SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Software and systems complexity can have a profound impact on information security. Such complexity is imposed not only by the technical challenges of monitoring heterogeneous and dynamic network infrastructures (changing IP and VLAN assignments), but also by advances in exploits and malware distribution mechanisms driven by the underground economy. In addition, operational business constraints (disruptions and their consequences, manpower, and end-user satisfaction) increase the complexity of the problem domain within which security analysts must operate. This is particularly evident when implementing effective and timely response measures to malware infections while minimizing the risk to the business. A simple question becomes particularly pertinent in such complex environments: what response actions must be taken to eradicate malware infections while maintaining a high operational profile and a low risk profile? The need for an answer stems from the absence of predefined and pre-correlated knowledge of the environment and of malware behaviors. Without such knowledge, isolating, analyzing, and responding to incidents at the time of infection becomes increasingly difficult, especially when the incident involves aggressive malware specimens that exhibit behaviors such as network propagation, acting as a spambot, or seeking data exfiltration. In such cases it is critical to respond to the incident before serious consequences to the business occur. The faster the compromise is detected and responded to, the more effectively it can be controlled and the less impact it will have.

For this purpose, a methodological framework for responding to malware incidents is proposed. At its core, the framework focuses on minimizing the Detection-To-Response (DTR) process and time frames. The foundations upon which the framework is built are pre-correlated contextual knowledge about the monitored network and a pre-built malware analysis knowledgebase. This allows the framework to systematically and dynamically automate network actions that isolate infected hosts as early as detection. At the same time, the collected multidimensional knowledge is presented to the analyst to aid the investigation and response phases. Ultimately, the early automation of response actions and the reduced response time frames preserve the continuity of operations as well as the fidelity of the relationship with end users. To demonstrate the efficacy of such a framework, two case studies are presented that evaluate the proposed framework in responding to malware incidents.
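The following is an added illustration of the detection-to-response logic the abstract describes, not code from the paper or from SANS: a detection is correlated against a pre-correlated network context (IP, VLAN, host role) and a pre-built malware knowledgebase, aggressive behaviors (network propagation, spambot, data exfiltration) trigger automated isolation of workstations, servers and unknown hosts are held for analyst review, and the DTR time is recorded. The quarantine VLAN id, the host roles, the malware families and all alerts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Pre-correlated network context (constructed sample; in practice fed from the
# DHCP/VLAN inventory of the monitored network).
NETWORK_CONTEXT = {
    "10.1.20.15": {"hostname": "ws-finance-07", "vlan": 20, "role": "workstation"},
    "10.1.10.5": {"hostname": "fs-01", "vlan": 10, "role": "file_server"},
}
# Pre-built malware analysis knowledgebase (constructed): family -> observed behaviours.
MALWARE_KB = {
    "worm.alpha": {"network_propagation", "persistence"},
    "bot.beta": {"spambot", "c2_beacon"},
    "stealer.gamma": {"data_exfiltration", "credential_theft"},
    "adware.delta": {"browser_hijack"},
}
# Behaviours the abstract calls aggressive: they justify isolating without waiting for an analyst.
AGGRESSIVE = {"network_propagation", "spambot", "data_exfiltration"}
QUARANTINE_VLAN = 999  # assumed id of the quarantine VLAN

@dataclass
class Response:
    host: str
    action: str         # "isolate", "review" or "unknown_host"
    reasons: list       # aggressive behaviours that drove the decision
    context: dict       # host context after the response (VLAN changed if isolated)
    dtr_seconds: float  # detection-to-response time

def respond(alert: dict, now: datetime) -> Response:
    """Correlate one detection with the context and malware KB and choose a response."""
    ctx = NETWORK_CONTEXT.get(alert["ip"])
    hits = sorted(MALWARE_KB.get(alert["family"], set()) & AGGRESSIVE)
    if ctx is None:
        action = "unknown_host"   # no pre-correlated knowledge: an analyst must look first
    elif hits and ctx["role"] == "workstation":
        action = "isolate"        # automated: move the host to the quarantine VLAN
        ctx = {**ctx, "vlan": QUARANTINE_VLAN}
    else:
        action = "review"         # non-aggressive family, or a server where isolation disrupts operations
    return Response(alert["ip"], action, hits, ctx or {}, (now - alert["detected_at"]).total_seconds())

T0 = datetime(2024, 5, 1, 9, 0, 0)  # constructed detection clock
SAMPLE_ALERTS = [  # constructed detections
    {"ip": "10.1.20.15", "family": "worm.alpha", "detected_at": T0},
    {"ip": "10.1.10.5", "family": "stealer.gamma", "detected_at": T0},
    {"ip": "10.1.20.15", "family": "adware.delta", "detected_at": T0},
    {"ip": "10.9.9.9", "family": "bot.beta", "detected_at": T0},
]

def run_sample(seconds_to_act: float = 2.0) -> list:
    """Process the sample alerts with a fixed response latency and return the Response records."""
    now = T0 + timedelta(seconds=seconds_to_act)
    return [respond(a, now) for a in SAMPLE_ALERTS]
```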