How do you detect where a virus came from?

jahaziel Member Posts: 175
How do you detect where a virus came from? Basically, what tools can I use to detect the origin of the virus?

Comments

  • buhusky Member Posts: 12
    You don't need tools, the answer is easy - the Internet, unless your roommate is a coder.
  • 5ekurity Member Posts: 346
    Are you talking about in the context of who actually 'wrote' the virus? Or the attack vector by which someone was infected?
  • jahaziel Member Posts: 175
    I mean the way the person got affected. By email or through a download. My company wants me to track this down for them.
  • iBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,309
    Looking at the timestamp of the file and at the user's internet and email logs for the 30 minutes prior would be a good place to start.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
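The correlation described in the post above, worked through as an added example (not code from the original thread): take the timestamp of the dropped file, pull the user's proxy and mail log entries from the 30 minutes before it, and flag the entries that could plausibly have delivered the payload (an attachment, or a download of an archive or executable). The log formats, hostnames, user name and all log lines are constructed for illustration; the proxy lines mimic a Squid-style access log and the mail lines a simplified Postfix-style record, so adapt the two parsers to whatever your proxy and mail gateway actually emit.

```python
"""Narrow down the infection vector by correlating a malicious file's
timestamp with the user's proxy and mail logs from the 30 minutes before it.

Added example for this thread, not code from the original post. Everything
below is constructed for illustration: the proxy log mimics a Squid-style
access log, the mail log a simplified Postfix-style line, and the
timestamps, hosts and user are made up. Adapt the parsers to your own logs.
"""
import os
import re
from datetime import datetime, timedelta

# Constructed: when the malicious file appeared, e.g. from the AV alert or
# from file_timestamp() run against the quarantined sample.
FILE_TIME = datetime(2015, 6, 3, 14, 22, 10)

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status> <bytes>"
PROXY_LOG = """\
2015-06-03T13:40:05 10.1.2.33 GET http://intranet.example/portal 200 5120
2015-06-03T14:05:41 10.1.2.33 GET http://www.example.net/news 200 31002
2015-06-03T14:20:58 10.1.2.33 GET http://cdn-update.example.biz/invoice.zip 200 184320
2015-06-03T14:21:49 10.1.2.33 POST http://cdn-update.example.biz/gate.php 200 512
2015-06-03T14:30:12 10.1.2.33 GET http://www.example.net/weather 200 2210
"""

# Constructed mail log: '<timestamp> to=<user> from=<sender> subject="<subject>" attachment=<name|->'
MAIL_LOG = """\
2015-06-03T09:02:11 to=jdoe from=hr@example.com subject="Benefits update" attachment=-
2015-06-03T14:18:30 to=jdoe from=billing@example.biz subject="Invoice 8842" attachment=invoice_8842.zip
2015-06-03T16:00:00 to=jdoe from=it@example.com subject="Patch window" attachment=-
"""

# File types that commonly carry a first-stage payload; a hit on one of
# these inside the window is the lead to chase first.
RISKY_EXT = re.compile(r"\.(zip|rar|7z|exe|scr|js|jar|docm?|xlsm?|pdf)$", re.I)

MAIL_RE = re.compile(
    r'^(?P<ts>\S+) to=(?P<to>\S+) from=(?P<sender>\S+) '
    r'subject="(?P<subject>[^"]*)" attachment=(?P<att>\S+)$'
)


def parse_proxy(text):
    """Turn proxy lines into events; flag downloads of risky file types."""
    events = []
    for line in text.splitlines():
        ts, client, method, url, status, size = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "source": "proxy",
            "flag": bool(RISKY_EXT.search(url)),
            "detail": f"{client} {method} {url} -> {status} ({size} bytes)",
        })
    return events


def parse_mail(text):
    """Turn mail lines into events; flag messages that carried an attachment."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue  # unrecognised line: skip rather than guess
        d = m.groupdict()
        events.append({
            "time": datetime.fromisoformat(d["ts"]),
            "source": "mail",
            "flag": d["att"] != "-",
            "detail": f'to={d["to"]} from={d["sender"]} subject="{d["subject"]}" attachment={d["att"]}',
        })
    return events


def events_before(file_time, events, minutes=30):
    """Events in the window [file_time - minutes, file_time], oldest first."""
    start = file_time - timedelta(minutes=minutes)
    return sorted((e for e in events if start <= e["time"] <= file_time),
                  key=lambda e: e["time"])


def leads(file_time, events, minutes=30):
    """Only the flagged events in the window: the likely delivery candidates."""
    return [e for e in events_before(file_time, events, minutes) if e["flag"]]


def file_timestamp(path):
    """Modification time of a real file on disk, usable as file_time.
    Caveat: mtime is preserved when a file is unpacked from an archive, so
    on Windows prefer the creation time (os.stat(path).st_ctime there) or
    the AV alert time itself."""
    return datetime.fromtimestamp(os.stat(path).st_mtime)


if __name__ == "__main__":
    all_events = parse_proxy(PROXY_LOG) + parse_mail(MAIL_LOG)
    for e in events_before(FILE_TIME, all_events):
        mark = "!!" if e["flag"] else "  "
        print(f'{mark} {e["time"]:%H:%M:%S} {e["source"]:5} {e["detail"]}')
```

On the constructed data the window contains four events, two of them flagged: an email with a zip attachment at 14:18 and a zip download from an unfamiliar host at 14:20, followed by a POST to the same host a minute later. That ordering is the point of the exercise: the attachment arrives first, the download and the check-in follow, which is what you would expect if the user opened the attachment and it fetched the real payload. Mind the timestamp caveat in `file_timestamp()`: unpacking an archive keeps the original mtime, so the AV alert time or (on Windows) the creation time is the safer anchor.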
  • SaSkiller OSWP, GPEN, GWAPT, GCIH Member Posts: 337
    The first question of IT: "What changed?" Ask the user what they did immediately before the detection if it was a host-based detection; if it was network-based, then look at your timestamps and ask the same question. The capability to detect the method of transmission is determined by the threat and the tools you have available.

    For instance, we see things like CryptoWall or other ransomware. Historically we know that it is primarily distributed via email or via exploit kits. If you start seeing IDS phone-home alerts from out of nowhere, then chances are it came in from personal or work email (if it had been an EK, you would expect to see detection of the landing page and/or exploit/malware download). If the user has adware or other software on the system, then you should consider that they downloaded a trojan: they installed something that brought a friend with it, etc.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • cyberguypr Senior Member Mod Posts: 6,917
    The question is, what tools do you have in place? Proxy, email, host logs, antivirus, any centralized logging a la syslog, Splunk, etc.? Some places don't log crap and expect detailed reports of attack vectors and whatnot.