With malware, it is important to know what connections it has established over the network. If it has attacked other systems on the network, this must be detected. And of course it must also be possible to evaluate whether data has been uploaded to or downloaded from the Internet. There are many ways to get there; what will be available in most environments are firewall, proxy or packet capture logs.
Image: Network connections opened by the infected computer
This is where the analyst's know-how comes into play again: he must be able to distinguish the requests that are noise (requests arising from normal operation) from those that were made by the ransomware. In this scenario, the analyst quickly realizes that the requests to a particular domain and IP address are not part of normal operation and are therefore related to the ransomware.
What are artifacts and what do you do with them?
The domain and IP address found are artifacts: remnants in the log data that were created by the ransomware. For the analyst, such artifacts are important for three reasons:
- He can check whether other systems have also connected to this domain or IP address. If other systems have made such requests, it must be assumed that the infection has spread.
- An alarm can be set up that triggers as soon as the artifacts are seen on other systems. This allows a quick reaction to a spread.
- The artifacts also allow him to find out whether anything is already known about the ransomware.
Benefits of Threat Intelligence Service
The last point in particular is interesting: various sources collect analyses of malware and provide the artifacts and evaluations. In the context of these sources, the artifacts are called Indicators of Compromise (IOCs). This makes the analyst's work much easier, because he does not have to reinvent the wheel. terreActive's Threat Intelligence Service offers a feed that aggregates sources such as Kaspersky and others and makes them available to the customer as an easily maintainable bundle. This service also incorporates the findings from the SOC's own activities, which is a further advantage, as specific results from Switzerland are taken into account and stored.
In our example, the infection could have been detected much earlier if a threat feed had already been integrated into the SIEM: at the moment the first IOCs became visible in the logs, and not only after the ransomware had already encrypted the data.
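As an added example (not code from the original article or from terreActive), the following Python script performs the checks described above: it sweeps constructed proxy log lines for the domain and IP address from a threat feed, reports which internal hosts contacted them, and flags a spread beyond the first infected machine. The IOC values, log lines and host addresses are constructed placeholders, not real indicators.

```python
# Added example, not from the original article: sweep proxy log lines for the
# IOCs of a threat feed and report which internal hosts contacted them.
import re
from collections import defaultdict

# Constructed IOCs as a feed would deliver them (placeholder values).
IOCS = {"domains": {"malicious-c2.example"}, "ips": {"203.0.113.45"}}

# Constructed squid-style proxy lines: source IP, status, method, URL.
PROXY_LOG = """\
10.0.0.12 TCP_MISS/200 GET http://www.example.org/index.html
10.0.0.12 TCP_MISS/200 POST http://malicious-c2.example/gate.php
10.0.0.27 TCP_MISS/200 GET http://cdn.example.org/update.js
10.0.0.27 TCP_MISS/200 GET http://api.malicious-c2.example/ping
10.0.0.31 TCP_MISS/200 GET http://203.0.113.45/payload.bin
"""

HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)

def matches_ioc(host, iocs):
    """True if host is an IOC IP, an IOC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in iocs["ips"]:
        return True
    return any(host == d or host.endswith("." + d) for d in iocs["domains"])

def hosts_contacting_iocs(log_text, iocs):
    """Map each internal source host to the IOC hosts it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the sweep
        src, url = parts[0], parts[3]
        m = HOST_RE.match(url)
        if m and matches_ioc(m.group(1), iocs):
            hits[src].add(m.group(1).lower())
    return dict(hits)

def spread_detected(hits, patient_zero):
    """Any host other than the already known infected one reached an IOC."""
    return bool(set(hits) - {patient_zero})

if __name__ == "__main__":
    result = hosts_contacting_iocs(PROXY_LOG, IOCS)
    for src, targets in sorted(result.items()):
        print(f"ALERT {src} -> {', '.join(sorted(targets))}")
    print("spread beyond patient zero:", spread_detected(result, "10.0.0.12"))
```

The same matching logic is what a SIEM rule fed by a threat feed would run continuously, so that the first hit on an IOC raises an alarm instead of the encryption being the first symptom.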
Sometimes, however, simpler sources such as a search engine are sufficient alongside a threat intelligence feed: in the case of widespread attacks, a search for the artifacts quickly leads to sources that describe the threat in more detail. If you don't find any clues, this can be a sign that you were one of the first victims of the attack or that it was built specifically for certain targets. All these sources (both specialized and generic) give the analyst a basis for further analysis, as he can compare the information found with the situation at the client's site. This scenario shows the Cerber ransomware, for which a lot of documentation can be found in different sources.
So far only an evaluation of HTTP accesses has been shown. In practice, many other sources are also relevant: using firewall logs, for example, the analyst can find out whether the ransomware has tried to access file servers or other workstations. Depending on the data found, it may be advisable to extend the analysis to the servers.
Depending on the situation, the analyst will continue in one way or another. In the next article we will show you what becomes important once the analysis has been completed.
Analyst skills in the SOC
In summary, the following skills are required for this phase of an analysis:
- Experience with malware
- Distinguishing noise from relevant data
- Good knowledge of network protocols
- Know-how in the evaluation of artifacts
- Access to threat intelligence feeds and other sources
To be continued ...
In the third and last episode you will find out how the story ends.