
The Day After: Necessary Steps after a Virus Outbreak

Created: 06 Jan 2014 • Updated: 14 Aug 2014 | 8 comments
By Mick2009

Introduction

This is the fourth of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).

This fourth article is for use after the attacks have ended. It is intended to help admins prevent further attacks and make recovery from any future infection as painless as possible.

 

BOOM!

[Image: the_day_after.jpg]

 

Malware infections can be devastating.  Crucial files corrupted, data lost, intellectual property stolen, reputation tarnished, endless man-hours of labor wasted. Every company has their horror stories.

Once the key malicious files are found and submitted to Symantec Security Response, definitions against that threat can be created and distributed.  Though it requires a lot of inconvenience, the virus outbreak is over…. Now what?  Back to business as usual?

 

How To Not Get Flattened Again

Hopefully not! Though the steps necessary for recovery will differ from network to network and threat to threat, once an outbreak is over there is always one best course of action: learn the lesson and prepare better defenses.
 

How Did the Bad Guys Get In?

If possible, determine how and where this infection began. See if the entry route can be determined, and then shut that door firmly!

This will be difficult, as SEP is not a forensic application. It may be possible to see which computers have had active Downloader threats on them: identify all the computers that were affected by a particular threat, and then examine those systems in more depth.

As an example: an exported Risk Report from the SEPM will contain the unique hash of the threat sample.  With some filtering (and hiding columns for clarity), it's clear that all of the following computers detected the same Downloader.Trojan on the same day.  Chances are this malicious .exe had been present there, and then new definitions were downloaded and applied which added detection against it.  The next time the application ran (or a scheduled scan ran) it was picked up.

[Image: same_hash_patient_zero.png]

My advice would be to examine those five computers to see if they have weak passwords, or are missing patches and hotfixes, or if they have peer to peer clients installed, or if their internet browser download history shows unusual activity.  See what clues might be there!
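As an added example (not code from the article or from Symantec), the filtering described above done in Python over a constructed Risk Report export: detections are grouped by sample hash and day, and any sample reported by several computers on the same day is listed with the earliest detection. The column names are assumptions to be matched to your own export's headers.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of a SEPM Risk Report CSV export (not real data). The
# column names are assumptions; adjust them to match your own export's headers.
SAMPLE_RISK_REPORT = """\
Event Time,Computer Name,Risk Name,Hash,Actual Action
2014-01-03 08:12:41,WKS-014,Downloader.Trojan,aaaa1111aaaa1111aaaa1111aaaa1111,Quarantined
2014-01-03 08:15:02,WKS-022,Downloader.Trojan,aaaa1111aaaa1111aaaa1111aaaa1111,Quarantined
2014-01-03 08:15:37,WKS-031,Downloader.Trojan,aaaa1111aaaa1111aaaa1111aaaa1111,Quarantined
2014-01-03 09:01:10,SRV-FILE01,Downloader.Trojan,aaaa1111aaaa1111aaaa1111aaaa1111,Quarantined
2014-01-03 09:44:55,WKS-007,Downloader.Trojan,aaaa1111aaaa1111aaaa1111aaaa1111,Quarantined
2014-01-02 17:20:00,WKS-050,Trojan.Gen,bbbb2222bbbb2222bbbb2222bbbb2222,Cleaned
2014-01-04 10:00:00,WKS-014,Downloader.Trojan,aaaa1111aaaa1111aaaa1111aaaa1111,Quarantined
"""

def parse_risk_report(text):
    """Turn the CSV export into a list of dict rows keyed by column header."""
    return list(csv.DictReader(StringIO(text)))

def group_by_hash_and_day(rows):
    """Map (hash, YYYY-MM-DD) -> {'hosts': set, 'first_seen': (time, host)}."""
    groups = defaultdict(lambda: {"hosts": set(), "first_seen": None})
    for r in rows:
        g = groups[(r["Hash"], r["Event Time"][:10])]
        g["hosts"].add(r["Computer Name"])
        stamp = (r["Event Time"], r["Computer Name"])
        if g["first_seen"] is None or stamp < g["first_seen"]:
            g["first_seen"] = stamp
    return groups

def suspects(rows, min_hosts=2):
    """Groups worth a closer look: one sample detected on several machines the
    same day, largest group first. first_seen is only the earliest *detection*;
    as the article notes, the file may have sat there until definitions caught
    up, so it is a starting point for the investigation, not proof of patient zero."""
    out = []
    for (sample_hash, day), g in group_by_hash_and_day(rows).items():
        if len(g["hosts"]) >= min_hosts:
            out.append({"hash": sample_hash, "day": day,
                        "hosts": sorted(g["hosts"]), "first_seen": g["first_seen"]})
    return sorted(out, key=lambda s: (-len(s["hosts"]), s["day"]))

if __name__ == "__main__":
    for s in suspects(parse_risk_report(SAMPLE_RISK_REPORT)):
        print(f"{s['day']} {s['hash']} on {len(s['hosts'])} hosts: {', '.join(s['hosts'])}")
        print(f"  earliest detection: {s['first_seen'][1]} at {s['first_seen'][0]}")
```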

 

Change the Secret Plans- Quick!

Many threats have the ability to upload files from a compromised computer. If the outbreak that has just ended was one with Infostealer capabilities, ask "what information did the intruders have access to?" If sensitive data was on the laptop, workstation or server that was even temporarily pwned, assume that it is now in the hands of an unknown remote party. Take measures, if possible, to ensure that what they got away with is outdated and useless. For instance:

  • There have been cases where databases full of customer usernames and passwords have been stolen. Inform whoever needs informing and then ensure that all of those user passwords are reset.
  • In other cases, attackers have left behind evidence that the details of every account in Active Directory were harvested. In such cases, hackers can RDP right into the company at will using valid admin credentials (without needing a single piece of malware) unless strong new passwords are made mandatory for every account.

The chances of sensitive data being successfully stolen are reduced if Data Loss Prevention (DLP) is used.  If such a security tool is not already in use, it might be a good idea to implement one before there is another breach.  The 2013 Cost of Data Breach Study may help determine if DLP is a good investment.

 

 

Do Not Fight with One Arm Behind Your Back and Shoelaces Tied Together 

Too many companies are still relying on old releases of SEP that have only the bare-minimum AV component installed. Symantec Endpoint Protection is not Symantec AntiVirus, our long-retired product which only offered traditional signature-based scanning. SEP is a powerful suite of security tools.

SEP 11 (which is now past its End Of Limited Support) came with AntiVirus, plus optional Proactive Threat Protection (PTP), firewall, IPS, and Application and Device Control (ADC) components.  SEP 12.1 enhanced the performance and effectiveness of all of those tools and added the powerful Insight reputation-based protection.

To dramatically improve the defense of your network and everything on it, use a modern product with adequate components.  AV, IPS and Insight should be seen as an absolute minimum.  ADC, PTP and Network Threat Protection (NTP, the firewall) supplement their power at blocking malicious activity before it can get in place, and make removal much easier.  Definitely upgrade and use these features!  

How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations
http://www.symantec.com/docs/TECH90936

 

See for yourself how the SEP's PTP, Firewall, and IPS components can effectively block an attacker who was able to compromise a computer defended by SEP's AV alone.  Adding these extra components is essential to your security!

[Video: Blocked by Symantec Endpoint Protection]

 

 

Stronger Passwords.... DLP... Add IPS.... What Else?

The battle plan in Symantec's "Five Steps" article has been effective for many years.

Best Practices for Troubleshooting Viruses on a Network
http://www.symantec.com/docs/TECH122466 
 

 

It's appropriate to quote at length from Step 5. Post-op: Prevent Recurrence here:

 

Patching vulnerabilities

Vulnerabilities are computer software flaws that can be exploited by malicious code. These vulnerabilities can be repaired by applying patches provided by the software vendor. In today's network environment, regular patching is a requirement. Every network should have a Patch and Configuration Management Policy for testing new patches and rolling them out to client computers. Patching plans should focus not just on operating systems and browser add-ons, but all deployed software. Any software installed on a computer should be regularly checked for updates—from office utilities to databases to web server applications. All software should be cataloged and regularly checked for updates. Internally developed code should be regularly audited for security holes and fixed as soon as possible. Appliances such as routers and printers should also be checked for software updates and patched quickly. This can be a lot to manage, but it is vitally important in preventing security incidents.

 

AutoPlay (AutoRun)

Autoplay is a functionality in Windows that allows files to automatically be opened or "played". This feature is useful to launch installation files and other applications from CDs and USB flash drives, but over the last few years has become one of the largest attack vectors in the enterprise environment. While USBs may provide an initial source of infection through the use of AutoPlay, most network drives are designed to use this functionality too. This allows threats to attack from a network drive as soon as the drive is mapped. Since antivirus software is designed to scan the local hard drive, the threat will be able to attack the client computer without detection or prevention, unless additional measures like Network Auto-Protect are employed.

In order to protect your network, disabling AutoPlay is the recommended course of action. This can be done on individual computers, pushed out to client computers using the Group Policy editor, configured by a policy in Symantec Endpoint Protection, or accomplished by disabling the external media ports on the computer entirely from within the BIOS. There is also a known Windows vulnerability within the autoplay feature that may re-enable it unless Windows patches are applied.

 

Network shares

First and foremost, access to all network shares should require a strong password not easily guessed. "Open Shares" are network shares that allow the inherited permissions from the user to validate access. These do not require an additional authentication and therefore allow threats to spread very fast. Open shares should be minimized as much as possible, and when they are absolutely essential to business continuity, write and execute privileges should be restricted.

If a user only needs to obtain files from a source, they should only be granted read access. For added security, write access for users needing file-transfer capabilities can be limited to a "temporary" storage folder on a file server, which is cleared semi-regularly. In terms of execution permissions, limit this access to administrators or power users who have such need. Disabling or limiting access to two other share-types is also recommended: Admin$ shares allow complete root access on a computer to any user that can authenticate as a member of the administrator group; Inter-Process Communication (IPC) shares, or IPC$, are intended to help communication between network-available processes and other computers on the network.

The problem with the aforementioned shares is that, regardless of whether strong passwords are in place, once a user is logged on to a system with elevated rights, any threat present can use the credentials to access Admin$ or IPC$ shares available on the network. Once the user is logged in, the rights and permissions are implicit -- the door has been unlocked. Anything that user account has access to will be accessible to anything that impersonates the account.

The best practices in this regard are:

  • Do not auto-map network shares, instead supply a desktop icon to allow users access to the drive as needed.
  • Do not log on using an account with elevated privileges (such as the domain or local Admin) unless absolutely necessary to perform a certain task.
  • Be sure to log off once the task is completed.
  • For most day to day duties, use a more restrictive account.

 

Email

Email attachments, while perhaps not as prevalent as in years past, are still used to spread malicious code today. Most email servers currently on the market provide the ability to strip certain attachment types from emails. Limiting the types of files that are valid as attachments handicaps many threats' ability to spread.

Investing in AntiSpam software is another way of reducing exposure to threats. Doing so reduces the number of phishing scams and spam that reach end users, and thus the network as a whole.

 

Education

An educated end user is a safer end user. Ensure that your users understand the basics of safe computing, such as the following:

  • Do not give passwords to anyone or store them in an easily accessible location, either physical or electronic.
  • Do not open unexpected email attachments from known or unknown sources.
  • Do not click on unknown URLs.
  • Scan software downloaded from the Internet before installing it.
  • Having documentation, internal training, or periodic seminars on computer security available gives your users options for learning more about the topic.

 

Firewalls and other tools

Perimeter firewalls are critical to protect the network as a whole, but cannot cover all points of entry. Client firewalls add an extra layer of security by protecting individual computers from malicious behavior, such as Denial of Service attacks, and are critical to manage today's threat landscape.

Beyond basic firewalls, network and host-based Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) can help monitor unwanted activity on the network, and in many cases stop or alert on the offending traffic in real time. Many client-side firewalls today provide these features.

 

Emergency Response Team and Plans

Even after all these tasks are complete, it is still a good idea to be prepared in case of the worst. Draft a plan for how to respond to a potential outbreak and assign tasks and responsibilities to members of an Emergency Response Team. How quickly will an alert be generated if there's something on the network? Will there be administrators available to deal with it? How easy is it to reroute traffic and services on the network? Can compromised computers be isolated quickly before they affect other computers? Having plans in place for these things makes dealing with unpleasant situations much easier and saves both time and money.

 

 

Great Stuff! What Other Steps Should Also Be Done?

Final Recommendation

Your Symantec Endpoint Protection Manager contains in-depth records of threat-related activity, and the SEPM can alert you when there is a potential security incident for which manual action should be taken.  For example, some threats have ways of "tricking Windows" into protecting their processes from certain AntiVirus technologies.  It is possible to create a notification for incidents where SEP detects a threat but ultimately leaves it alone.

[Image: risk_left_alone.JPG]

 

In the above example, the administrator will receive a mail whenever any of these Left Alone events occur. The admin can then take a closer look at that computer and stop an infection before it can secure its foothold. So: definitely use SEPM notifications and scheduled reports. These empower admins to know what is happening in their network, which is much better than finding out about a breach from the news media or from law enforcement!
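An added example, not part of the article or of SEPM itself: the same "Left Alone" triage in Python over a constructed risk log export, so the check can also be run against an exported CSV between scheduled reports. It keeps only the latest action per computer, risk and file, so a file a later scan already quarantined does not page anyone; the column headers and action strings are assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of a SEPM risk log CSV export (not real data). Column
# headers and action strings are assumptions; match them to your own export.
SAMPLE_RISK_LOG = """\
Event Time,Computer Name,Risk Name,File Path,Actual Action
2014-01-06 07:02:11,WKS-014,Downloader.Trojan,C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe,Quarantined
2014-01-06 07:05:48,WKS-022,Trojan.Gen.2,C:\\Windows\\Temp\\update.exe,Left alone
2014-01-06 07:06:03,WKS-022,Trojan.Gen.2,C:\\Windows\\Temp\\update.exe,Left alone
2014-01-06 07:30:19,SRV-FILE01,W32.Downadup,C:\\Windows\\System32\\x7a9kq.dll,Cleaned
2014-01-06 07:40:00,WKS-007,Trojan.Gen,C:\\Users\\tim\\tmp\\a.exe,Left alone
2014-01-06 08:00:00,WKS-007,Trojan.Gen,C:\\Users\\tim\\tmp\\a.exe,Quarantined
2014-01-06 08:11:40,WKS-031,Infostealer,C:\\Users\\ann\\Downloads\\invoice.exe,Partially removed
"""

# Outcomes that mean the file may still be live on the host and a human needs
# to look at that machine, as opposed to Quarantined/Cleaned/Deleted.
NEEDS_MANUAL_ACTION = {"Left alone", "Partially removed"}

def parse_risk_log(text):
    return list(csv.DictReader(StringIO(text)))

def unresolved_detections(rows):
    """One alert per (computer, risk, path) whose *latest* recorded action
    still needs manual follow-up. Using the latest event avoids paging on a
    file that a later scheduled scan already quarantined."""
    latest, seen = {}, Counter()
    for r in rows:  # exports are not guaranteed to be in time order
        key = (r["Computer Name"], r["Risk Name"], r["File Path"])
        seen[key] += 1
        if key not in latest or r["Event Time"] > latest[key]["Event Time"]:
            latest[key] = r
    alerts = [{"computer": c, "risk": n, "path": p, "action": r["Actual Action"],
               "last_seen": r["Event Time"], "occurrences": seen[(c, n, p)]}
              for (c, n, p), r in latest.items()
              if r["Actual Action"] in NEEDS_MANUAL_ACTION]
    return sorted(alerts, key=lambda a: a["last_seen"])

def format_alert(a):
    """Body text for the notification mail; keep it short and actionable."""
    return (f"[{a['action']}] {a['computer']}: {a['risk']} at {a['path']} "
            f"(seen {a['occurrences']}x, last {a['last_seen']}) - examine this host")

if __name__ == "__main__":
    for alert in unresolved_detections(parse_risk_log(SAMPLE_RISK_LOG)):
        print(format_alert(alert))
```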
 

Conclusion

Increase the Peace! With a bit of best practice and careful attention, disasters can be avoided. Yes, some effort will be involved: effective preventative measures can either be taken now, or there can be a lot of panicked screaming and running around in a mad rush during the next inevitable breach or destructive outbreak. Symantec provides the tools, but what happens to your business tomorrow is up to you.

 

Many thanks for reading!  Please do leave comments and feedback below. 

 

Comments (8)

.Brian

great stuff, thanks!

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi

Great steps. Excellent as always.!!!

 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Tariq Naik

good pointers

riva11

Great article, thanks for sharing.

Chetan Savade

Great article!

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mick2009

The fifth article in this series is now available.  An illustrated guide to the tools and techniques necessary to defeat W32.Downadup can be found in the new Connect article:

Killing Conficker: How to Eradicate W32.Downadup for Good
https://www-secure.symantec.com/connect/articles/killing-conficker-how-eradicate-w32downadup-good

With thanks and best regards,

Mick

Mick2009

Here's the sixth in the series:

Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

With thanks and best regards,

Mick

Mick2009

A related document that may be of interest:

 

Containing An Outbreak: How to clean your network after an incident
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/containing_an_outbreak.pdf

With thanks and best regards,

Mick
