So, you’re a sysadmin, and you get a call from that friend and co-worker…we all know that our buddies don’t call the helpdesk, right?
This person sheepishly admits that they got an email that, in hindsight, looked a bit suspicious. It had an attachment…and they clicked.
Yikes. Now what?
Well, since you’re an EXCELLENT sysadmin, and you work for the best company ever, you’ve done a few things to make sure you’re ready for this day…
- The company has had a business impact analysis, so all of the relevant policies and procedures are in place.
- Your backups are in place, offsite, and you know you can restore them with a modicum of effort – and because you’ve done baselines, you know how long it will take to restore.
- Your team has been doing incident response tabletops, so all of the IR processes are documented and up-to-date. And you set it up to be a good time, so they were fully engaged in the process.
But now, one of your people has clicked…now what, indeed?
- Pull. The. Plug. Disconnect that system from the network. If it’s hard wired, yank the cord. If it’s on a wifi network, kick it off, and take down the whole wifi network if that’s feasible. (If your endpoint tooling has a network-isolation mode that keeps only the agent’s own connection alive, that works too, and it preserves your ability to investigate remotely.) The productivity you’ll lose is outweighed by what you gain if you stop lateral spread of the infection.
- Pull any devices – external hard drives, USB sticks, etc.
- DO NOT power the system off – not yet! If you need to do forensics, live system memory is important: running processes, open network connections, injected code and sometimes encryption keys are all lost the moment the box shuts down. If you have memory-capture tooling, use it before anyone powers the system down.
Now you can breathe, but just for a minute. This is the time to act with strategy as well as haste. Establish whether you’ve got a virus or ransomware infection, or whether the ill-advised click was on an attachment of another nature.
If it’s spam, but not malicious:
- Check the message trace in your email administration portal and see whether the same email was delivered to other users. Notify them as necessary.
- Evaluate key features of the email – are there changes you should make to your blocking and filtering? Start that process.
- Parse and evaluate the email headers for IPs and/or domains that should be blocked. Trust only the Received headers added by your own mail servers; everything below them in the chain was written by the sender and can be forged. Then see if there are indicators of other emails with these parameters that were blocked or delivered.
- Add the scenario of this email to your user education program for future educational use.
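The header triage described in the steps above, as an added example that is not part of the original post. It parses a constructed sample message (the `mx.corp.test` / `invoices-dept.test` names and the `SAMPLE_EML` content are invented for illustration) with the standard library, pulls the sender IP from the hop your own MX recorded, compares the From, Reply-To and Return-Path domains, and reads the SPF/DKIM verdict. The helper names are hypothetical.

```python
"""Header triage for a suspect message: which IP our own mail server saw the
message arrive from, whose domains appear in From / Reply-To / Return-Path,
and what SPF/DKIM said about it. Hypothetical helper names; standard library only."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real delivery). The first Received header is the
# hop written by our own MX (mx.corp.test); the one below it came with the
# message and could say anything the sender wanted.
SAMPLE_EML = """\
Received: from relay.bulk-sender.test (unknown [198.51.100.7])
    by mx.corp.test with ESMTPS id 4ab1c2; Mon, 1 Jan 2024 09:00:00 +0000
Received: from [10.0.0.5] (helo=desktop) by relay.bulk-sender.test;
    Mon, 1 Jan 2024 08:59:58 +0000
Authentication-Results: mx.corp.test; spf=fail smtp.mailfrom=invoices-dept.test; dkim=none
Return-Path: <billing@invoices-dept.test>
From: "Accounts Payable" <ap@corp.test>
Reply-To: <collect@invoices-dept.test>
To: <user@corp.test>
Subject: Overdue invoice attached

Please see the attached invoice.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """(claimed host, IP) for every Received header, most recent hop first.
    Only hops written by servers you control are trustworthy."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        hdr = " ".join(hdr.split())          # unfold continuation lines
        host = re.match(r"from (\S+)", hdr)
        ip = IPV4.search(hdr)
        hops.append((host.group(1) if host else None,
                     ip.group(1) if ip else None))
    return hops


def sender_domains(raw):
    """Domain of the visible From, the Reply-To and the envelope Return-Path."""
    msg = message_from_string(raw)
    out = {}
    for field in ("From", "Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(field, ""))
        if "@" in addr:
            out[field] = addr.rsplit("@", 1)[1].lower()
    return out


def auth_verdicts(raw):
    """spf=/dkim=/dmarc= results recorded by our MX in Authentication-Results."""
    ar = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))


def triage(raw):
    """Human-readable findings: what to block, what to search for, why it smells."""
    hops, doms, verdicts = received_hops(raw), sender_domains(raw), auth_verdicts(raw)
    findings = []
    if hops and hops[0][1]:
        findings.append(f"block/search sender IP {hops[0][1]} (claimed {hops[0][0]})")
    for field in ("Reply-To", "Return-Path"):
        if "From" in doms and field in doms and doms[field] != doms["From"]:
            findings.append(f"{field} domain {doms[field]} differs from From domain {doms['From']}")
    if verdicts.get("spf") in ("fail", "softfail") or verdicts.get("dkim") in ("fail", "none"):
        findings.append(f"sender authentication weak: {verdicts}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print(line)
```

The IP worth blocking and searching for is the one in the topmost hop, because your own MX wrote it; the `10.0.0.5` in the second hop is just what the sender’s relay claimed. The Reply-To and Return-Path mismatch against the spoofed internal From address is the pattern to add to your filtering and to your user-education scenario.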
If it’s a real infection, full forensics is beyond the scope of this blog post. But we’ll give a few pointers to get you started.
If it’s a virus, but not ransomware:
- If the file that was delivered is still accessible, use VirusTotal and similar sites to see if it’s known to be malicious. Check the hash first; uploading the file itself shares it with other VirusTotal users, which matters if the attachment could contain company data.
- Consider a full wipe of the affected system, as opposed to attempting a virus removal – unless removal is 100% successful, reinfection is likely.
- All drives or devices – network, USB, etc. – that were connected to the system should be suspect. Discard those you can, clean network drives or restore from backup.
- Evaluate the end user account – did the attacker have time to elevate privileges, or to use the account’s existing rights elsewhere? Check for any newly created accounts and new group memberships as well.
- Check system and firewall logs for traffic to and from the affected system, as well as any ancillary systems.
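The attachment fingerprinting from the first bullet above, as an added example that is not from the original post. It computes the hashes you would search VirusTotal for (the hash lookup keeps the file off the site), and checks the leading bytes against the claimed extension, since an “invoice.pdf” that begins with a PE header is the classic case. The sample bytes and file name are constructed, and the helper names are hypothetical.

```python
"""Fingerprint a suspect attachment before anyone else touches it: hashes for
a VirusTotal lookup (query the hash first; uploading the file itself shares it
with other VirusTotal users, which matters if the attachment may hold company
data), and a magic-byte check so an 'invoice.pdf' that is really an executable
or an Office document stands out. Hypothetical helper names; standard library only."""
import hashlib
import os

# Constructed stand-in for the attachment (not real malware): a file named like
# a PDF whose content starts with a DOS/PE executable header.
SAMPLE_NAME = "invoice.pdf"
SAMPLE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"

# (leading bytes, content kind, extensions that legitimately carry it)
MAGIC = [
    (b"MZ", "pe", {".exe", ".dll", ".scr", ".com"}),
    (b"%PDF", "pdf", {".pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt", ".msg"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"\x7fELF", "elf", set()),
]


def hashes(data):
    """MD5/SHA-1/SHA-256 of the bytes; SHA-256 is what to search VirusTotal for."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def detect_type(data):
    """Content kind from the leading bytes, ignoring the file name entirely."""
    for magic, kind, _ in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_matches(name, kind):
    """True/False if the extension agrees with the detected content; None if unknown."""
    ext = os.path.splitext(name)[1].lower()
    for _, k, exts in MAGIC:
        if k == kind:
            return ext in exts
    return None


def vt_lookup_url(sha256):
    """Web UI page for an existing VirusTotal report on this hash (no upload)."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def triage(name, data):
    """Everything you want in the ticket before the file goes anywhere."""
    h = hashes(data)
    kind = detect_type(data)
    return {
        "name": name,
        "type": kind,
        "extension_matches": extension_matches(name, kind),
        "vt_url": vt_lookup_url(h["sha256"]),
        **h,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NAME, SAMPLE_BYTES).items():
        print(f"{key:18} {value}")
```

Record all three hashes: MD5 and SHA-1 still turn up in older threat-intel feeds and vendor write-ups, while SHA-256 is what current services key on.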
If it’s ransomware:
- Determine what kind of ransomware you are dealing with – the ransom note and the extension added to encrypted files usually identify the family.
- Determine the scope of the infection – ancillary devices, network shares, etc.
- Check to see if a decrypt tool is available (the No More Ransom project collects them) – be aware these are not always successful.
- Paying the ransom, or not, is a business decision – payment does not guarantee a working decryptor, and the files may stay encrypted. It can also have legal and insurance implications. Address this in your IR plan, so the company policy is defined ahead of time.
- Restore files from backup – after confirming the backups themselves weren’t reachable from the infected system and encrypted along with everything else.
- Strongly consider a full wipe of the system, even if the files are decrypted.
- Evaluate the end user account – did the attacker have time to elevate privileges, or to use the account’s existing rights elsewhere? Check for any newly created accounts and new group memberships as well.
- Check system and firewall logs for traffic to and from the affected system, as well as any ancillary systems.
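The account and log review in the last two bullets of both the virus and ransomware lists, as an added example that is not part of the original post. It runs over constructed firewall records and constructed account events (the `key=value` layout, the host `WS023`, the address `10.10.5.23` and the account `svc_backup2` are invented; the Windows Security event IDs 4720, 4728/4732, 4672 and 4624 are the real ones) to list the external peers the affected host talked to, the internal hosts it reached on admin ports, and any account created or elevated on it after the click. Helper names are hypothetical.

```python
"""Post-click log sweep for one affected host: which external peers it talked
to (candidate C2 / exfil), which internal hosts it reached on admin or file-
sharing ports (the 'ancillary systems' to check next), and whether any account
was created or elevated on it after the click. Log formats and helper names
are constructed for this example; map them onto your own firewall and Windows
Security log fields."""
import ipaddress
import re

# Constructed key=value firewall records (not from a real device).
FW_LOG = """\
2024-01-01T09:01:12Z action=allow src=10.10.5.23 dst=10.10.5.40 dport=445 proto=tcp
2024-01-01T09:01:15Z action=allow src=10.10.5.23 dst=203.0.113.9 dport=443 proto=tcp
2024-01-01T09:01:16Z action=deny src=10.10.5.23 dst=198.51.100.77 dport=4444 proto=tcp
2024-01-01T09:02:01Z action=allow src=10.10.5.23 dst=10.10.5.41 dport=445 proto=tcp
2024-01-01T09:02:30Z action=allow src=10.10.5.77 dst=10.10.5.40 dport=445 proto=tcp
2024-01-01T09:03:00Z action=allow src=203.0.113.9 dst=10.10.5.23 dport=51022 proto=tcp
"""

# Constructed account events, flattened from the Windows Security log. The
# event IDs are the real ones: 4720 user account created, 4732 member added
# to a local group, 4672 special privileges assigned at logon, 4624 logon.
EVENTS = """\
2024-01-01T08:30:00Z host=WS023 event_id=4624 subject=CORP\\jdoe
2024-01-01T09:01:40Z host=WS023 event_id=4720 subject=CORP\\jdoe target=svc_backup2
2024-01-01T09:01:41Z host=WS023 event_id=4732 subject=CORP\\jdoe group=Administrators member=svc_backup2
2024-01-01T09:01:50Z host=WS023 event_id=4672 subject=svc_backup2
"""

# Adjust to your own address plan; RFC 1918 is only the usual starting point.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {"445", "3389", "5985", "5986", "22", "135"}


def parse_kv(line):
    """'<timestamp> k=v k=v ...' -> dict, timestamp under 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(re.findall(r"(\w+)=(\S+)", rest))
    rec["ts"] = ts
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def flows_for_host(fw_log, host_ip):
    """Split the host's flows into (external, lateral) by where the peer lives.
    Denied flows are kept: a blocked connect to port 4444 is still a lead."""
    external, lateral = [], []
    for line in fw_log.splitlines():
        rec = parse_kv(line)
        if host_ip not in (rec["src"], rec["dst"]):
            continue
        peer = rec["dst"] if rec["src"] == host_ip else rec["src"]
        (lateral if is_internal(peer) else external).append(rec)
    return external, lateral


def lateral_targets(lateral, host_ip, ports=ADMIN_PORTS):
    """Internal hosts the affected machine reached on admin/file-sharing ports."""
    return sorted({r["dst"] for r in lateral if r["src"] == host_ip and r["dport"] in ports})


def account_findings(events, host, since):
    """Accounts created, added to Administrators, or granted special privileges
    on the host at or after `since` (ISO timestamps compare as strings)."""
    findings = []
    for line in events.splitlines():
        rec = parse_kv(line)
        if rec["host"] != host or rec["ts"] < since:
            continue
        eid = rec["event_id"]
        if eid == "4720":
            findings.append(("account_created", rec["target"], rec["ts"]))
        elif eid in ("4728", "4732") and rec.get("group") == "Administrators":
            findings.append(("added_to_admins", rec["member"], rec["ts"]))
        elif eid == "4672":
            findings.append(("special_privileges", rec["subject"], rec["ts"]))
    return findings


if __name__ == "__main__":
    ext, lat = flows_for_host(FW_LOG, "10.10.5.23")
    print("external peers:", sorted({r["dst"] if r["src"] == "10.10.5.23" else r["src"] for r in ext}))
    print("check next (lateral):", lateral_targets(lat, "10.10.5.23"))
    for finding in account_findings(EVENTS, "WS023", "2024-01-01T09:00:00Z"):
        print("account:", finding)
```

Every internal host that comes back from `lateral_targets` goes onto the list of ancillary systems whose own logs get the same sweep, and the external peers are what you search the rest of the firewall logs for, since another host talking to the same address is your next incident.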
In all cases, go back and map the attack vector. How did the suspect attachment get in, and how can you prevent it going forward?
What are your thoughts? I’d love to hear from you – lwallace@microsolved.com, or @TheTokenFemale on Twitter!