Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Day 16 - Containing a Malware Outbreak

Published: 2008-10-16
Last Updated: 2008-10-16 12:24:11 UTC
by Mark Hofman (Version: 1)
0 comment(s)

Containing a malware outbreak is topic 16 in Cyber awareness month.  This is one topic that is dear to all our hearts, how do you contain a malware outbreak?  What steps should you take to contain and prevent re-infestation?  and what measures do you have in place to detect malware on the network in the first place?

Sadly as we all know AV products on the market are not always effective.  Almost everyday we receive malware samples that are not detected by most of the AV products we have access to.  So you need some alternate methods of detecting that there is a piece of malware running around your network.   Some of the mechanisms I've used are fairly simple ones.   Monitor traffic to networks that do not exist inside the environment.  Any traffic to this subnet can't be good.  An internal IDS/IPS can flag anomalous traffic.  Some solutions can take action when they detect malware on the wire.  Monitor firewall logs for traffic to seemingly random locations on ports you are not familiar with is also a good idea.  Other sites keep lists of top internal talkers,  when they change they look for anomalous behaviour and take the appropriate action.   

To contain an outbreak people take different approaches.  Most people are pretty keen to get the device disconnected from the main network as fast as possible.  Easily achieved by pulling the network cable and sending junior over to deal with the issue.  However that may not always be an option.  I've seen other sites where the offending host is shunted onto a different VLAN (at some sites automatically when detected), where they can be inspected and "cleaned" using the various tools deployed.  Once deemed clean, they are placed back onto the internal network by reconfiguring the switch port.

Other organisations vary the theme and nuke the device from orbit.  One of the nicer sites I've visited recently shunt the machine onto a cleanup network and it is then re-imaged from a clean copy before being passed back to the user.  The whole process takes them about 30 minutes depending on the location.

Prevention is the best cure, but some infections can't be helped.  Make sure that your organisation has the processes in place to deal with them as it makes life much easier.   If you are infected spend some time identifying the vectors used and also consider other vectors.  There is nothing more frustrating than cleaning up an environment and have it reinfected in a few minutes because you forgot your VPN users.

These are a few of the things I have seen that people use to contain an outbreak. What do you do?  let us know and we'll add the info to the list.

Mark - Shearwater

 

Keywords: Awareness2008
0 comment(s)
Diary Archives