During security incidents caused by malware infections, it is necessary to act fast, identify the malware behavior and take action. However, analyzing malware may take time, especially considering that antiviruses cannot detect new, well-crafted malware.
To quickly analyze a suspicious file, identify whether it is malware or not and understand its behavior, the following quick actions can be taken
New research by GData Software researchers identified a C&C server for a botnet hidden in the Tor network.
Their blog post is excellent: they describe the 2 C&C traffic media currently used by botnets and the new medium using Tor. I highly recommend reading it and establishing an approach to detect and stop such traffic.
Always remember that because you are responsible for the evidence, you have to show "chain of custody" by following proper procedure and protecting the integrity of the evidence all the way to its disposition.
Remote offices of company "X" in another GCC state "H" got infected.
Service provider "A" managing the remote office became infected.
The same service provider "A", managing a few of GCC state "H" government entities, became infected and then infected other government entities.
Of course it will be a chain of infections and network shutdowns.
It seems crazy, but think about it as if you were another state that has serious issues with the GCC and already has the technology, the skills and the code. If you can do it 2 times, you will hardly be stopped.
Answer: It is RasGas in Qatar that has experienced the virus outbreak; its computer network has been taken offline for 3 days, so far, by an unknown virus. But let me guess: it could be Shamoon or one of its cousins.
Aramco in KSA, RasGas in Qatar, will the UAE be next? Especially with remote offices around the GCC?
Making Life Difficult for Malware is a presentation by Jarno Niemelä from F-Secure; it is very practical and I highly recommend it.
Jarno listed recommendations based on research into the behavior data of ~750000 known malware samples. Most of the recommendations cost zero dollars and can be implemented easily by any type of organization using minimal resources.
Shamoon is striking in the Middle East, attacking oil and gas companies: one Saudi company was the first, others are most probably in the queue, and there is potential for other types of organizations to be attacked; it is a matter of time.
Short Term (The foundation): For IT employees
All must be non-administrators.
Use a Remote Access Server between the IT network and the servers at the Data Center.
Always use "run as administrator" and stop logging in as administrator for day-to-day support, operations or tasks.
Reset all admin passwords for servers, applications, databases, network and security devices.
Never use default passwords or the top worst passwords.
No shared accounts or passwords.
For non-IT employees and desktops/laptops
Reduce the user privileges of anyone who has administrator access.
Block removable storage if no device control is in place.
If device control is in place, block all executable files.
Proxy or content filtering
Block the download of executable files, inf, bin, dll, conf and config.
Block access to networks related to botnets, C&C and suspicious web servers.
Use VLANs to segregate the network based on floor, department or business unit.
Implement a separate, isolated IT management network. The same applies to mission-critical infrastructure.
Remote users using VPN
Allow remote users to access only certain resources; stop IP Any Any rules.
Only allow remote offices to access the resources they need; stop IP Any Any rules.
Install any open source log collection tool.
Establish daily monitoring and analysis of security logs.
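The two VPN items above both say to stop "IP Any Any" rules. As an added example that is not from the original post, the following Python script audits a rule set for allow rules that grant any source to any destination, or every port to a broad destination. The plain-text rule format, the field names and the sample rules are assumptions constructed for the illustration, not any vendor's syntax; a real audit would read the export format of the firewall or VPN concentrator in use.

```python
"""Audit firewall / VPN access rules for over-permissive "any any" entries.

Added example, not from the original post. The rule format, field names and
the sample rules below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    port: str     # port number or "any"


def _is_any(value: str) -> bool:
    """True when a field grants everything: 'any', '0.0.0.0/0' or '::/0'."""
    v = value.strip().lower()
    if v == "any":
        return True
    try:
        net = ipaddress.ip_network(v, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def _is_broad(value: str, max_hosts: int = 256) -> bool:
    """True when a CIDR covers more than max_hosts addresses (e.g. a /16)."""
    if _is_any(value):
        return True
    try:
        net = ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return False
    return net.num_addresses > max_hosts


def audit_rules(rules):
    """Return (rule name, finding) for every allow rule that is too permissive."""
    findings = []
    for r in rules:
        if r.action.lower() != "allow":
            continue  # deny rules are never "too permissive"
        if _is_any(r.src) and _is_any(r.dst):
            findings.append((r.name, "IP any-any: allows any source to any destination"))
        elif _is_any(r.dst) and _is_any(r.port):
            findings.append((r.name, "any destination on any port: restrict to the resources needed"))
        elif _is_broad(r.dst) and _is_any(r.port):
            findings.append((r.name, f"broad destination {r.dst} with all ports open"))
    return findings


def parse_rules(text):
    """Parse constructed 'name action src dst proto port' lines; skip comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"malformed rule line: {line!r}")
        rules.append(Rule(*parts))
    return rules


# Constructed sample rule set (hypothetical; not real infrastructure).
SAMPLE_RULES = """
# name          action  src             dst               proto  port
vpn-legacy      allow   any             any               any    any
branch-h-all    allow   10.50.0.0/16    10.0.0.0/8        any    any
branch-h-mail   allow   10.50.0.0/16    10.1.2.10/32      tcp    443
it-jump-rdp     allow   10.9.9.0/24     10.1.0.5/32       tcp    3389
default-deny    deny    any             any               any    any
"""

if __name__ == "__main__":
    for name, why in audit_rules(parse_rules(SAMPLE_RULES)):
        print(f"{name}: {why}")
```

Run against the sample set, the script flags the legacy VPN rule (any to any) and the branch rule that opens a whole /8 on every port, while the two rules scoped to a single host and port pass. The 256-host threshold in `_is_broad` is a starting point to tune, not a standard.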
Long term (must be business risk based)
Implement a SIEM solution.
Implement a device control solution.
Implement a two-factor authentication solution for servers, network devices and critical infrastructure.
Implement a network monitoring and forensics solution.
Implement a malware network analysis solution.
Establish a process to analyze, identify and detect attacks, integrated into a security incident process; the NIST computer security incident handling guide can be used.
Establish a Cyber Security Intelligence framework.
Time is ticking; they are advanced and use unique techniques, but you can make their attacks fail if proper security controls are in place.
Stuxnet, Gauss, Flamer, other malicious code and unknown malware are attacking organizations of all types, some we know about and some we do not. But who is the next organization?
Today, where threats are more advanced and ahead of protection technologies and methodologies, each organization has to build some kind of Cyber Security Intelligence capability to stop, or at least detect (in near real time), advanced threats attacking the organization.
To build effective Cyber Security Intelligence, organizations must first have a working risk management process, and once Cyber Security Intelligence is established it must be integrated into the risk management process.
Risk management will help identify the Cyber Security Intelligence framework that can meet your organization's business requirements and protect valuable assets.
So what can a Cyber Security Intelligence framework consist of? The following lists the components of the framework; it is not a full list but can be used as a starting point:
security monitoring, alerting and reporting infrastructure.
a security analysis procedure.
a non-published cyber security information procedure.
The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test. http://sourceforge.net/projects/samurai/
Free Computer Science courses with Khan Academy
Khan Academy is a free online learning resource with more than 3000 educational videos. Everyone is welcome to join any course or lesson on the site.
Improve your web application pen-test skills using a free, open source web application provided to allow security enthusiasts to pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP and Windows 7 using XAMPP, making it easy for users who do not want to administer a web server. It is already installed on Samurai WTF and Rapid7 Metasploitable-2 http://sourceforge.net/projects/mutillidae/
Have you ever thought about doing external penetration testing but had no budget available?
I suggest the following free online tools to determine how good your organization's security is. These online tools give you a basic assessment; you still need to do in-depth penetration testing to make sure no security weaknesses can allow hackers into your network.
As an incident responder, you have to know how to conduct memory forensics.
All over the internet you can find many excellent articles; here I will list these articles to help new incident responders understand and build memory forensics skills using the Volatility tool.
In the IT field everyone is busy and forgets about checking IT infrastructure security; by spending almost one hour daily, IT or security administrators will be able to prevent intrusions, or at least detect them before it is too late.
All you need is to have reports generated from the security tools in place, for example antivirus, proxy, content filter, intrusion prevention systems, etc. What about firewalls? If no log and reporting tool is in place, Splunk (freeware) or OSSIM (open source) can be used to generate the required reports.
In addition to reports, you have to subscribe to one or more security alerts and newsletters.
So how can we spend that hour daily? Simply, the following can be done:
Based on antivirus reports
Review the top 5 infected computers
Review the top 5 virus infections
Based on IPS/IDS reports
Review the IPS/IDS report top 5 sources of attacks
Review the IPS/IDS report top 5 targets of attacks
Based on proxy or content filtering reports
Review the top 5 visited web sites
Review web links visited during non-working hours or during weekends
Review suspicious web links.
Based on firewall ports
Review the top 5 blocked ports
Review the top 5 blocked internal IP addresses
Review accessed external ports (UDP/TCP)
Search pastebin.com for posted information about your entity
Search zone-h.org for unknown web defacements that happened to your web server
Review security newsletters and alerts
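As an added example, not from the original post, the following Python script runs the daily review above over constructed antivirus, IPS/IDS, proxy and firewall log lines: the top-5 counts each report asks for, web links visited outside working hours or at weekends, downloads of the file types the earlier hardening list says to block at the proxy, and the external ports actually used. The key=value log format, the working-hours window and every sample line are assumptions made up for the illustration; real tools export different formats, so only parse_kv_log would need adapting.

```python
"""Daily one-hour security review, scripted.

Added example, not from the original post. The log format below is constructed
(not any vendor's real format) and all sample lines are made up.
"""
from collections import Counter
from datetime import datetime

# --- constructed sample logs (2012-08-20 is a Monday, 2012-08-18 a Saturday) ---
AV_LOG = """\
2012-08-20 09:14:02 host=PC-017 threat=Trojan.Gen action=quarantined
2012-08-20 09:20:11 host=PC-017 threat=Trojan.Gen action=quarantined
2012-08-20 10:02:45 host=PC-042 threat=Worm.AutoRun action=deleted
2012-08-20 10:40:09 host=PC-017 threat=Worm.AutoRun action=failed
2012-08-20 11:15:30 host=SRV-FILE1 threat=Trojan.Gen action=quarantined
"""
IDS_LOG = """\
2012-08-20 08:01:00 src=198.51.100.7 dst=10.1.2.10 sig=SQL-injection-attempt
2012-08-20 08:03:12 src=198.51.100.7 dst=10.1.2.10 sig=SQL-injection-attempt
2012-08-20 12:30:00 src=203.0.113.5 dst=10.1.2.11 sig=SSH-brute-force
2012-08-20 13:00:00 src=198.51.100.7 dst=10.1.2.12 sig=Web-scanner
"""
PROXY_LOG = """\
2012-08-20 09:00:05 user=alice url=http://intranet.example/home
2012-08-20 23:45:10 user=bob url=http://203.0.113.9/update.exe
2012-08-20 14:10:00 user=carol url=http://intranet.example/home
2012-08-18 02:12:33 user=bob url=http://203.0.113.9/a.bin
2012-08-20 15:00:00 user=dave url=http://news.example/
"""
FW_LOG = """\
2012-08-20 09:00:00 action=block src=10.2.3.4 dst=203.0.113.20 proto=tcp dport=445
2012-08-20 09:00:05 action=block src=10.2.3.4 dst=203.0.113.21 proto=tcp dport=445
2012-08-20 09:01:00 action=block src=10.2.3.9 dst=203.0.113.22 proto=udp dport=53
2012-08-20 09:02:00 action=allow src=10.2.3.4 dst=198.51.100.9 proto=tcp dport=8080
"""


def parse_kv_log(text):
    """Turn 'YYYY-MM-DD HH:MM:SS key=value ...' lines into dicts with a 'ts' datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        rec = {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")}
        for f in fields:
            k, _, v = f.partition("=")
            rec[k] = v
        records.append(rec)
    return records


def top_n(records, field, n=5):
    """Most frequent values of a field, as (value, count) pairs."""
    return Counter(r[field] for r in records if field in r).most_common(n)


def after_hours(records, start=8, end=18, workdays=(0, 1, 2, 3, 4)):
    """Records outside the start..end hour window or on a non-workday (assumed window)."""
    return [r for r in records
            if r["ts"].weekday() not in workdays or not (start <= r["ts"].hour < end)]


# File types the hardening list says to block at the proxy.
SUSPICIOUS_EXT = (".exe", ".bin", ".dll", ".inf", ".conf", ".config")


def suspicious_urls(records):
    """Proxy records whose URL ends in one of the blocked file types."""
    return [r for r in records if r["url"].lower().endswith(SUSPICIOUS_EXT)]


def daily_report():
    """Build every item of the daily checklist from the four logs."""
    av, ids = parse_kv_log(AV_LOG), parse_kv_log(IDS_LOG)
    proxy, fw = parse_kv_log(PROXY_LOG), parse_kv_log(FW_LOG)
    blocked = [r for r in fw if r["action"] == "block"]
    allowed = [r for r in fw if r["action"] == "allow"]
    return {
        "top_infected_hosts": top_n(av, "host"),
        "top_threats": top_n(av, "threat"),
        "top_attack_sources": top_n(ids, "src"),
        "top_attack_targets": top_n(ids, "dst"),
        "top_sites": top_n(proxy, "url"),
        "after_hours_urls": [r["url"] for r in after_hours(proxy)],
        "suspicious_urls": [r["url"] for r in suspicious_urls(proxy)],
        "top_blocked_ports": top_n(blocked, "dport"),
        "top_blocked_internal_ips": top_n(blocked, "src"),
        "external_ports_used": sorted({(r["proto"], r["dport"]) for r in allowed}),
    }


if __name__ == "__main__":
    for section, rows in daily_report().items():
        print(f"== {section}")
        for row in rows:
            print("  ", row)
```

On the sample data the same host tops the infection list three times (including one failed clean-up, worth a visit), one external address accounts for most IDS hits, and the two after-hours web requests are also the two executable downloads, which is exactly the overlap the proxy review is meant to surface.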
Soon I will add more details about what to look for and how to identify possible or potential intrusions or weaknesses.