Malware incident response can be a time-consuming and frustrating process. A seasoned investigator, however, has documented steps to help you investigate malware in 30 minutes or less.
Joseph Salazar, an information security practitioner, presented his methodology in a lecture called “Streamlined Malware Incident Response with EnCase®,” at the Enfuse™ conference (formerly known as CEIC®) held earlier this year. This highly rated session outlined a framework to minimize user and system exposure to malware; utilize supporting infrastructures and processes; and leverage the flexibility of not only EnCase Endpoint Security, but even more so, EnCase Enterprise.
CEIC 2015 Highlights: Thwarting Malware, FRCP Rules Changes, Corporate Cyberbullying, Collaborating for the Win
CEIC® 2015 began with a one-day CISO/CLO Summit that gathered security and legal chiefs to collaborate on emerging best practices in defending the enterprise, as well as an energetic CEIC welcome keynote from our president and CEO Patrick Dennis and Roger Angarita, our head of product development. Patrick talked about how the legal, security, and forensic investigation communities are blending together, both to collaborate and even to expand their own professional areas of responsibility. Our data is converging—and so are our professions—which is good news, since as we collaborate, we are turning the tide in the defense of our organizations, our citizens, and our economies.
The ultimate desire for malware authors is to be able to have their code run every time a computer starts, and leave no trace on the disk for us to find. Let me reassure you that it hasn’t happened just yet, at least not that I have seen. There have been plenty of examples over the years that have taken advantage of some clever techniques that disguise their disk-based homes, but that’s just it–disguise!
A couple of recent posts on “Poweliks” here and here shed light on creative measures attackers use to store malware in the Windows Registry. In short, there is a registry value that executes an encoded script stored in another registry value, which then drops a file on disk for execution.
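The registry-resident pattern described above (an autorun value that executes an encoded script held in another value) can be hunted for in a .reg export; the script below is an added example, not code from the post or from Guidance Software. The keyword lists for script hosts and registry references and the 200-character blob threshold are assumed heuristics, and the export it parses is constructed sample data, not real Poweliks artifacts.

```python
import re
from collections import defaultdict

# Constructed .reg-style export (not real Poweliks data): a benign autorun entry,
# one that launches a script host and evaluates another key's value, and that
# value holding a long encoded blob (BLOB is filler in the base64 alphabet).
BLOB = "QUJD" * 80
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Loader"="powershell.exe -NoP -W Hidden -c \"iex((gp HKCU:\\Software\\Sample).Blob)\""
[HKEY_CURRENT_USER\Software\Sample]
"Blob"="''' + BLOB + '"\n'

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="string" or @="string"; \" and \\ are .reg escapes; other value types are skipped
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"\s*$')
# Assumed heuristics: script hosts abused by fileless loaders, tokens showing a
# command reads the registry, and a minimum length for an encoded blob.
SCRIPT_HOSTS = ("powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
REG_REFS = ("hkcu", "hklm", "hkey_", "registry::", "get-itemproperty", "gp ")
BLOB_RE = re.compile(r'^[A-Za-z0-9+/=]{200,}$')

def parse_reg(text):
    # Returns {key path: {value name: unescaped data}} for string values only
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = re.sub(r'\\(.)', r'\1', m.group(2))
    return dict(keys)

def scan(keys):
    # Returns (key, value name, reason) triples for values matching the heuristics
    findings = []
    for key, values in keys.items():
        autorun = key.lower().endswith(("\\run", "\\runonce"))
        for name, data in values.items():
            low = data.lower()
            if autorun and any(h in low for h in SCRIPT_HOSTS):
                findings.append((key, name, "autorun launches a script host"))
            if autorun and any(r in low for r in REG_REFS):
                findings.append((key, name, "autorun reads its payload from the registry"))
            if BLOB_RE.match(data):
                findings.append((key, name, "long encoded blob stored as value data"))
    return findings
```

On the constructed export, `scan(parse_reg(SAMPLE_REG))` flags the Loader value twice and the Blob value once, and leaves the OneDrive entry alone; on a real export the same three reasons point an analyst at the value pair to decode and the file it eventually drops.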