When a crime has been committed, we know from watching countless television shows and movies to “not touch a thing” or not to “contaminate the scene.” And yet, when a cybercriminal has infiltrated a corporate network, IT administrators and even executives believe the only objective is to get the bad actor out of the perimeter. They forget in the heat of defending the network that they may actually be “trampling” on evidence or disposing of it completely. The logs and analyses they perform before eradicating malware may be invaluable for the future cyber-defenses of the company, the collective intelligence of the cybersecurity community, and perhaps even the courts.
It’s paramount for IT administrators to be methodical in building a base for a more in-depth forensic investigation of the crime.
In the Heat of the Moment
IT administrators instinctively swing into action to eradicate malware infections. Typically, immediately after discovery of the malware that has infected a network, a harried IT department staff member or junior cybersecurity professional wipes the servers and workstations. Job done, the company is saved.
In fact, most malware has existed on servers for months, if not years, before IT administrators discover the break-in. Information Security Magazine cites that hackers operate inside networks for an average of 200 days before discovery. So another day or two spent observing the malware, diagnosing its behavior, and documenting the findings in detail will be far more beneficial to the organization and the greater cybersecurity community than outright eradication of the infection.
Network administrators already know that 24/7 logs record individual commands and responses that pass through the network. Workstations also maintain logs, which may or may not be copied to a central storage facility. In any event, important evidence of the intrusion may be wiped away, possibly for good. The wholesale wipe could actually set back the organization’s cybersecurity defenses by months, if not years. Later, if the company is indeed aware of who committed the break-in, it may find it difficult to bring a case to court without forensic evidence to back it up. It may also delay the cybersecurity community’s attempt to map the ever-changing threat landscape.
Organizations of every size are well-advised to understand that the implications of a network infestation may actually be global. So, long before there is any hint of a cyberattack, businesses need to put in place long-term measures and policies that help them and cybersecurity professionals continually improve network defenses.
Measure Twice, Cut Once
Tailors have a saying that refers to the cloth they use to make garments for customers: “Measure Twice, Cut Once.” Without being exactly sure of a client’s measurements, they may create an unwearable suit of clothes and, worse, destroy a bolt of expensive fabric. Tailors know there is no recovering either their product or the cloth they used. IT departments need to think the same way about conducting cybersecurity cleanup: once they’ve eradicated malware from the network, there’s no returning to the scene of the crime to reconstruct the incident.
IT departments need to:
- Create an Incident Response Plan
- Find and Log Intrusion Behavior
- Document Document Document
- Contain the Contagion
- Conduct a Post-Mortem
Create an Incident Response Plan
The Incident Responder’s Field Guide suggests several elements in an IR Plan:
- Keep It Simple – create a well-segmented, clearly written Plan with every section easily accessible
- Detail Roles and Responsibilities – eliminate inevitable confusion of who is supposed to do what in the heat of discovery, defense, and eradication
- Eliminate Silos – include heads of non-technical departments to develop the Plan
- Provide Guidance on Incident Categories – not every incident is created equal: identify priorities
- Align the IR Plan with Corporate Objectives – the end of a cybersecurity exercise should dovetail with results that support the organization’s goals
- Practice simulated network attacks with relevant IT representatives and business line managers
Find and Log Intrusion Behavior
Hopefully, the IT department has completed the work on the Incident Response Plan before the organization comes under attack from hackers. Once the attack begins, the knee-jerk reaction for the uninitiated is to completely shut down the network. This is the worst thing companies can do, however, for several reasons:
- The hacker then knows cybersecurity is on to them
- Rolling operating environments back may delete the trail the malware took from point of entry until its discovery
- Defensive measures may actually not have destroyed the malware
Instead, IT admins will want to apply SIEM software to monitor and track the activities of the malware. Security Information and Event Management (SIEM) software combines and analyzes activity from many different resources across the enterprise network. It collects security data from network devices, servers, domain controllers, and more. Document the findings and interpretations of malware activity at every step of the analysis.
Document Document Document
It is not enough to keep the logs intact once the malware infestation has been discovered. Cybersecurity professionals need to do some analysis to establish a timeline that begins with when the malware was dropped into the network. Build the timeline with the network logs, looking for signatures as the payload released its malicious package. Then follow the path the virus took as it wound its way through routers and past servers and lay in wait on workstations.
It’s through thorough documentation that cyber sleuths will gain insights into the pathology of the infection, and hopefully discover the point of origin: was it a phishing email that an unwitting user opened during work hours; was it a home computer on which an employee was working on a company report, and which the employee’s kids also use to play games on malicious websites; or was it a mobile phone permitted under the organization’s BYOD (Bring-Your-Own-Device) program whose owner has administrative access to the corporate network?
Documentation is the only way to see and establish the patterns that will protect the network after the full shutdown and reinstallation of operating systems and software applications across the infection zone. Further, in the event the company knows who perpetrated the cybercrime, the documentation will be invaluable in helping bring the criminals to justice.
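The SIEM correlation described under “Find and Log Intrusion Behavior” and the timeline work described in this section both come down to the same first step: pulling events from sources that record time differently and putting them in one trustworthy order. The script below is an added example, not code from the original article or from any SIEM product. It takes constructed log lines from a mail gateway (syslog, no year), an endpoint agent (local time) and a web proxy (Unix epoch), converts every timestamp to UTC, sorts them, and then answers the questions the text asks: which event is the suspected point of origin, which hosts the infection touched and in what order, and how long it dwelt before discovery. The host names, users, addresses, site time zone (UTC-5) and syslog year (2023) are all assumptions made for the example.

```python
"""Unified incident timeline from logs that stamp time in different ways.

A mail gateway writes syslog lines with no year, an endpoint agent writes
local time, and a web proxy writes Unix epoch seconds. Every event is
converted to UTC before sorting so the cross-source order can be trusted.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions, constructed for this example: devices that log local time
# sit in a UTC-5 zone, and year-less syslog lines were written in 2023.
SITE_TZ = timezone(timedelta(hours=-5))
SYSLOG_YEAR = 2023

# Constructed sample log lines; hosts, users and addresses are fictitious.
MAIL_GATEWAY_LOG = [
    "Mar  1 07:40:03 mailgw01 delivered to=asmith from=news@example.com subject=Weekly update",
    "Mar  1 08:02:11 mailgw01 delivered to=jdoe from=billing@example.net attachment=invoice.docm",
]
ENDPOINT_LOG = [
    "2023-03-01 08:05:47 WS-JDOE process_create parent=WINWORD.EXE image=powershell.exe",
    "2023-03-02 02:15:09 SRV-FILE01 logon type=network user=jdoe src=10.0.5.23",
]
PROXY_LOG = [
    "1677676010.512 WS-JDOE CONNECT 203.0.113.7:443 bytes_out=48211",
]

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
ENDPOINT_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
PROXY_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<host>\S+) (?P<msg>.*)$")


@dataclass(order=True)
class Event:
    ts: datetime      # timezone-aware, always UTC; sorts first
    source: str
    host: str
    message: str


def _match(regex, line):
    m = regex.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    return m


def parse_syslog(line):
    m = _match(SYSLOG_RE, line)
    stamp = " ".join(m["ts"].split())          # collapse the "Mar  1" padding
    local = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return Event(local.replace(tzinfo=SITE_TZ).astimezone(timezone.utc), "mailgw", m["host"], m["msg"])


def parse_endpoint(line):
    m = _match(ENDPOINT_RE, line)
    local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return Event(local.replace(tzinfo=SITE_TZ).astimezone(timezone.utc), "endpoint", m["host"], m["msg"])


def parse_proxy(line):
    m = _match(PROXY_RE, line)
    return Event(datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc), "proxy", m["host"], m["msg"])


SOURCES = [(MAIL_GATEWAY_LOG, parse_syslog), (ENDPOINT_LOG, parse_endpoint), (PROXY_LOG, parse_proxy)]


def build_timeline(sources=SOURCES):
    """Parse every line from every source and return the events in UTC order."""
    return sorted(parser(line) for lines, parser in sources for line in lines)


def first_event(timeline, needle):
    """Earliest event whose message mentions `needle` (a file name, user, host...)."""
    return next((e for e in timeline if needle in e.message), None)


def spread_path(timeline):
    """Hosts in the order they first appear: the route the infection took."""
    seen = []
    for e in timeline:
        if e.host not in seen:
            seen.append(e.host)
    return seen


def dwell_days(timeline, discovered_at):
    """Whole days between the first recorded event and discovery (ISO string or datetime)."""
    if isinstance(discovered_at, str):
        discovered_at = datetime.fromisoformat(discovered_at)
    return (discovered_at - timeline[0].ts).days


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(f"{e.ts.isoformat()}  {e.source:<8} {e.host:<10} {e.message}")
    origin = first_event(tl, "invoice.docm")
    print("suspected point of origin:", origin.ts.isoformat(), origin.message)
    print("spread path:", " -> ".join(spread_path(tl)))
    print("dwell days:", dwell_days(tl, "2023-09-17T13:00:00+00:00"))
```

The time-zone handling is the part worth copying: if the endpoint and proxy lines had been sorted as written, the proxy’s epoch value (UTC) would have landed hours away from the endpoint’s local-time line that actually precedes it by one minute, and the “PowerShell launched from Word, then outbound connection” sequence would have been lost. Keep the assumed offset and year in the documentation alongside the timeline.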
Contain the Contagion
But before IT administrators shut down the network and reinitialize systems, create a space on a virtual machine (VM) and copy the malware over to it. It’s the same kind of approach epidemiologists take when they’ve discovered a disease that has struck a community. They need the sample to compare against other strains of the virus, to see if there is already a cure, how quickly it may have already spread, and just how deadly it may be. They share their findings with others in the medical community to learn what they know and to have others work on understanding its origins and pathology. Malware, once snared, needs to be treated the same way.
The defenses of hundreds of antivirus programs rely on analyzing and publicizing the discovery. However, to help other companies root out strains of the malware from their networks and inoculate against future infection, the cybersecurity community needs access to the detailed documentation and a “live” sample of the malware.
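A sample that is going to be shared with the community, or produced in court, is only useful if its recipients can prove it is the same bytes that were taken off the infected machine. The script below is an added example, not code from the original article: it fingerprints a captured file (SHA-256, plus MD5 and SHA-1 because many feeds still index by them), records who collected it, from where and when, appends each later hand-off to a chain-of-custody list, bundles sample and manifest into one archive, and lets a recipient re-verify the hashes. The sample bytes, host path and analyst names are constructed placeholders; the bytes are not malware.

```python
"""Preserve a captured sample: hash it, record who handled it and when, and
bundle it with a manifest so anyone receiving it can check nothing changed."""
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone

# Constructed stand-in for a captured file. Not malware: just bytes that play
# the role of the sample so the example runs offline.
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed placeholder sample, not a real binary\n" * 8
SAMPLE_NAME = "sample_placeholder.bin"


def fingerprint(data: bytes) -> dict:
    """Size plus hashes. SHA-256 is the value to share and compare; MD5 and
    SHA-1 are kept only because older feeds and sandboxes index by them."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def make_custody_record(data: bytes, collected_from: str, collected_by: str, note: str = "") -> dict:
    """Manifest for a freshly collected sample: hashes and the first custody entry."""
    now = _now()
    return {
        "filename": SAMPLE_NAME,
        "hashes": fingerprint(data),
        "collected_from": collected_from,       # host and path the copy was taken from
        "collected_at_utc": now,
        "custody": [{"at_utc": now, "who": collected_by, "action": "collected", "note": note}],
    }


def add_custody_event(record: dict, who: str, action: str, note: str = "") -> dict:
    """Append a hand-off (analysis, transfer to a sandbox, release to a sharing group)."""
    record["custody"].append({"at_utc": _now(), "who": who, "action": action, "note": note})
    return record


def package_sample(data: bytes, record: dict) -> bytes:
    """Zip the sample next to its manifest so the two travel together."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(record["filename"], data)
        zf.writestr("manifest.json", json.dumps(record, indent=2))
    return buf.getvalue()


def verify_package(pkg: bytes) -> bool:
    """Recipient side: recompute every hash and compare with the manifest."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        record = json.loads(zf.read("manifest.json"))
        data = zf.read(record["filename"])
    return fingerprint(data) == record["hashes"]


if __name__ == "__main__":
    rec = make_custody_record(SAMPLE_BYTES, "WS-JDOE:C:/Users/jdoe/Downloads", "analyst1",
                              "copied from isolated VM snapshot")
    add_custody_event(rec, "analyst2", "transferred", "handed to malware analysis team")
    pkg = package_sample(SAMPLE_BYTES, rec)
    print(json.dumps(rec, indent=2))
    print("package verifies:", verify_package(pkg))
```

The standard-library ZipFile cannot encrypt, so when a sample is actually shared it should be placed in a password-protected archive (the community convention is the password “infected”) to keep mail gateways and endpoint antivirus from quarantining it in transit; the manifest and its SHA-256 are what the recipient compares against, whatever container is used.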
Conduct a Post-Mortem
After network administrators have reincarnated the network with fresh operating software and applications, it’s time to dissect the findings to date. IT leadership, cybersecurity professionals, and business unit leads need to walk through the timelines, mappings, and pathology of malware behavior. The objective of the meeting should be to come out with a plan to prevent the incident from occurring again. It’s also a good time to refine the Incident Response Plan.
Nowadays, like a multitude of crimes, network breaches are a daily occurrence. IT departments need to think like real-life detectives at the scene of a crime to best serve the enterprise, its staff, and the wider community of cybersecurity professionals dedicated to protecting society against malicious intent.