
RANSOMWARE INFECTION PROTECTION

MULTIPLE SIMULTANEOUS LOGIN

UNAUTHORIZED DOMAIN ADMIN ACCESS

MALWARE INFECTIONS

THE PLAYBOOK
Once the incident is identified, quarantine the affected device and perform the
mitigation actions aligned with the organization's best practices. In response to an
alert about suspected malware, the following workflow kicks off.

1. Get the MD5 and name of the suspect file and send them to a known-malware
database (such as VirusTotal). Match on the hash, not the file name: a name is trivial
to change, and because MD5 collisions are cheap, record a SHA-256 alongside the MD5
where the tooling allows it.
   a. If the MD5 matches known malware, jump to step 3.

2. Get the file and send it to a sandbox for analysis.
   a. If the sandbox confirms that the file can communicate laterally or externally,
   continue with step 2c.
   b. Otherwise, jump to step 3.
   c. Move the computer to an isolated VLAN.
   d. Tell the end user that the computer is infected and under investigation.
   e. Search a reputation database for the destination IP. If the destination IP is a
   known malware or threat source, update the ACL to block any future connections to
   that destination.

3. Scan all computers on the network (including the isolated one) for the file and
process from step 2.

4. Search the SIEM (or the end systems, if no SIEM is available) for other hosts that
may have contacted or communicated with the threat source identified in step 2e.

5. If additional computers are found with the file, perform steps 2c and 2d for each
infected computer.

6. Update the antivirus block list with the file name and MD5 to block future
attacks.

7. Add the destination IP identified in step 2e to the monitor list, in case dormant
malware wakes up and affects additional systems later.

8. Kill the malware process matched in step 3 as part of the remediation actions.

9. Delete the files matched in step 3 as part of the remediation actions.

10. Make sure that no new connections to the destination IP are established from the
isolated computers in the quarantine VLAN.
   a. If no new connection started after step 8, return the computer to the
   organization's network and tell the users they can resume normal work.
   b. If a new connection started:
      1. From a computer in the isolated VLAN: identify the process that opened the
      connection, kill it, and return to step 10.
      2. From a computer not in the isolated VLAN: move that computer to the isolated
      VLAN and jump back to step 8.

11. Search the SIEM (or end systems, if no SIEM is available) for the first match of
the file name and log it as the likely source for reporting and documentation.

12. Create a list of users whose systems were affected by the malware in step 3.

13. Create the report, containing:
   - Malware file name.
   - Malware MD5.
   - Malware starting process.
   - Actions taken (steps 2c-2e, 6-9).
   - List of infected computers (steps 3, 5).
   - End communication (step 2e, if it exists).
   - List of all users infected by the malware (step 12).

Playbook summary:
   - Report: as identified in step 13.
   - Verification: steps 1-4.
   - Human in the loop gathering information: steps 1-5, 11-12.
   - Actions: steps 2c-2e, 6-9.
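The data-gathering steps of the playbook (1, 3, 4, 11, 12) and the report of step 13, as an added example in Python. This is not code from the page; the suspect file bytes, the file name, the "known malware" table standing in for VirusTotal, the threat IP and the SIEM-style events are all constructed for the example. The reputation match is done on the hash only, and a SHA-256 is recorded next to the MD5 the playbook asks for.

```python
import hashlib

# --- Constructed sample data for this example (not from the playbook) ---
SUSPECT_FILE = b"MZ\x90\x00\x03 constructed fake dropper for the example"
SUSPECT_NAME = "update_helper.exe"            # hypothetical file name
THREAT_IP = "203.0.113.7"                     # hypothetical step 2e destination (TEST-NET)


def hash_file(data):
    """Step 1: MD5 is what the playbook asks for; SHA-256 is added because
    MD5 collisions are cheap, so two different files can share an MD5."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


SUSPECT_MD5, SUSPECT_SHA256 = hash_file(SUSPECT_FILE)

# Stand-in for the reputation lookup (VirusTotal in the playbook): md5 -> family.
KNOWN_MALWARE = {SUSPECT_MD5: "Trojan.Example"}   # hypothetical family name

# Constructed SIEM-style events: host, user, process, file hash seen, destination.
SIEM_EVENTS = [
    {"ts": "2023-01-10T08:55:00", "host": "WS-017", "user": "alice",
     "process": "update_helper.exe", "md5": SUSPECT_MD5, "dst": THREAT_IP},
    {"ts": "2023-01-10T09:10:00", "host": "WS-042", "user": "bob",
     "process": "update_helper.exe", "md5": SUSPECT_MD5, "dst": "10.0.0.5"},
    {"ts": "2023-01-10T09:20:00", "host": "SRV-03", "user": "svc_db",
     "process": "sqlservr.exe", "md5": None, "dst": THREAT_IP},
    {"ts": "2023-01-10T09:30:00", "host": "WS-101", "user": "carol",
     "process": "outlook.exe", "md5": None, "dst": "198.51.100.20"},
]


def reputation(md5, db=KNOWN_MALWARE):
    """Step 1a: known-malware check by hash; a file name alone is not evidence."""
    return db.get(md5)


def hosts_with_file(events, md5):
    """Step 3: every host on which the same hash was seen, the isolated one included."""
    return sorted({e["host"] for e in events if e["md5"] == md5})


def hosts_contacting(events, ip):
    """Step 4: hosts that talked to the threat source identified in step 2e."""
    return sorted({e["host"] for e in events if e["dst"] == ip})


def first_sighting(events, md5):
    """Step 11: the earliest event carrying the hash, logged as the likely source."""
    hits = [e for e in events if e["md5"] == md5]
    return min(hits, key=lambda e: e["ts"]) if hits else None   # ISO timestamps sort as text


def affected_users(events, hosts):
    """Step 12: users whose systems appear in the infected-host list."""
    return sorted({e["user"] for e in events if e["host"] in hosts})


def build_report(events, name, md5, sha256, threat_ip):
    """Step 13: the report fields the playbook lists, plus the step 4 host list."""
    infected = hosts_with_file(events, md5)
    first = first_sighting(events, md5)
    return {
        "malware_file_name": name,
        "malware_md5": md5,
        "malware_sha256": sha256,
        "malware_family": reputation(md5),
        "malware_starting_process": first["process"] if first else None,
        "first_seen": first["ts"] if first else None,                    # step 11
        "end_communication": threat_ip,                                  # step 2e
        "infected_hosts": infected,                                      # steps 3, 5
        "hosts_contacting_threat": hosts_contacting(events, threat_ip),  # step 4
        "affected_users": affected_users(events, infected),              # step 12
        "actions_taken": ["2c isolate", "2d notify user", "2e block ACL",
                          "6 AV blocklist", "7 monitor IP", "8 kill process",
                          "9 delete file"],
    }


if __name__ == "__main__":
    report = build_report(SIEM_EVENTS, SUSPECT_NAME, SUSPECT_MD5, SUSPECT_SHA256, THREAT_IP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Note that SRV-03 shows up only in hosts_contacting_threat: it talked to the threat IP but the file hash was never seen on it, which is exactly the case step 4 exists to surface for a human to investigate before it is added to the infected list.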
Examples of IOA / use cases of Indicators of Attack
- Advanced Persistent Threats
- Remote Command Execution
- DNS Tunneling
- Fast Flux DNS
- Beaconing Attempt
- Port Scanning
- Communication to Command and Control
- Remote Code Execution
- CnC Heartbeat Detection
- Watering Hole Attack
- Data Exfiltration

Examples of IOC / use cases of Indicators of Compromise

- Abnormal network traffic
- Unique traffic to some domain
- Abnormal privileged user account activity
- Login deviation
- Abnormal number of read requests in a database
- Suspicious registry or system file changes
- Suspicious DNS requests and web traffic showing non-human behavior
- Internal system continuously requesting malicious domains
- Internal machine or IP communicating with external domains or hosts on non-standard ports
- Internal host flagged by a distinct threat indicator (policies)
- Land-speed violation (an account logging in from two locations farther apart than it could have travelled in the time between)
- Abnormal spike in user behavior
- Abnormal traffic to uncategorized proxy events
- Volumetric traffic anomaly (network flow)
- Spike in anomalous connections (internal or external)
- Rare behavior: non-legitimate website accessed
- Abnormal volume of packets transferred
10 Indicators of Attack (IoAs)
The following common attack activities can be used, individually or in combination,
to diagnose an active attack:

1) Internal hosts with bad destinations

Internal hosts communicating with known bad destinations, or with a foreign country
where you do not conduct business.

Example of an HP ArcSight dashboard showing client hosts communicating with feeds
(IP, domain, URL) from the "ransomwaretracker.abuse.ch" website.

[Ransomware Hunter is available as a free package included at HPE Protect724 from
SOC Prime]

Example of Global Threat Intelligence from McAfee

2) Internal hosts with non-standard ports

Internal hosts communicating with external hosts on non-standard ports, or with
protocol/port mismatches, such as carrying a command shell (SSH) rather than HTTP or
HTTPS over ports 80 and 443, the default web ports.

Example of an internal host using 21 (FTP), 445 (SMB), 137 (NetBIOS-NS) or 135 (RPC)
to the Internet

3) Public servers/DMZ to internal hosts

Public-facing servers or demilitarized zone (DMZ) hosts communicating with internal
hosts. This allows leapfrogging from the outside to the inside and back, permitting
data exfiltration and remote access to assets over RDP (Remote Desktop Protocol),
Radmin or SSH.

Example of a report that monitors the top 10 traffic flows from the "DMZ" zone to the
"Internal/Client" zone.

From this report, the security analyst should investigate the highlighted servers
that communicate with internal hosts via RDP (TCP/3389) and SSH (TCP/22).

4) Off-hour malware detection

Alerts that occur outside standard business operating hours (at night or on weekends)
could signal a compromised host.

Example of IPS alerts during non-working time (a holiday)

5) Network scans by internal hosts

Network scans by internal hosts, i.e. one host communicating with many hosts in a
short time frame, which could reveal an attacker moving laterally within the network.

These incidents are detected by perimeter network defenses such as the firewall and
IPS. Filter on zone/interface from "Internal" to "Internal" only; later, extend the
filter to "Internal" to "DMZ" as well. The source may be an insider threat or a
compromised host that needs more information about your network (reconnaissance).

Example of a network scans report filtered from the "Internal" to the "Internal" zone

6) Multiple alarm events from a single host

Multiple alarm events from a single host, or duplicate events across multiple
machines in the same subnet over a 24-hour period, such as repeated authentication
failures. THIS IS A COMMON USE CASE.

Example dashboard monitoring "User Login Failures" from a single host

Note: failed-login events from e-mail applications on mobile phones can generate more
than 500 events per minute. I found this case when a user account's password had
expired but the user had not updated it on their device. Check how many distinct
accounts are failing from the host before escalating: one account from one device
points to a stale credential, many accounts from one host points to password guessing.
7) The system is reinfected with malware

After an infected host is cleaned, it is reinfected with malware within 5-10 minutes;
repeated reinfections signal a rootkit or other persistent compromise. This incident
can be detected from endpoint protection or antivirus events.

This is an example malware dashboard.

Detection: create at least three rules on the SIEM, as follows:

1. When an infected host is found, add it to the Current Infected Hosts list and to
the Historical Infected Hosts list (retain for at least one week).
2. When malware is cleaned from an infected host, remove it from the Current Infected
Hosts list.
3. When an infected host is found that is already on the Historical Infected Hosts
list within the specified time range, alert: THAT SYSTEM SHOULD BE SCANNED AND
INVESTIGATED FOR MALWARE AGAIN.
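The three list-based rules above as a small stateful tracker, added here as an example and not code from the page or from any SIEM product. The retention period (one week, as the text says), the reinfection window of one day, the host names and the event sequence are assumptions made for the example.

```python
from datetime import datetime, timedelta


class ReinfectionTracker:
    """Rules 1-3 over endpoint/AV events (constructed for this example).
    current: hosts with an open infection.
    history: hosts infected within the retention period (one week in the text)."""

    def __init__(self, retention=timedelta(days=7), reinfect_window=timedelta(days=1)):
        self.retention = retention              # how long history entries are kept
        self.reinfect_window = reinfect_window  # rule 3 "specific time range"
        self.current = {}   # host -> time of the latest infection event
        self.history = {}   # host -> time of the latest infection event
        self.alerts = []

    def _expire(self, now):
        # Rule 1's "store at least 1 week": drop history older than the retention.
        for host, seen in list(self.history.items()):
            if now - seen > self.retention:
                del self.history[host]

    def process(self, ts, host, action):
        """action is 'infected' or 'cleaned'. Returns the alert raised, or None."""
        now = datetime.fromisoformat(ts)
        self._expire(now)
        if action == "infected":
            if host in self.history and now - self.history[host] <= self.reinfect_window:
                # Rule 3: seen again inside the window -> rescan and investigate.
                alert = f"REINFECTED {host}: rescan and investigate for persistence"
            elif host in self.current:
                alert = f"STILL-INFECTED {host}: previous infection never cleaned"
            else:
                alert = f"INFECTED {host}"
            # Rule 1: add to both lists.
            self.current[host] = now
            self.history[host] = now
            self.alerts.append(alert)
            return alert
        if action == "cleaned":
            # Rule 2: remove from the current list only; history keeps the record.
            self.current.pop(host, None)
            return None
        raise ValueError(f"unknown action {action!r}")


# Constructed event sequence (not from the page): (timestamp, host, action).
EVENTS = [
    ("2023-01-10T10:00:00", "WS-01", "infected"),
    ("2023-01-10T10:03:00", "WS-01", "cleaned"),
    ("2023-01-10T10:08:00", "WS-01", "infected"),   # back within 5 minutes -> rule 3
    ("2023-01-10T10:00:00", "WS-02", "infected"),
    ("2023-01-10T10:05:00", "WS-02", "cleaned"),
    ("2023-01-19T10:05:00", "WS-02", "infected"),   # 9 days later: history expired
]


def run(events):
    """Feed the events through one tracker; returns (tracker, per-event results)."""
    tracker = ReinfectionTracker()
    results = [tracker.process(*event) for event in events]
    return tracker, results


if __name__ == "__main__":
    _, results = run(EVENTS)
    for event, result in zip(EVENTS, results):
        print(event, "->", result)
```

The 9-day gap for WS-02 is the point of the retention period: a second infection that far apart is treated as a new incident, while WS-01 coming back five minutes after cleaning is flagged for a rescan.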
8) Multiple logins from different regions

A user account trying to log in to multiple resources within a few minutes from
different regions. This is a sign that the user's credentials have been stolen or that
the user is up to mischief.

Example of a correlation rule; the ideal solution varies with your network conditions
and security policy.

This rule matches events in the "Login" normalization category with an Event Outcome
of "Success" and multiple source geo-locations within a specified time range, grouped
by source user.
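The two authentication-log correlations from IoA 6 (repeated login failures from one host in a 24-hour window) and IoA 8 (successful logins for one user from more than one geo-location in a short window), as an added example that is not code from the page or from ArcSight. The event tuples, the hosts, users and country codes, the 5-failure threshold and the 30-minute window are all constructed assumptions; a real rule would take the thresholds from policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not from the page):
# (timestamp, source host, user, outcome, source geo-location).
AUTH_EVENTS = [
    ("2023-01-10T08:00:00", "10.0.5.21", "bob",   "Failure", "TH"),
    ("2023-01-10T08:00:05", "10.0.5.21", "bob",   "Failure", "TH"),
    ("2023-01-10T08:00:10", "10.0.5.21", "bob",   "Failure", "TH"),
    ("2023-01-10T08:00:15", "10.0.5.21", "bob",   "Failure", "TH"),
    ("2023-01-10T08:00:20", "10.0.5.21", "bob",   "Failure", "TH"),
    ("2023-01-10T09:00:00", "10.0.7.3",  "alice", "Success", "TH"),
    ("2023-01-10T09:08:00", "10.0.7.3",  "alice", "Success", "US"),
    ("2023-01-10T09:00:00", "10.0.7.4",  "carol", "Success", "TH"),
    ("2023-01-10T15:00:00", "10.0.7.4",  "carol", "Success", "TH"),
    ("2023-01-11T09:30:00", "10.0.5.21", "bob",   "Failure", "TH"),  # outside the 24h window
]


def _ts(s):
    return datetime.fromisoformat(s)


def failure_bursts(events, threshold=5, window=timedelta(hours=24)):
    """IoA 6: a source host producing >= threshold login failures inside a sliding
    window. Returns {host: (max failures in one window, distinct users seen)} so the
    analyst can tell one stale credential on one device (the mobile-mail case in the
    note above) from password guessing against many accounts."""
    per_host = defaultdict(list)
    users = defaultdict(set)
    for ts, host, user, outcome, _geo in events:
        if outcome == "Failure":
            per_host[host].append(_ts(ts))
            users[host].add(user)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                previous = alerts.get(host, (0, []))[0]
                alerts[host] = (max(previous, count), sorted(users[host]))
    return alerts


def multi_region_logins(events, window=timedelta(minutes=30)):
    """IoA 8: successful logins for one user from more than one geo-location inside
    the window (category Login, outcome Success, grouped by source user)."""
    per_user = defaultdict(list)
    for ts, _host, user, outcome, geo in events:
        if outcome == "Success":
            per_user[user].append((_ts(ts), geo))
    alerts = {}
    for user, logins in per_user.items():
        logins.sort()
        for i, (t0, _geo0) in enumerate(logins):
            geos = {g for t, g in logins[i:] if t - t0 <= window}
            if len(geos) > 1:
                alerts[user] = sorted(geos)
                break
    return alerts


if __name__ == "__main__":
    print("failure bursts:", failure_bursts(AUTH_EVENTS))
    print("multi-region logins:", multi_region_logins(AUTH_EVENTS))
```

For alice the rule fires because TH and US appear within eight minutes of each other; carol logs in twice from the same country and stays quiet. Bob's burst from 10.0.5.21 fires, and the single distinct user in the result is the hint that this may be an expired password on a device rather than an attack.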

9) Internal hosts using SMTP heavily

E-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 and IMAP4 should
be monitored. Some malware uses these ports to send information to a suspicious or
attacker-controlled server. The simplest filter is outbound SMTP (TCP/25) from any
host other than the organization's mail servers.

Example of an infected client using SMTP (TCP/25)

10) Internal hosts sending many queries to external/internal DNS

Many organizations run internal DNS servers that cache records and serve DNS to
internal hosts, and DHCP hands out the internal DNS server as the primary resolver. If
you find internal hosts querying external DNS servers such as 8.8.8.8 or 8.8.4.4
(Google DNS) directly, scan those clients for malware.
Some incidents have been found where an internal host sent a very large number of
requests to the internal DNS server (more than 1,000 events per hour).
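The flow-based indicators from this list (IoA 1 bad destinations, IoA 2 non-standard ports and protocol/port mismatch, IoA 3 DMZ to internal on admin ports, IoA 4 off-hours tagging, IoA 5 internal scans, IoA 9 client SMTP and IoA 10 external DNS) run over firewall-style flow records in one place, as an added example that is not code from the page or from any SIEM. The zone ranges, the internal resolver and mail server addresses, the "threat feed" set, the business-hours definition, the scan threshold and the flow records themselves are all constructed assumptions for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed zone definitions, server roles and threat feed (not from the page).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
DMZ = [ipaddress.ip_network("172.16.10.0/24")]
INTERNAL_DNS = {"10.0.0.53"}             # the resolver DHCP hands out
MAIL_SERVERS = {"10.0.0.25"}             # the only hosts expected to speak SMTP outbound
BAD_DESTINATIONS = {"203.0.113.66"}      # stands in for an abuse.ch-style feed
WEB_PORTS = {80, 443}
SENSITIVE_OUTBOUND_PORTS = {21, 445, 137, 135}   # FTP, SMB, NetBIOS-NS, RPC
ADMIN_PORTS = {22, 3389}                         # SSH, RDP


def zone(ip):
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in DMZ):
        return "dmz"
    if any(addr in n for n in INTERNAL):
        return "internal"
    return "external"


def off_hours(t, holidays=frozenset()):
    """IoA 4: true outside Mon-Fri 08:00-18:00 or on a listed holiday (date objects)."""
    return t.weekday() >= 5 or not 8 <= t.hour < 18 or t.date() in holidays


def evaluate(flows, scan_threshold=10, scan_window=timedelta(minutes=5)):
    """Run the flow-based IoA checks. Each alert is (rule, source, detail, off_hours)."""
    alerts = []
    fanout = defaultdict(list)   # IoA 5: internal source -> [(time, internal dest)]
    for ts, src, dst, dport, app in flows:
        t = datetime.fromisoformat(ts)
        sz, dz = zone(src), zone(dst)
        if dst in BAD_DESTINATIONS:                                   # IoA 1
            alerts.append(("IoA1-bad-destination", src, dst, off_hours(t)))
        if sz == "internal" and dz == "external":
            if dport in SENSITIVE_OUTBOUND_PORTS:                     # IoA 2
                alerts.append(("IoA2-sensitive-port", src, f"{dst}:{dport}", off_hours(t)))
            if app == "ssh" and dport in WEB_PORTS:                   # IoA 2, mismatch
                alerts.append(("IoA2-port-mismatch", src, f"ssh on tcp/{dport}", off_hours(t)))
            if dport == 25 and src not in MAIL_SERVERS:               # IoA 9
                alerts.append(("IoA9-client-smtp", src, dst, off_hours(t)))
            if dport == 53 and src not in INTERNAL_DNS:               # IoA 10
                alerts.append(("IoA10-external-dns", src, dst, off_hours(t)))
        if sz == "dmz" and dz == "internal" and dport in ADMIN_PORTS: # IoA 3
            alerts.append(("IoA3-dmz-to-internal-admin", src, f"{dst}:{dport}", off_hours(t)))
        if sz == "internal" and dz == "internal":
            fanout[src].append((t, dst))
    for src, hits in fanout.items():                                  # IoA 5
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= scan_window}
            if len(targets) >= scan_threshold:
                alerts.append(("IoA5-internal-scan", src,
                               f"{len(targets)} hosts in {scan_window}", off_hours(t0)))
                break
    return alerts


# Constructed flow records (not from the page): (timestamp, src, dst, dst_port, app).
# 2023-01-10 is a Tuesday; the 02:xx flows fall outside business hours.
FLOWS = [
    ("2023-01-10T02:15:00", "10.0.1.5",    "203.0.113.66",  443,  "https"),
    ("2023-01-10T10:30:00", "10.0.1.6",    "198.51.100.9",  445,  "smb"),
    ("2023-01-10T10:31:00", "10.0.1.7",    "198.51.100.10", 443,  "ssh"),
    ("2023-01-10T10:32:00", "172.16.10.4", "10.0.2.8",      3389, "rdp"),
    ("2023-01-10T10:33:00", "10.0.1.8",    "198.51.100.11", 25,   "smtp"),
    ("2023-01-10T10:34:00", "10.0.0.25",   "198.51.100.12", 25,   "smtp"),  # real mail server
    ("2023-01-10T10:35:00", "10.0.1.9",    "8.8.8.8",       53,   "dns"),
    ("2023-01-10T10:36:00", "10.0.1.9",    "10.0.0.53",     53,   "dns"),   # expected resolver
] + [("2023-01-10T02:00:%02d" % i, "10.0.1.20", f"10.0.3.{i + 1}", 445, "smb")
     for i in range(10)]   # one host touching ten neighbours in ten seconds


if __name__ == "__main__":
    for alert in evaluate(FLOWS):
        print(alert)
```

The off-hours flag is attached to every alert rather than being a rule of its own, which is how IoA 4 is actually used: it raises the priority of whatever else fired. The mail server's own SMTP and the client's query to the internal resolver produce nothing, which is the allow-listing a practitioner needs before these rules are quiet enough to page on.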
