Ransomware is still demand. If the infection has already happened, the analyst must be able to analyze the incident backwards as well as forwards. The risk analysis makes it clear,
- how the infection happened,
- whether it can repeat itself and
- if it's going to spread across the network.
This allows the immediate measures to be defined - minutes can make all the difference when an attack is running. Tracking the attack on the timeline is a basic skill of the analyst.
Requirements for Analysis in the SOC
As soon as the incident is known, the analyst begins the analysis. The runbooks that an SOC has developed for various scenarios play an important role here. The analyst's experience should not be underestimated. For an efficient investigation, the analyst should also know the structure of the environment. This requires that Managed SOC customers are in close and open contact with their service provider. And, of course, that the log sources for SIEM have been selected correctly.
For an incident with executed malware, it is best to have the records of an endpoint monitoring (e.g. Sysmon). This allows the analyst to accurately track which actions were performed on the affected system.
What happened?
The example shows that a Word document with macros and a VBScript interpreter were started in the time window of the infection. Endpoint monitoring also shows where the data was stored. It would be best if the data were still stored in the location where the analyst can copy it to himself and thus reverse engineer the malware.
This will not work in the scenario shown, since the data here came from a removable drive. The analyst must use other data sources to understand how the malware behaved on the infected machine. In the case of removable drives (e.g. USB sticks), the question also arises as to who brought it with them and where it was used everywhere. This is because the infection can spread easily if the stick is still in circulation and used.
Immediate measures
How can the use of this USB stick be traced? This may be something that is not recorded out of the box by endpoint monitoring. This requires the analyst's creativity: what one source of log data can't provide may be found in another source. What is the case in this example: The systems record write accesses to the Windows registry and deliver them to the SIEM.
Through in-depth knowledge of Windows, the analyst knows which write accesses occur when using a USB stick in the registry and can thus find out which label (and possibly which serial number) the stick had.
By evaluating the registry write accesses on all systems of the company, the analyst can quickly find out whether the stick was also used on other computers. This also results in the first immediate measure: Someone on site can check on the affected computers whether they are also infected and, if necessary, take them out of operation. As a further measure, the analyst can set up a new alarm in the SIEM, which is triggered as soon as the USB stick is used again.
Analyst skills in the SOC
In summary, the following skills were required for the analysis shown here:
- Being able to map the incident on the timeline
- Maintaining open contact with the customer
- Creative thinking
- In-depth knowledge of operating systems
- Correct advice for the selection of meaningful data sources
To be continued...
In the 2nd episode of our season you will learn how to proceed after the analysis.