By Tom Chmielarski, Practice Lead – RSA Advanced Cyber Defense Practice (Americas)
The RSA Advanced Cyber Defense team is focused on helping organizations improve their proactive and reactive capabilities. There are many different analysis techniques, or tricks, for finding various kinds of malicious activity in IT data, and today I’m going to address an antivirus analysis technique that is both simple and effective.
To set the context a bit for anyone not aware, email is a very common vector for Advanced Threats. Email is a popular delivery method for exploits because people are so willing to open documents and links in email, especially when they think they know who sent the email. Document formats that are commonly used to deliver exploits are PDFs, Word DOC/DOCX, Excel, and RTF-formatted text. Widespread crimeware campaigns, often associated with ZeuS, will also use this technique, but the “flavor” of the malicious files will be different than with Advanced Threat attacks.
Antivirus will not stop most targeted attacks, and it may never detect some malware, but given enough time it will often detect the email-delivered, exploit-laden (or “weaponized”) documents that are used to gain access by Advanced Threat entities. For these reasons and more, antivirus, despite its faults, should not be overlooked as a layer for Advanced Threat defense!
As you can probably now guess, a simple, even obvious, but often overlooked analysis technique is to monitor antivirus log detections of exploits, droppers, or backdoors in files of the common document types listed above. File names that seem company- or project-specific are a good indicator of a targeted attack. Not every malicious document will indicate a targeted attempt, but a little hands-on time with your log data will help you identify which alerts and antivirus signatures should get a closer look. For improved accuracy, if you have email infrastructure log data, you can correlate all document-associated antivirus detections with email attachment names.
The usefulness of antivirus as a detection source depends on scheduled scans detecting malware and exploits latent on the file system, so you may want to account for the timing of those in your analysis. Antivirus data often has a multi-hour time lag, particularly if clients have been off-network, so you need to ensure your search methods are not just looking at “current events”. How specifically you profile your antivirus data is dependent upon what you use for searching your security logs, but that is a log management question for another day.
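The following is an added example (not from the original post) of the analysis the two preceding paragraphs describe: filtering antivirus detections down to exploit/dropper/backdoor signatures in document-type files, using a lookback window wide enough to absorb reporting lag, joining the hits to mail-gateway attachment names, and flagging file names that contain internal project or company terms. All log records, host names, signature names, addresses and internal terms are constructed sample data, not real indicators.

```python
import re
from datetime import datetime, timedelta
from os.path import basename

# Document types the post lists as common exploit carriers.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
# Signature-name keywords for the detection classes worth a closer look.
THREAT_RE = re.compile(r"exploit|dropper|backdoor", re.IGNORECASE)

# Constructed antivirus log: (detection time, host, file path, signature name).
AV_LOG = [
    ("2013-05-01T09:15:00", "ws-117", r"C:\Users\jdoe\Downloads\Q2_Orion_budget.xls", "Exploit.OLE.Sample"),
    ("2013-05-01T10:02:00", "ws-042", r"C:\Users\asmith\AppData\Local\Temp\setup.exe", "Trojan.Generic.Sample"),
    ("2013-04-29T23:40:00", "lt-208", r"C:\Users\bking\Desktop\invoice.pdf", "Backdoor.PDF.Sample"),
    ("2013-04-20T08:00:00", "lt-208", r"C:\Users\bking\Desktop\agenda.doc", "Dropper.Sample"),  # reported late: laptop was off-network
    ("2013-05-01T11:00:00", "ws-003", r"C:\temp\readme.txt", "Exploit.Generic.Sample"),
]
# Constructed mail-gateway log: (received time, sender, recipient, attachment name).
MAIL_LOG = [
    ("2013-05-01T08:58:00", "finance@lookalike-partner.example", "jdoe@corp.example", "Q2_Orion_budget.xls"),
    ("2013-04-29T17:12:00", "billing@vendor.example", "bking@corp.example", "Invoice.pdf"),
]
INTERNAL_TERMS = ["orion", "corp"]  # constructed project/company names to test file names against
NOW = datetime.fromisoformat("2013-05-01T12:00:00")  # analysis time for the constructed data

def document_detections(av_log, now, lookback_hours=72):
    """Exploit/dropper/backdoor detections in document files within a lookback window sized for AV reporting lag."""
    cutoff = now - timedelta(hours=lookback_hours)
    hits = []
    for ts, host, path, signature in av_log:
        name = basename(path.replace("\\", "/")).lower()  # tolerate Windows paths on any platform
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in DOC_EXTS and THREAT_RE.search(signature) and datetime.fromisoformat(ts) >= cutoff:
            hits.append({"time": ts, "host": host, "file": name, "signature": signature})
    return hits

def enrich(hits, mail_log, internal_terms):
    """Join each hit to mail-gateway attachment names and flag company/project-specific file names."""
    by_name = {}
    for ts, sender, rcpt, attachment in mail_log:
        by_name.setdefault(attachment.lower(), []).append({"time": ts, "from": sender, "to": rcpt})
    for hit in hits:
        hit["mail"] = by_name.get(hit["file"], [])
        hit["targeted"] = any(term in hit["file"] for term in internal_terms)
    return hits

if __name__ == "__main__":
    for hit in enrich(document_detections(AV_LOG, NOW), MAIL_LOG, INTERNAL_TERMS):
        print(hit)
```

With the default 72-hour window the late-reported agenda.doc detection is missed; widening the window (for example to two weeks) picks it up, which is the point about not looking only at "current events".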
Tom Chmielarski is Practice Lead within the RSA Advanced Cyber Defense Practice serving the Americas. Tom has over 15 years of IT experience, primarily in security, spanning operations, incident response, malware, forensics, data analysis, and strategy. He has experience in the Defense, Industrial Controls, and Electronics manufacturing sectors. He is a subject matter expert in incident response, security monitoring, forensics, malware, and data analysis.