I don’t actually run this SOC (or any other) 🙂 But…but, as a certified “blue team” member, I’m pretty excited with the crop of new companies and ideas that are springing up in the area of SOC analysis, Deception technology, Lateral/external movement, etc. Some of the cool new(ish) vendors that I am falling deeply in love with will be briefly enumerated below… If I was running a SOC, here are some vendors (or technologies) that I would have to add on top of the existing players (centralized logging, scan vuln data, IDS/IPS data, firewall/proxy data, etc.)
85.4% of statistics can be interpreted in the opposite way, and AV has been declared dead regularly since 1987.
Symantec “invented commercial antivirus software in the 1980s”? That must come as news to the many companies, like Sophos, that I was reviewing long before Symantec bought out their first AV company.
“Dye told the Wall Street Journal that hackers increasingly use novel methods and bugs in the software of computers to perform attacks.”
There were “novel attacks” in 1986, and they got caught. There have been novel attacks every year or so since, and they’ve been caught. At the same time, lots of people get attacked and fail to detect it. There’s never a horse that couldn’t be rode, and there’s never a rider that couldn’t be throwed.
“Malware has become increasingly complex in a post-Stuxnet world.”
So have computers. Even before Stuxnet. I think it was Grace Hopper who said that the reason it is difficult to secure complex systems is because they are complex systems. (And she died a while back.)
This is possibly a little out of line with what I’m trying to do with the series. This advice is aimed a little higher than the home user, or small business operator with little computer experience. Today I got these questions from someone with an advanced computer background, and solid security background, but no malware or antivirus experience. I figured that this might apply to a number of people out there, so here was my advice:
> Question 1: What is the best way to obtain some good virus samples to
> experiment with in a clean-room environment?
Just look for anything large in your spam filters 🙂
> What I see doing is setting up a VM that is connected to an isolated
> network (with no connection to any other computer or the internet except
> for a computer running wireshark to monitor any traffic generated by the
VMs are handy when you are running a wholesale sample gathering and analysis operation, but for a small operation I tend not to trust them. You might try running Windows under a Mac or Linux box, etc. Even then, some of the stuff is getting pretty sneaky, and some specifically target VMs. (I wonder how hard it would be to run Windows in a VM under iOS on ARM?)
> Also, any other particular recommendations as to how to set up the
> clean-room environment?
I’m particularly paranoid, especially if you haven’t had a lot of background in malware, so I’d tend to recommend a complete airgap, with floppies. (You can still get USB 3 1/2″ floppy drives.) CDs might be OK, but USB drives are just getting too complex to be sure.
> Question 2: What products are recommended for removing viruses and malware
> (i.e. is there a generic disinfector program that you recommend)?
I wouldn’t recommend a generic for disinfection. For Windows, after the disaster of MSAV, MSE is surprisingly good, and careful–unlikely to create more problems than it solves. I like Avast these days: even the free version gives you a lot of control, although it seems to be drifting into the “we know what’s best for you” camp. And Sophos, of course, is solid stuff, and has been close to the top of the AV heap for over two decades. F-Secure is good, although they may be distracted by the expansion they are doing of late. Kaspersky is fine, though opinionated. Eset has long had an advantage in scanning speed, but it does chew up machine cycles when operating.
Symantec/Norton, McAfee, and Trend have always had a far larger share of the market than was justified by their actual products.
As always, I recommend using multiple products for detection.
> I assume the preferred approach is to boot the suspect computer from USB
> and to run the analysis/disinfection software from the USB key (i.e. not to boot
> the infected computer until it has been disinfected).
A good plan. Again, I might recommend CD/DVD over USB keys, but, as long as you are careful that the USB drive is clean …
> Question 3: How/when does one make the decision to wipe the hard drive and
> restore from backup rather than attempt to remove the malware?
If you have an up-to-date backup, that is always preferred when absolute security is the issue. However, the most common malware is going to be cleanable fairly easily. (Unless you run into some of the more nasty ransomware.)
Pushing backup, and multiple forms of backup, on all users and systems, is a great idea for all kinds of problems. I’ve got a “set and forget” backup running to a USB drive that automatically updates any changes about every fifteen minutes. And every couple of days I make a separate backup (and I have different USB drives I do it to) of all data files–which I then copy on to one of the laptops. I just use an old batch file I created, which replaces any files with newer versions. (Since it doesn’t delete anything I don’t change, it also means I have recovery possibilities if I make a mistake with deleting anything, and, by using multiple drives, I can rotate them for offsite storage, and even have possibilities of recovering old versions.)
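The “replace files with newer versions, never delete anything” step described above, written out as an added POSIX sh example (this is not the author’s own batch file). It assumes the source and the backup drive are plain directories, and it builds its own constructed sample files in a temporary directory so it can be run as-is.

```shell
#!/bin/sh
# Added example, not the author's batch file: a "copy if newer, never delete"
# backup step. Assumption: SRC and DST are ordinary directories (a working
# tree and a mounted USB drive, say).

# sync_newer SRC DST: copy each regular file under SRC to the same relative
# path under DST when DST lacks it or holds an older copy. DST is never
# pruned, so a file deleted by mistake in SRC stays recoverable from the backup.
sync_newer() {
    src=$1; dst=$2
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        target="$dst/$rel"
        if [ ! -e "$target" ] || [ "$f" -nt "$target" ]; then
            mkdir -p "$(dirname "$target")"
            cp -p "$f" "$target"      # -p keeps the mtime, so -nt stays meaningful
        fi
    done
}

# count_files DIR: number of regular files under DIR (used to verify the sync).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# run_demo: create constructed sample data, run two backup passes, and return 0
# only if "newer version wins, nothing is deleted" actually held.
run_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/src/docs" "$tmp/usb"
    printf 'v1\n' > "$tmp/src/docs/notes.txt"
    printf 'keep\n' > "$tmp/src/old.txt"
    sync_newer "$tmp/src" "$tmp/usb"
    # Day two: one file edited, one deleted by mistake on the source side.
    sleep 1
    printf 'v2\n' > "$tmp/src/docs/notes.txt"
    rm "$tmp/src/old.txt"
    sync_newer "$tmp/src" "$tmp/usb"
    status=1
    if [ "$(cat "$tmp/usb/docs/notes.txt")" = v2 ] \
       && [ -f "$tmp/usb/old.txt" ] \
       && [ "$(count_files "$tmp/usb")" = 2 ]; then
        status=0
    fi
    rm -rf "$tmp"
    return $status
}

run_demo && echo "backup step OK: newer copy taken, deleted file still on backup"
```

Rotating several drives, as the post suggests, is just a matter of calling sync_newer against each drive’s mount point in turn; because nothing is ever deleted, each drive also keeps older versions of files that have since been removed.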
> Question 4: Any recommended books or other guides to this subject matter?
Haven’t seen anything terrifically useful recently, unfortunately. David Harley and I released “Viruses Revealed” as public domain a few years back, but it’s over ten years old. (We released it about the time a vxer decided to upload it to http://vxheavens.com/lib/ars08.html. He probably thought he was hurting our sales, but we figured he was doing us a favour 🙂)
Spam filters are getting pretty good these days. If they weren’t, we’d be inundated.
But they aren’t perfect.
It’s a good idea to check what is being filtered out, every once in a while, to make sure that you are not missing messages you should be getting. Lots of things can falsely trigger spam filters these days.
Where and how you check will depend on what you use to read your email. And how you report that something is or isn’t spam will depend on that, too.
If you use the Web-based email systems, like Gmail, Yahoo, Outlook/Hotmail, or others, and you use their Web interface, the spam folder usually is listed with other folders, generally to the left side of the browser window. And, when you are looking at that list, when you select one of the messages, somewhere on the screen, probably near the top, is a button to report that it isn’t spam.
It’s been a couple of weeks since I did this myself, so I checked two of my Webmail accounts this morning. Both of them had at least one message caught in the spam trap that should have been sent through. Spam filtering is good, but it isn’t perfect. You have to take responsibility for your own safety. And that means checking the things you use to keep you safe.