Welcome to part 3 of this mini series, dealing with malicious emails. Written for aspiring cyber security analysts to give some insight into the thought processes and day to day life of an analyst without getting too technical.
In the previous post (To be a Cyber Security Analyst – Emails part 2 ) I talked about how I react to malicious emails sent to my network that contain malicious links or URL’s. In this post I will talk about reacting to a malicious email campaign that contains malware or virus’ in the form of attachments.
So as before, I am searching for the shortest path to being able to say, “we are protected against this attack” And as before, being able to make this statement depends on answering a few questions. Each of which I will go into in more detail shortly…
- How many users have received emails with the malicious attachments?
- How many different versions of the malware is there?
- Does our antivirus protect us from some or all of this malware.
- If not, can we determine if the unprotected malware has been executed on the users machines?
- If executed, what is the impact, and has this allowed the malware to spread further across the network.
The order of these questions is set out to try and end the incident as quickly as possible so that I can move onto the next incident. Time is precious! And so I will not start looking into potential impacts of malware detected before I know if we are protected against it or not. Because frankly, if we are protected against a piece of malware, I don’t care what it does.
So lets look deeper into each of the questions set out above…
How many users, how many versions.
When determining how many users have received the email and how many different versions of the malware is attached, I use a lot of the same tactics I set out in my previous post (To be a Cyber Security Analyst – Emails ). This includes but is not limited to…
- Searching by the sender and/or sender domain
- Searching by subject line (in part of in full)
- Searching by patterns noticed in subject lines
- Searching using the SHA256 (unique fingerprint) of the attachment
- Searching using the attachment name (in part or in full)
- Searching using patterns noticed in attachment names.
- Using open source intelligence (posts on the net) to find out about other versions of this malware.
Note: What do I mean by other versions? If I create malware that tells your computer to connect to my server on the internet, that can be one version of a piece of malware I create. Now what if I create the exact same piece of malware but it tells your computer to connect to a different server on the internet? Well that will have a completely different SHA256 fingerprint even though it does essentially the same thing.
In fact, some malware will have random strings (lines of text) coded into them, that change each time the malware is reproduced. And even a single letter that is different will create a completely different SHA256 fingerprint. So when I talk about different versions, I am typically talking about the same piece of malware but with similar or exactly the same behaviors.
Ok back to the topic, using the methods listed above, we now have a list of users that have received the malware, and the different versions of the malware that they have received.
Are we protected?
Always use protection! Now we have our list of different versions of the malware we have received, we can use this list to cross reference which of these our antivirus is already aware of. If all of the computers in our network have Norton Antivirus for example, and I have malware version A, B and C, I can check which of these Norton is already aware of, and protecting against.
Lets say for our example, that our antivirus is already aware of versions A and B, but is completely unaware of version C. My first mitigating action here would be to inform Norton of this new version of the malware, so they can push out an update as soon as possible. (By the way, this stage also represents our first chance to shut this incident down early, if we are protected against all versions of the malware, there is no risk to our network).
Has the malware been executed?
So we know one version of the malware is currently unprotected against. We have informed our antivirus vendor of the new version, but in the meantime, we need to determine if some maniac has gone ahead and executed the malware. There are a couple of options to determine this depending on what tools you have available on your network. Some networks will give you the ability to see what files have been executed on each computer, and this makes this stage very easy, but lets say for our example we don’t have this ability. The next possible action we can do is look for IOC’s
An IOC is an Indicator of Compromise. Something you can look for that tells you that you have been infected. If your screen goes red with a big skull and crossbones and a message appears saying “pay money into this bitcoin wallet or your files will be encrypted forever”… thats a pretty big IOC.
Most malware though does its thing in the background, and so we need to look for clues to tell us which computers have been infected. So, we know version C is the one we need to worry about. I would look online to see if there is already some intel on this version. Lets say for our example I find some analysis someone else has already carried out, and from this analysis I can see the malware connects to an IP address out on the internet. Great, this connection is now an IOC, and I can search all the outbound internet connections through my firewall to see if anyone has connected to this IP address. If anyone has, Bingo, there’s a pretty good chance they have executed the malware (unless the IP address is also used for other, less malicious, activities.
If this intelligence hadn’t already been available online, I would have needed to try and obtain a sample of the malware and carry out some analysis myself but that is a post for another day.
Has it spread? Whats the damage?
Lets assume for our example that we did detect someone connecting to the IP address we found in the intel from the web. And lets also assume that this IP address is not shared by some legitimate content. We now have one probable (I would just assume definite) infected user. So at this point we need to know, what is the damage?
As far as spreading across the network goes, we would hope we would find this information out in the analysis we found online, or in the analysis we carried out ourselves. But on top of this, we can continue to monitor connections to the malicious IP address (usually using dashboards, like an ongoing live search which shows us in real time if some activity is seen). In addition, I would usually look very closely at the network logs for this user to see if anything suspicious was going on.
So what is the damage? Most malware is aimed at stealing something or gaining access to something, and so in the case that the intent of the malware isn’t already obvious from the online intel, you can use tools such as Wireshark (think phone tapping but for networks) to see what information is sent out when executing the malware in a protected sandbox environment. Sometimes it can be a keylogger, gathering all keystrokes for a set amount of time before sending them to the attacker, sometime’s it’s information about the computer you are using, such as your IP address, what services you are running etc, which is usually a prelude to a further attack. In one case I saw malware that waited until the user accessed one of many banking sites and then sent the keystrokes used on that site.
In reality, most decent sized SOC’s (Security Operation Centers) will have a dedicated digital forensics team. In the event I was unsure what a piece of malware was doing on a computer, and if it had installed further malware to try and persist once the original malware was deleted, I would escalate to my digital forensics team.
Hopefully I’ve covered everything, without getting too technical and giving a good overview of the general thought process behind what to do when receiving one or many malicious emails. As I mentioned in the introduction I really wrote this to give an insight into the day to day life of a security analyst for those wanting to get into the cyber security industry. Please leave any questions in the comments section and I will answer ASAP.