One of the questions clients ask most frequently is, “Can you tell me how this piece of malware got onto my system?” If you administer or manage endpoints, you have probably discovered an infected or compromised system. Your first reaction is to find the system and clean it, so that it does not affect your other systems and the user can get back to work. Your second reaction is probably “How did this system get infected or compromised?”
Unfortunately, most organizations do not have the ability to easily piece together all the information needed to understand an infection incident such as this. If just a single system is affected, it is a luxury for an administrator to track down the root cause—a luxury few can or choose to afford.
However, an infected or compromised system can be the tip of an iceberg that your cyber infrastructure is about to hit. If you know more about an incident than just which system you fixed or quarantined, you may end up saving your organization time and money.
The data you need is often there. Most organizations discover that the web proxy or firewall logs collected data on activity related to the infected system. Perhaps the infected system communicated with a SharePoint system on your network, where it (inadvertently) placed a dropper that could infect other LAN-connected systems. The SharePoint server that is now playing host to the malware did not detect the dropper because the directory was excluded from scanning. If this is a “zero day” or a new strain of an old variant of malware, then it could spread quickly through your infrastructure before you know the root cause is sitting in your network. Ironically, most logs—IPS, server, firewall, web proxy—will collect activity data related to this incident. However, most organizations are siloed into teams or departments such as the network team, the server team, and the systems team, and so, too, is the pertinent data.
One of my customers told me that it took them a month to figure out that they had a system communicating with a command and control (C&C) server on the Internet. Once they knew what to look for, they found evidence of this activity in the web proxy logs.
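The kind of "what to look for" that turns a pile of proxy entries into evidence is illustrated below. This is an added example, not code from the book or from any product it discusses: it parses a handful of constructed Squid-style proxy log lines (every IP address, host name and timestamp is made up), groups one client's requests by destination, and flags destinations contacted at near-constant intervals, the regular check-in pattern typical of C&C beaconing. The log layout, the `max_jitter` threshold and the `.example.invalid` names are assumptions chosen for the example.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines in a Squid-style access-log layout (assumed format):
# <epoch seconds> <client IP> <status> <bytes> <method> <URL>
# Client 10.0.5.23 contacts one external host every 300 seconds (a beacon-like
# pattern) and browses an intranet server at irregular times; 10.0.5.40 is
# ordinary background traffic. All addresses and names are made up.
SAMPLE_PROXY_LOG = """\
1700000000.000 10.0.5.23 200 512 GET http://c2-placeholder.example.invalid/ping
1700000012.000 10.0.5.23 200 9212 GET http://intranet.example.invalid/sharepoint/doc.aspx
1700000045.000 10.0.5.40 200 4410 GET http://intranet.example.invalid/home
1700000300.000 10.0.5.23 200 498 GET http://c2-placeholder.example.invalid/ping
1700000431.000 10.0.5.23 200 1300 GET http://intranet.example.invalid/sharepoint/list.aspx
1700000600.000 10.0.5.23 200 510 GET http://c2-placeholder.example.invalid/ping
1700000617.000 10.0.5.40 200 2204 GET http://news.example.invalid/
1700000900.000 10.0.5.23 200 505 GET http://c2-placeholder.example.invalid/ping
1700001200.000 10.0.5.23 200 500 GET http://c2-placeholder.example.invalid/ping
1700001366.000 10.0.5.23 200 7801 GET http://intranet.example.invalid/sharepoint/doc.aspx
1700001420.000 10.0.5.23 200 6120 GET http://intranet.example.invalid/sharepoint/home.aspx
1700001500.000 10.0.5.23 200 511 GET http://c2-placeholder.example.invalid/ping
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def parse_proxy_log(text):
    """Yield (timestamp, client_ip, dest_host) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the run
        host = urlparse(m.group("url")).hostname
        if host:
            yield float(m.group("ts")), m.group("client"), host


def connections_for_host(text, client_ip):
    """Group the request timestamps of one client by destination host."""
    by_dest = defaultdict(list)
    for ts, client, host in parse_proxy_log(text):
        if client == client_ip:
            by_dest[host].append(ts)
    return {host: sorted(times) for host, times in by_dest.items()}


def find_beacon_candidates(text, client_ip, min_hits=4, max_jitter=0.2):
    """Return destinations the client contacts at near-constant intervals.

    A destination qualifies when it has at least `min_hits` requests and the
    coefficient of variation (stdev / mean) of the gaps between requests is at
    most `max_jitter`. Regular check-ins are typical of C&C beaconing but also
    of legitimate pollers (update checks, mail clients), so the result is a
    triage list for an analyst, not a verdict.
    """
    candidates = {}
    for host, times in connections_for_host(text, client_ip).items():
        if len(times) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            candidates[host] = {
                "hits": len(times),
                "mean_gap_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
            }
    return candidates


if __name__ == "__main__":
    for host, info in find_beacon_candidates(SAMPLE_PROXY_LOG, "10.0.5.23").items():
        print(f"{host}: {info['hits']} hits, every ~{info['mean_gap_s']}s (jitter {info['jitter']})")
```

Run against the constructed lines, only the host contacted every 300 seconds is reported for 10.0.5.23; the intranet SharePoint server is contacted just as often but at irregular gaps and is left out. On real proxy logs the same grouping is what lets a team pull one quarantined machine's history out of a shared log silo and then pivot on the destination to see which other clients talked to it.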