- Does the organization suspect they already have malware? If so, what evidence supports that?
- Have staff members received suspicious communications, like emails or IMs?
- Based on the context research and the organization's activities, how likely are targeted attacks?
- How much time should be devoted to more complete analysis during the audit itself, and what other factors change that?
- What are the implications of targeted malware for the organization, and for the current assessment process?
- What types of malware should trigger an incident response approach?
- For engagements with a high level of potential threat, the auditor should conduct a more comprehensive Adversary Capability Assessment, building on the Technical Context Research work. Are there Advanced Persistent Threats that should be taken into account? How do they operate? Are there known indicators of compromise to look for?
- An agreement on capturing data from infected devices should be signed with the organization before this step.
- The auditor should ensure they have a clear understanding with the organization on an incident response plan, points of contact, and a process that allows for safe discussions.
- Dealing with malicious software is risky: be aware of the threats around it, and don't infect yourself or additional machines.
- Don't upload files to third-party services (look up hashes instead). Take extreme care with identifying information, or with information that may itself have been targeted.
- Use a VPN or Tor for research when working from a country that is a strong rival of the organization's country, or one known to conduct surveillance.
- For severe infections or incidents, the auditor and the organization may agree, through the Incident Response Plan, to clean or reformat critical devices. This is extremely time consuming and may result in loss of data, loss of critical programs whose installation media or license has been lost, and potential re-infection. Proceed with extreme caution and clarity.
- Ability to spot malicious elements, scan machines and clean them
- Ability to do initial malware research safely
- Ability to image a machine and practice good digital forensics and evidence capture processes (see the Evidence Capture Activity)
- Contacts with malware analysis experts for more in depth investigation
Due to the limited window of time, the auditor should focus on identifying suspicious activities and triaging them rapidly. Many of these will be false positives related to other non-malicious software causing the machine to "act weird" or other types of less serious (and non-targeted) malicious software like adware or ransomware.
When a targeted infection cannot be ruled out, collecting evidence, running basic research and analysis, and assessing the risk and impact against organizational priorities will help prioritize further action. In-depth binary analysis is best kept for post-audit work during the reporting and follow-up phases. If critical assets are compromised, the auditor might need to coordinate urgent mitigation measures with other IT experts.
Time management is crucial when responding to potential malware infections and similar advanced threats. If using this method, the auditor should constantly question whether to continue this process or complete other aspects of their audit plan. At the end of the audit process, not having an understanding of the organization's risk tolerance, existing capacity, current practices/processes/policies and existing informational assets will undermine the auditor's ability to provide a prioritized report or to understand the context around the potentially malicious activity they have uncovered.
The main outputs of advanced threat identification are evidence such as files, emails, screenshots, and URLs included in messages or spotted in suspicious connections.
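One way to make the "look up hashes, don't upload files" rule from the preparation notes and the evidence outputs above repeatable, as an added example that is not part of the SAFETAG guide: a small Python script that hashes suspect files in a single pass, records who collected them and when, checks them against a pasted list of known-bad hashes, and writes a CSV manifest. The file paths, the collector name and the indicator list are assumptions.

```python
"""Hash manifest for suspicious files (added example, not SAFETAG's own code).
Record hashes and metadata instead of uploading the file itself; paths,
collector name and the indicator list are assumptions."""
import csv
import hashlib
import io
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB blocks so large binaries never sit in RAM
ALGOS = ("md5", "sha1", "sha256")  # weaker ones kept only to match older IoC lists

def hash_file(path):
    """Return {algo: hexdigest} for one file, computed in a single read pass."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(paths, collected_by):
    """One record per file: hashes, size, mtime, collector and collection time.
    The manifest is what leaves the engagement; files stay on the evidence drive."""
    now = datetime.now(timezone.utc).isoformat()
    records = []
    for path in paths:
        st = os.stat(path)
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
        rec = {"path": path, "size": st.st_size, "mtime_utc": mtime}
        rec.update(hash_file(path))
        rec.update(collected_by=collected_by, collected_at_utc=now)
        records.append(rec)
    return records

def match_indicators(records, known_hashes):
    """Return records whose md5/sha1/sha256 is on a known-bad list (case-insensitive)."""
    wanted = {h.strip().lower() for h in known_hashes}
    return [r for r in records if any(r[a] in wanted for a in ALGOS)]

def manifest_csv(records):
    """Serialise the records as CSV text for the evidence log."""
    if not records:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(records[0]))
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()
```

Only the CSV (hashes and metadata) needs to be shared with the organization or a malware analyst; the suspect files themselves can stay on the isolated evidence drive.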
- Guide: "Digital First Aid Kit: My Device Is Acting Suspiciously"
- Guide: "Recommendations for Readiness to Handle Computer Security Incidents" (CIRCL)
- Guide: "Guide to Integrating Forensic Techniques into Incident Response" (NIST)
- RFC: "Guidelines for Evidence Collection and Archiving" (IETF)
- Guide: "Electronic evidence - a basic guide for First Responders" (European Union Agency for Network and Information Security)
- Procedures: "The ThreatHunting Project" (ThreatHunting.net)
- Resource Collection: "Annotated Reading List" (ThreatHunting.net)
- Guide: "Recovering from an intrusion" (UCL Security Baselines)
- Educational Resources: "Memory Samples" (Volatility)
- Educational Resources: "Awesome Malware Analysis"
- Presentation: "Practical Malware Analysis" (Mandiant / Black Hat)
- Guide: "Guide to Quick Forensics" (Security Without Borders)
- Guide: "Investigating Infrastructure Links with Passive DNS and Whois Data" (Citizen Evidence Lab, Amnesty International)
- Guide: "Live Vs Dead Computer Forensic Image Acquisition" (Mahesh Kolhe et al.)
- Tool: "DEFT 7 Manual - Digital Evidence and Forensics Toolkit"
- Guide: "Capturing a Forensic Image" (Justin C. Klein Keane)
- Blog: "Forensics 101: Acquiring an Image with FTK Imager" (SANS Digital Forensics and Incident Response Blog)
- Samples: "Test Images and Forensic Challenges" (Forensic Focus)
- Samples: "Evidence Files and Scenarios" (Digital Forensics Association)