How does your Security Team handle possible viruses/malware?

Drovor Member Posts: 137
I'm curious how other employers handle this situation. In most cases, our Security Team will delegate to the Desktop Team to handle scans/clean up and report the findings back to them.

Comments

  • YFZblu Member Posts: 1,462
    I'll comment within the context of commodity malware, and not something more targeted.

    Workstation: The system gets isolated from the production network to buy time for investigation. If it's an interesting sample or something we don't see often, we'll acquire the drive for file system and registry analysis. Once we're done, it'll be released back to the desktop team for reimage. If we don't collect the drive, evidence and documentation will be built based on what we get via network-based logs and logging we can obtain from the host remotely - and the system will be reimaged immediately following network isolation.

    Server: Depending on the system and what the business has to say about it, this could go in 1,000 different directions. I've worked at companies where an 'owned' server could be removed from its cluster and rebuilt rather quickly. I have also worked for orgs who wouldn't allow for downtime of a compromised server and it was left up and "cleaned". In these cases we usually do our best to convince the org to rebuild the asset after investigation, but sometimes these decisions are made far above our pay grade.

    Honestly if a technical security team is doing anything other than thoroughly investigating possible malware, and recommending a reimage on confirmed malware hits, they are doing a disservice to the org.
  • cyberguypr Mod Posts: 6,928
    I work in a somewhat big, very risk averse entity. We do not delegate any security functions to the Desktop Team. If a machine is suspected of being infected and the confidence level is low, we collect some initial artifacts to help guide the investigation. Since some hosts are not readily accessible, that machine gets quarantined through NAC to a dedicated forensics network. If compromise is identified, the host gets pulled off the network and the fun begins. If it's an obvious false positive, the machine gets released back to the user. For all inconclusive cases we securely wipe the drive and hand the asset over to Desktop for reimaging. Of course it helps having solid policies in place that dictate all user content on the local machine should be considered disposable.

    As YFZblu said, investigations are dynamic and not always set in stone. The actions to take by the responder evolve depending on the characteristics of each particular case. It's way more convoluted than this as we need to check SIEM and other systems to determine how widespread issues are, but hopefully it gives you an idea of the process.
  • elTorito Member Posts: 102
    In the case of an outbreak (say, a cryptolocker virus running rampant), there's often no time to be delegating tasks. At our place, when a major security incident happens, the team of senior admins takes control. The only other person the senior admins will be talking to is the security officer. The security officer, in turn, takes care of communication with management, the business and 1st/2nd line support teams. This allows the admins to do their job properly and efficiently.

    It's the senior team's responsibility to get answers to a few questions as quickly as possible:

    1. What's the scope of the outbreak? Just a few users, or users all over the organization?
    2. Can we get a profile on the specific threat (where did it come from, what is the malware targeting)?
    3. Does the outbreak warrant shutting down specific parts of the infrastructure, or blocking all network traffic going in and out of the perimeter firewall? The aim will be to prevent further damage, thus allowing more time to investigate the incident properly

    After stopping further spread or proliferation of the threat, the fun part begins. Identifying the exact source of the threat. Obtaining a copy of the virus for analysis in a sandbox environment. Engaging the antivirus vendor's support team to obtain updated signatures for the specific variant of the malware. Gauging the extent of the damage caused. Finding indicators of the malware's handiwork and - through tooling or scripting - identifying the data that was affected. Deciding whether data needs to be recovered from backup and engaging the business as to how much data loss they can expect. Remediating or completely wiping infected systems. And so on.

    Luckily, if you implement multiple layers of defense in your organization, and on top of that keep the level of security awareness at a decent level through end user instruction, the chances of something major happening are very slim. But if something does happen, you need to be prepared. If you are part of the team responsible for security, never underestimate a threat. If given a choice of letting the desktop team investigate a seemingly innocent incident or taking charge yourself, always opt for the latter.
    WIP: CISSP, MCSE Server Infrastructure
    Casual reading:
    CCNP, Windows Sysinternals Administrator's Reference, Network Warrior
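    The first question elTorito lists (what is the scope of the outbreak?) and the SIEM check cyberguypr mentions both come down to the same job: take the indicators from the threat profile, run them over whatever telemetry you already have, and produce a per-host timeline so you know which machines to isolate first and which one was hit earliest. The script below is an added illustration of that step, not code from either poster or from any product they use. The proxy and EDR log formats, the host names and the indicator values (the `.invalid` domains and the all-`a` SHA-256) are all constructed placeholders; real formats would come from your own SIEM export.

```python
"""Outbreak scoping from constructed proxy and EDR telemetry (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical indicators from the threat profile. Placeholder values, not real IoCs.
BAD_DOMAINS = {"update-check.example.invalid", "cdn-static.example.invalid"}
HASH_DROPPER = "a" * 64              # placeholder SHA-256 of the dropper binary
BAD_HASHES = {HASH_DROPPER}

# Constructed proxy log lines: "<ISO-8601 ts> <host> <action> <domain>"
PROXY_LOG = [
    "2023-10-05T09:12:03Z ws-017 ALLOW update-check.example.invalid",
    "2023-10-05T09:12:09Z ws-017 ALLOW www.example.com",
    "2023-10-05T09:14:51Z ws-042 ALLOW cdn-static.example.invalid",
    "2023-10-05T09:20:00Z fs-01 ALLOW update-check.example.invalid",
    "2023-10-05T09:21:17Z ws-003 BLOCK update-check.example.invalid",
    "malformed line that a SIEM export sometimes contains",
]

# Constructed EDR file-event lines: "<ISO-8601 ts> <host> <event> <sha256> <path>"
# Paths may contain spaces, so the parser splits on at most four separators.
EDR_LOG = [
    " ".join(["2023-10-05T09:13:30Z", "ws-017", "FILE_CREATE", HASH_DROPPER,
              r"C:\Users\alice\AppData\Local\Temp\setup.exe"]),
    " ".join(["2023-10-05T09:18:02Z", "ws-042", "FILE_CREATE", "b" * 64,
              r"C:\Users\bob\Downloads\quarterly report.pdf"]),
    " ".join(["2023-10-05T09:19:45Z", "ws-042", "FILE_CREATE", HASH_DROPPER,
              r"C:\Users\bob\AppData\Local\Temp\setup.exe"]),
]


def parse_ts(value):
    """Parse the UTC timestamp used in the constructed log formats."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def scope_outbreak(proxy_lines, edr_lines, bad_domains, bad_hashes):
    """Return host -> list of (timestamp, source, detail) for every indicator match.

    A BLOCK in the proxy log still counts: the host attempted to reach the
    domain, which means the malware was running there even if the call-out failed.
    Malformed lines are skipped rather than aborting the whole sweep.
    """
    hits = defaultdict(list)
    for line in proxy_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, action, domain = parts
        if domain in bad_domains:
            hits[host].append((parse_ts(ts), "proxy", f"{action} {domain}"))
    for line in edr_lines:
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts, host, event, sha256, path = parts
        if sha256 in bad_hashes:
            hits[host].append((parse_ts(ts), "edr", f"{event} {path}"))
    return hits


def summarize(hits):
    """Per-host rows ordered by first sighting; the first row is the patient-zero candidate."""
    rows = []
    for host, events in hits.items():
        events.sort()
        rows.append({
            "host": host,
            "first_seen": events[0][0],
            "hit_count": len(events),
            "sources": sorted({source for _, source, _ in events}),
        })
    rows.sort(key=lambda row: row["first_seen"])
    return rows


if __name__ == "__main__":
    for row in summarize(scope_outbreak(PROXY_LOG, EDR_LOG, BAD_DOMAINS, BAD_HASHES)):
        print(f"{row['first_seen'].isoformat()}  {row['host']:<8}"
              f"hits={row['hit_count']}  sources={','.join(row['sources'])}")
```

The ordering by first sighting is what makes this useful during an outbreak: the top row is where the investigation (and the drive acquisition YFZblu describes) should start, and a host that appears in both sources is a confirmed hit rather than a single noisy alert. Swapping the two parsers for your real log formats is the only change needed to run this against an actual SIEM export.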


  • Drovor Member Posts: 137
    Thank you guys for your comments. I have to say our team is rather lax compared to what you guys are describing. From what I can tell though we are a much smaller operation. Would be great if they could take more of a lead role to get a better understanding of what is being reported and hopefully be able to fix the vulnerabilities.