Help! I Think I’ve Been Hit with Malware · 2016-07-04 · SYMANTEC VISION 2013 Preparing for the...
Help! I Think I’ve Been Hit with Malware
Todd Fitkin, Leader, America’s Security Response Liaisons
Kari Ann Christensen, Product Marketing Manager, Endpoint Protection
SYMANTEC VISION 2013
Why do we need this discussion?
If 2007 Threats = 1 Pint of Beer
– 2007: SEP 11 released
– Yearly: < 500,000 worldwide threats

2011 Threats = 8 Kegs
– 2011: SEP 12 released
– Daily: 500,000 threats by lunch
Best Practices
1. Prepare
2. Planned Response
3. Defined Process
4. Manage Expectations
5. Prioritize
Preparing for the Inevitable
– Incident Response: Review or prepare a plan for each team and ORG
– Inside Teams: Review your list of teams to involve and their contact information (update DLs, emergency phone numbers)
– Outside Teams: Be prepared to take actions that may involve teams outside the AV group in your company
– Protection Technologies: Review installed/available protection technologies

Layered Protection: Beyond Antivirus
Symantec Endpoint Protection 12 defends against known and unknown threats
• Network IDS
• Boundary Firewall
• Verify All Machines Are Protected

Preparing for the Inevitable (continued)
– Relevant: Know what data you need when contacting your security partners
Three Main Inquiries
• Am I protected from X?
• Infected? Can’t find it.
• Outbreak. What do I do?
Does Symantec know about X threat, and am I protected?
The same threat carries a different name at each vendor; the names below all refer to one family:
• Worm.Win32.VBNA.b
• Trj/CI.A
• W32.Changeup
• W32/Autorun.worm.aaeh
• W32/VBNA-X
• Win32/Vobfus.MD

I think I have a Threat but I can’t detect or find it
Steps for Troubleshooting a Suspected Threat
1. ID Threat
2. ID Infected Computers
3. Quarantine Network
4. Clean Infection
5. Post Op
SymHelp – Load Point Tool (tool screenshots)
Steps for Troubleshooting a Known Threat
1. ID Threat
2. ID Infected Computers
3. Quarantine Network
4. Clean Infection
5. Post Op
I’m in an Outbreak, what do I do?
W32.Changeup
– Very successful threat due to open shares, mixed AV versions, no AV and AutoPlay
– Does not rely on vulnerabilities to propagate
– Downloads repacked variants once a day
– One of three pieces of this attack. Each piece can download others

W32.Changeup: New Cases per Day (chart)
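A per-host audit of the Changeup enablers the slide names (AutoPlay, open shares, no AV), added here as an example and not taken from the deck or from Symantec; it assumes the SEP 12 client runs as the Windows service SepMasterService and reads the AutoRun policy from NoDriveTypeAutoRun. The "mixed AV versions" item needs the SEPM client inventory and is not covered.

```powershell
# Added example (not Symantec's code): audit one Windows host for the
# W32.Changeup enablers named on the slide: AutoPlay, open shares, no AV.
# Assumptions: SEP 12 client service is "SepMasterService"; AutoRun policy is
# NoDriveTypeAutoRun, where 0xFF disables AutoRun on all drive types.
# Needs Windows 8 / Server 2012 or later for the SmbShare cmdlets.

function Test-ChangeupEnablers {
    $findings = @()

    # 1. AutoPlay/AutoRun: anything other than 0xFF leaves some drive type enabled.
    $polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autoRun = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $autoRun) {
        $findings += 'AutoRun policy NoDriveTypeAutoRun is not set (Windows default applies)'
    } elseif ($autoRun -ne 0xFF) {
        $findings += ('AutoRun only partly disabled (NoDriveTypeAutoRun = 0x{0:X2})' -f $autoRun)
    }

    # 2. Open shares: user-created shares (not C$, ADMIN$, IPC$) that allow Everyone.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        $open = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        foreach ($ace in $open) {
            $findings += ("Share '{0}' ({1}) grants Everyone {2}" -f $share.Name, $share.Path, $ace.AccessRight)
        }
    }

    # 3. No AV: SEP client service missing, or present but not running.
    $sep = Get-Service -Name 'SepMasterService' -ErrorAction SilentlyContinue
    if (-not $sep) {
        $findings += 'SEP client service not found: host is unprotected'
    } elseif ($sep.Status -ne 'Running') {
        $findings += "SEP client service installed but $($sep.Status)"
    }

    # Unary comma keeps an empty result as an array rather than $null.
    return ,$findings
}

$result = Test-ChangeupEnablers
if ($result.Count -eq 0) { 'No Changeup enablers found on this host' } else { $result }
```

Run it elevated on each suspect host (or through your remoting tooling) and feed non-empty results into the "Locate unprotected machines and install AV" step of the quarantine checklist.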
Expedite the Support Process
Call Support
– Severity 1 case for outbreaks
– Submit a sample
Duty Manager
– If the issue appears stalled, call and ask for a Duty Manager!
– For both internal and external callers
Key words
– Outbreak
– Breach
– Escalate
In Case of a Breach… Strategic Partners
• Security Intelligence: Technical Assessments; GIN - Custom Security Report; Quick Look, Fintel
• Symantec Security Portfolio: Products and solutions; DeepSight and MSS
• Cyber Incident Response: Forensics; Crisis Management; Public Relations; Security Consulting
Best Practices
1. Prepare: Preparation = quicker resolution
2. Planned Response: Prior to an emergency, plan how you will respond
3. Defined Process: Follow a process from identify to remediation
4. Manage Expectations: It may affect users and be time consuming
5. Prioritize: Clarify the impact and the urgency
Thank you!
Todd Fitkin
Kari Ann Christensen
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Appendix
• Best Practices for Troubleshooting Viruses on a Network
• Using Application and Device Control in Symantec Endpoint Protection (SEP) to block activity in common loading points for threats
• How to create custom policies in SEPM to prevent a threat from spreading.
• SymHelp Tool
• Norton Power Eraser
Symantec Endpoint Protection Training Offerings
To make sure that your team can get the most from your purchase of Endpoint Protection, Symantec Education provides training on
• Installing, Configuring, Monitoring, and Managing Endpoint Protection
• Using SNAC and SPC
• Guarding against hackers and viruses
Symantec Education can help your team get the most from your security investment and trains you on optimizing the antivirus solution for both virtual and physical environments.
• For more information on Endpoint Protection training offerings, visit: http://go.symantec.com/education_sep
Endpoint Protection education is available as a prepackaged training bundle that maximizes proficiency, and you can gain industry-recognized expertise through the Symantec Certification Program. The bundle includes:
• Instructor-led training
• On-demand instructor-led training (via video)
• Symantec eLibrary subscription (includes extensive training on SNAC and SPC)
• Certification voucher
For more information, please contact your local Symantec Education office.

Symantec Education for Symantec Endpoint Protection
Training Credits
• Credits can be used on most training offerings.
• Volume discount
• Allows access to training across Symantec products.
eLibrary
• On-demand format allows for anytime, anywhere training.
• Annual subscription offering for SMB customers. This extensive collection of short, on-demand modules describes how the product improves your productivity, saves you time and saves your business money.
Endpoint Protection Tech Center
• Special Offer: FREE training modules are available via the Symantec Endpoint Protection Tech Center.
Symantec Education Services offers a full portfolio of training offerings in support of Symantec Endpoint Protection.
Learn more: http://go.symantec.com/education_sep.
For more information, please contact your local Symantec Education office.
Steps for Troubleshooting a Suspected Threat: ID Threat (Customer / Symantec actions)
Customer:
– Locate suspect machine(s)
– Run Load Point tool (SymHelp)
– Submit sample to Symantec
– Submit sample to Threat Expert
– Full system scan with Rapid Release
– Call Symantec Support
Symantec:
– Why is a threat suspected?
– Determine priority/impact of incident
– Review Load Point Logs
– Prioritize submission(s)
– Notate threat name if possible
– Create Plan of Action

Steps for Troubleshooting a Known Threat: ID Threat
Customer:
– Run Load Point tool (SymHelp)
– Submit sample to Symantec
– Submit sample to Threat Expert
– Full system scan with Rapid Release
– Call Symantec Support
Symantec:
– Why is a threat suspected?
– Determine priority/impact of incident
– Request submission if one has not been made
– Review Load Point Logs
– Create Plan of Action

Steps for Troubleshooting a Threat: ID Infected Computers
Customer:
– Download/install correct definitions
– Deploy definitions to network
– Run scans
– Review Threat Expert data
– Review perimeter firewall logs
Symantec:
– Review SEP configuration
– Review threat report/info
– Review threat potential
– Work with customer on a POA for containment

Steps for Troubleshooting a Threat: Quarantine Network
Customer:
– If possible, physically remove infected systems
– If network aware, enable Network AP
– Create a VLAN/restricted network for infected systems
– Create SEPM client group for infected systems
– Locate unprotected machines and install AV
Symantec:
– Determine “what’s important right now”
– Review threat behavior
– Recommendations on what activity to block
– Provide updates of detection/analysis info

Steps for Troubleshooting a Threat: Clean Infection
Customer:
– Assess cost effectiveness to “start from scratch”
– Assess if a system scan removes threat
– Assess system changes
– Be prepared to reboot infected systems
– Assess when it is safe to claim a system is clean
– Determine best clean-up method
Symantec:
– Help determine best clean-up method
– Help assessments if possible
– Monitor for term “re-infected” and research claims
– Continue to ask questions and review logs/progress
– Keep focus on the threat(s) and remediation

Steps for Troubleshooting a Threat: Post Op
Customer:
– Locate entry point
– Assess how to close entry point and close if possible
– Review event and teams involved
Symantec:
– Prepare for non-technical questions
– Review case timeline