Saturday, July 11, 2015

Just thinking out loud…

Over at the dude ranch there has been a growing string of ransomware infections. (Hence the ongoing GSD posting of ransomware/crypto-whatever threat analysis posts.)

Good news is that (in most cases) our end-user data backup routines are pretty good, so we can usually restore their data, give or take a few days back in time.

Bad news is that the current organizational IR plan seems to be: detect (post-infection or customer help desk call), grab a canned report, wipe/reimage the system, then restore the user’s files after additional off-line scan checks.

I keep slapping my face with a prickly pear pad, as (granted, based on my limited view from horseback afield and not being in the ranch-house proper) there doesn’t seem to be a clear effort to do real, structured, system/user-level incident response to determine the actual vector of infection(s): was it a Flash Player exploit? Malvertising? An email attachment? A breach in the fence? What is it about our application levels or security posture that keeps letting these things through and letting them execute?

If such data is being collected and analyzed, the information isn’t leaking down to us working the herd.

Anyway…moving on…

What spurred this post is this SANS ISC Diary post from Didier Stevens.

So I dug up these KBs from Symantec that provide additional info on their SymHelp tool, the Threat Analysis scan, sending a suspicious file, and reading SymHelp’s SDBZ file content on a different system than the infected one.

Ok. Back into the cacti.

--Claus Valca