Sunday, March 25, 2012
Artifacts of Intrusion
As many of us in the network forensics/network traffic analysis field know, looking for the artifacts of infection/intrusion can often be much easier than catching the actual infection. Regardless of how one "latches on" to or otherwise becomes aware of an infected system, one should also take the time to perform due diligence in confirming that the system is indeed infected. Here are some points that can be helpful during this process:
1. Look for the infection vector. Was it web-based? Email-based? Some other means? Can information relating to the infection vector be used to harden the enterprise or otherwise improve the enterprise's security posture?
2. Check anti-virus or host-based IDS/IPS logs. Was the threat detected and remediated by either of those? Could there have been more than one threat, one or more of which was perhaps not caught by either of those?
3. Can a sample of the malicious code be isolated for analysis? Does analysis of the malicious code sample provide any information or intelligence (such as callbacks or other artifacts of intrusion) that can be fed back into the analysis process and/or used to harden the enterprise or otherwise improve the enterprise's security posture?
4. Look for the artifacts of intrusion in the network traffic data. Does the network traffic data provide evidence that the malicious code successfully infected the machine?
5. Based on the information gathered in steps 1-4, make an educated decision, rather than a happenstance decision, regarding remediation.
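As an added example (not the post author's code), the following Python ties steps 2 through 5 together: it correlates AV log events and proxy log lines for one host against callback hosts assumed to have come from analysis of an isolated sample, and turns the evidence into a remediation decision. The log lines, host names and indicator domains are all constructed for illustration.

```python
# Added triage helper (not the post author's code): correlate constructed AV
# and proxy log lines against assumed sandbox-derived callback indicators.
import re
from dataclasses import dataclass, field

# Constructed callback hosts, as step 3 would yield from analysing the sample.
CALLBACK_HOSTS = {"update-cdn.example.invalid", "stat.example.invalid"}
# Constructed AV log: "<time> <host> <action> <threat>"
AV_LOG = """\
2012-03-24T09:12:01 ws-0417 quarantined Trojan.Generic.A
2012-03-24T09:12:03 ws-0417 detected Trojan.Generic.B
2012-03-24T09:15:00 ws-0522 quarantined Trojan.Generic.A
"""
# Constructed proxy log: "<time> <src_host> <method> <url> <status>"
PROXY_LOG = """\
2012-03-24T09:13:10 ws-0417 GET http://update-cdn.example.invalid/gate.php 200
2012-03-24T09:13:40 ws-0417 GET http://www.example.org/ 200
2012-03-24T09:16:12 ws-0522 GET http://www.example.org/news 200
"""

@dataclass
class Verdict:
    host: str
    av_detected: list = field(default_factory=list)      # step 2: any AV hit
    av_unremediated: list = field(default_factory=list)  # step 2: hit not cleaned
    callbacks: list = field(default_factory=list)        # step 4: callback seen

    @property
    def decision(self) -> str:
        # Step 5: a successful callback or an uncleaned detection justifies
        # reimaging; a quarantined hit with no callback is monitor-only.
        if self.callbacks or self.av_unremediated:
            return "reimage"
        return "monitor" if self.av_detected else "no-evidence"

def triage(host: str, av_log: str = AV_LOG, proxy_log: str = PROXY_LOG) -> Verdict:
    v = Verdict(host)
    for line in av_log.splitlines():
        _, h, action, threat = line.split(maxsplit=3)
        if h == host:
            v.av_detected.append(threat)
            if action != "quarantined":
                v.av_unremediated.append(threat)
    for line in proxy_log.splitlines():
        _, h, _, url, _ = line.split()
        dest = re.sub(r"^https?://", "", url).split("/")[0]  # URL host part
        if h == host and dest in CALLBACK_HOSTS:
            v.callbacks.append(url)
    return v
```

With the constructed data, ws-0417 is flagged for reimaging (an uncleaned detection plus a callback), while ws-0522's quarantined hit with no callback is left at monitor-only.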