Looking for Infected Systems as Part of a Security Assessment
Security assessments often produce predictable results—missing patches—so consider adding malware detection tasks. Techniques include identifying unmanaged systems, analyzing autorun entries for anomalies, examining outbound traffic to known-bad addresses, and scanning filesystems for suspicious files like obfuscated JavaScript.
There are many types of information security assessments. These projects typically look for security weaknesses, so that the organization can address the issues in a prioritized manner. The results of the assessments, especially those focused on identifying internal IT infrastructure vulnerabilities are often the same: the organization lacks critical security patches, which puts its data at risk.
Considering that the results of many traditional security assessments can be predetermined without actually conducting the assessment, how should the scope or approach to such projects change to provide more value? One option is to include tasks that examine the environment for the presence of malware or other signs of a compromise. Assessing the infrastructure for the presence of malware could also be a standalone project. Techniques for identifying the signs of malware or compromise in an enterprise setting include the following:
- Identify at-risk systems, such as those not being centrally managed by the IT group or those without the properly-configured antivirus/endpoint security tools.
- Analyze autorun entries (registry keys, services, browser add-ons, etc.) to identify anomalies, such as references to programs that are present on only some systems in the enterprise.
- Examine outbound network traffic to identify systems that attempt to communicate with known bad IP addresses, domain names or network blocks. Using a DNS sinkhole may assist with this task.
- Scan file system contents for suspicious files, such as those that include obfuscated JavaScript or those that appear to be packed.
The data for some of the tasks above can be collected using authenticated vulnerability scans. Others involve placing a network sniffer in the environment or examining network, firewall and DNS logs. In some cases, the assessor may need to run tools on the assessed systems to capture additional data. There is also an opportunity for security vendors to license their tools in a per-project basis to make them useful for such malware assessments. One example of this is the consultant-friendly licensing option of Damballa Failsafe; I expect more vendors to position their tools in a similar manner, if they aren’t doing this already.
More articles related to delivering better security assessments: