need for Variety: One day it’s logs, the next it’s packets, then memory, … don't
forget public sources of information.
● Working with People: There’s always an attacker and a victim.
● An Affinity for Stress: You don’t have to like it, but you must handle it.
MALWARE TRIAGE
The ability to gather data from malware at a high level is essential, and a set of
skills every DFIR practitioner should have,
not only reversing/disassembly-based analysis.
ARTIFACTS IOC
● Paths
● Registry Keys
● Hashing (Full / Partial)
● Strings
● Behavior
● Operating System
● Network connections: Hosts, Protocols
www.forensicartifacts.com
● File descriptor
● Hashes
● Network Ports/Hosts
● Registry
● Paths
https://www.iocbucket.com/
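As an added example (not from the workshop or from the sites listed above), a minimal host-based triage in Python that pulls three of the artifact kinds listed above out of a sample (full hashes, strings, and the hosts embedded in them) and matches them against a small IoC set; the sample bytes and the IoC values are constructed for the exercise, not real indicators.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample for the exercise: a fake PE header followed by strings an analyst
# might find in a dropper. Not a real malware file.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 +
          b"cmd.exe /c start http://c2.example.invalid/update.php\x00"
          b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")

# Constructed IoC set (assumed values, not real indicators). The full hash is derived
# from the constructed sample so that the demo matches; in practice it comes from a feed.
IOC_SET = {
    "md5": {hashlib.md5(SAMPLE).hexdigest()},
    "sha256": set(),
    "strings": {"cmd.exe /c", "CurrentVersion\\Run"},
    "hosts": {"c2.example.invalid"},
}

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")                   # ASCII runs of 6+ chars
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)  # rough hostname pattern

def hash_sample(data: bytes) -> Dict[str, str]:
    """Full-file hashes, the cheapest artifact to compare against a feed."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data: bytes) -> List[str]:
    """Printable ASCII strings, like the 'strings' tool or PEStudio's string view."""
    return [m.decode("ascii") for m in PRINTABLE.findall(data)]

def triage(data: bytes, iocs: dict = IOC_SET) -> Dict[str, List[str]]:
    """Match a sample's hashes, strings and embedded hostnames against the IoC set."""
    hits = {"hashes": set(), "strings": set(), "hosts": set()}
    for algo, digest in hash_sample(data).items():
        if digest in iocs[algo]:
            hits["hashes"].add(f"{algo}:{digest}")
    for s in extract_strings(data):
        hits["strings"].update(n for n in iocs["strings"] if n in s)
        hits["hosts"].update(h.lower() for h in HOST_RE.findall(s)
                             if h.lower() in iocs["hosts"])
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    for kind, values in triage(SAMPLE).items():
        print(f"{kind}: {values or '-'}")
```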
TOOLS
Online
AV engines:
❖ www.virustotal.com
❖ http://nodistribute.com/
❖ http://viruscheckmate.com/free/
Host analysis:
http://threatglass.com/
● Barracuda service.
❖ https://scan.majyx.net/
● Multiple AV engines.
● Comments / Honey detection
● Platform analysis
● File identification
● Malware metadata
● Related files
CyberSecurity research service:
http://www.teamcymru.org/MHR.html
● Host serving the malware
● Threat source
● Everything in a campaign context.
● An online tool for sharing, browsing and analyzing web-based malware in a Pinterest way.
Dynamic analysis:
www.malwr.com
● Exe / Ms Office
● Signatures
● Behavior
● Network
https://www.hybrid-analysis.com
● Dynamic / Static analysis
● Based on VxStream Sandbox v4.30
● Reserved Indicator (Not for free :( )
● File details (visual and text)
● Screenshots
● Dropped / Injected files.
Host based
PEStudio:
● Host-based malware triage.
● Source: www.winitor.com
● Strings, DLLs/EXEs, *.*
● Explorer menu integration
Yara:
● Source: plusvic.github.io/yara/
● An AV controlled by you: not a replacement but a support tool.
● Don't waste time waiting until your AV updates.
● Build your sandbox and drop any suspicious file there, then use Yara to check whether it is known.
Xtreme RAT decrypt and config finder:
https://github.com/fireeye/tools/tree/master/malware/Xtreme%20RAT
Memory Forensics:
Attackers have moved to techniques that emphasize using volatile storage, aka memory.
Things like memory-resident malware can't be detected on disk, so DFIRs had to move to
analyzing memory itself. Also, auditing
Volatility:
● A tool aimed at (but not limited to) helping malware researchers to identify and classify
malware samples
● You can create descriptions of malware families
● Multiplatform, running on Windows, Linux and Mac OS X, and can be used through its
command-line interface or from your own Python scripts with the yara-python extension
Build your own Dynamic Analysis Laboratory
REMnux
A Linux toolkit for reverse-engineering and analyzing malware.
Emulate the Internet inside your REMnux box to identify network behavior.
Prepare your machines to get infected. Remember that sometimes malware detects
virtualized environments and gets inhibited.
Time to decide:
Is your organization ready to block all the IPs/ports/URLs reported by malware researchers /
authorities / DFIR investigators?
How are you going to decide?
Determine the risk.
Determine the exposure.
Evaluate the personnel's capabilities: are they going to unzip and execute a password-protected
file? How often do you train the officials of your organization?
Build your blocked services/hosts assessment and record where the blocks were
performed.
[Post] Evaluate the success of the controls; use it to support your work:
How many drops, and of which kind.
Determine source areas; classify them by criticality.
Determine the users that tried to open the file multiple times. They need to be
trained.
Ransomware, the latest menace. Triaging the ransomware: what for?
Which ransomware family have I been infected by?
Is there any public service to decipher the encrypted files?
Confirm whether there are compromised users and obtain all the possible information
related to the malware.
Isolate the machine. If it is a server, confirm whether shared files have been affected and
accessed.
Verify shared folders.
Encrypted files aren't malware files; always try to obtain the source malware file.
Triage for ransomware: is it necessary?
Well, if you have heard about this threat, you know that the best practice is "Prevent, don't
react":
● Invest in security tools: AV / anti-malware.
● Create secure backups and save them in external storage systems. Remember to
back up your data at regular intervals.
● Educate the users in your organization; share and "spread the word".
But, just in case, this is the way we attend to ransomware incidents:
1. Isolate the affected device.
2. Identify the principal samples related to the malware:
a. Ransom note
b. Sample encrypted file
c. Originating malware
3. Identify the ransomware: https://idransomware.malwarehunterteam.com/
4. Analyze as many of the files as possible, to be sure which type of ransomware has affected your
system.
5. Look for possible ransomware decrypting tools:
https://docs.google.com/spreadsheets/d/1TWS238xacAtofLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
6. Cross your fingers and check the tools.
7. Remember the red lines when we told you "Prevent, don't react"? Well, maybe it is time
to do it.
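An added example, not part of the workshop material, that automates step 2 of the playbook above: it walks a directory and separates the ransom note, the encrypted files and the candidate malware file, which matters because the encrypted files are not the malware itself. The directory, its contents, the note keywords, the "MZ" header check and the entropy threshold are all constructed assumptions for the exercise.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Heuristics used below are assumptions for this exercise, not rules from the workshop.
NOTE_HINTS = ("decrypt", "bitcoin", "your files", "ransom")
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Average information per byte; plain text is roughly 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path) -> str:
    """Sort a file into one of the three sample kinds the playbook asks for."""
    data = path.read_bytes()
    head = data[:4096].decode("latin-1").lower()
    if sum(hint in head for hint in NOTE_HINTS) >= 2:
        return "ransom_note"
    if data[:2] == b"MZ":                       # Windows executable header
        return "candidate_malware"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "other"

def triage_directory(root: Path) -> Dict[str, List[str]]:
    """Walk a share or user profile and group the files by sample kind."""
    groups: Dict[str, List[str]] = {"ransom_note": [], "candidate_malware": [],
                                    "encrypted": [], "other": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            groups[classify(p)].append(p.name)
    return groups

def build_demo_share() -> Path:
    """Constructed directory standing in for an affected share (contains no real malware)."""
    root = Path(tempfile.mkdtemp(prefix="rw_triage_"))
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted! Send bitcoin to decrypt them.")
    (root / "report.docx.locked").write_bytes(os.urandom(16384))   # stands in for ciphertext
    (root / "update.exe").write_bytes(b"MZ" + b"\x00" * 1024)       # stands in for the dropper
    (root / "notes.txt").write_text("quarterly planning notes\n" * 40)
    return root
```

Run `triage_directory(build_demo_share())` to see the grouping; on a real share, point `triage_directory` at the affected path and hand the "candidate_malware" files, not the "encrypted" ones, to the identification services in step 3.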
Resources:
● Scott J. Roberts, "Introduction to DFIR"
http://sroberts.github.io/2016/01/11/introductiontodfirthebeginning/
● Florian Roth @cyb3rops, Mosh @nyxbone et al., Ransomware Overview
https://docs.google.com/spreadsheets/d/1TWS238xacAtofLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
● Wendy Zamora, How to beat ransomware: Prevent, don't react
https://www.malwarebytes.org/articles/howtobeatransomwarepreventdontreact/
● REMnux® is a free Linux toolkit for assisting malware analysts with
reverse-engineering malicious software https://remnux.org/