It began as a normal workday in the IT support department. The number of help desk incidents was running low, and all of the primary applications were running without critical issues.
I was refilling my coffee when one of the first-line PC support technicians called me over to look at a computer he was working on for an end user. I had done some training with the technical support staff on recognizing indicators of compromise a few months ago, and it was about to pay off in a big way.
He told me that the user had complained that Internet Explorer randomly crashed when browsing the web. It didn't matter what site he visited, and he had removed all of the plug-ins without success.
We launched taskman.exe and found that iexplore.exe was running in multiple instances, even though there were no interactive sessions on the desktop. The support technician had run the typical antivirus scan with no results, and had looked for typical spyware infections, including toolbars and other adware. He remembered that multiple iexplore.exe sessions could be an indicator of compromise from our earlier training, and he thought that the security team should investigate.
It turned out that he was correct, and that this machine had been infected through an Adobe Flash vulnerability. A rootkit was left behind, and our security team was able to isolate the malware and identify the command-and-control (C&C) servers. They worked to determine the extent of data exfiltration and turned the report over to law enforcement, who eventually shut down the C&C servers we discovered.
By using forensic techniques on the malware data files, they eventually discovered that no data had been exfiltrated. There was no data breach, and the organization was able to assist in shutting down part of a botnet. That is the definition of a good day in information security by anyone's standards.
The importance of cybersecurity training programs
The primary reason for the success of this intrusion response was how early it was identified by the front-line IT support staff. Had the technician just relied on the typical steps, like the standard antivirus scan or telling the user to turn it off and on again, this could have been a damaging security breach to the organization. The deciding factor in this intrusion response was that he knew what to look for from the simple training that had been provided earlier.
Information security teams need to reach out to resources from other departments within IT to act as force multipliers to be more effective. Training the front-line IT support staff can have immeasurable returns and can reduce the number of false positives that are often turned over to information security for investigation.
This type of training does not have to include full-on forensic investigation techniques, but it should include how to use the basic tools within Windows to determine if a problem should be escalated for further review. It should also include basic guidelines for handling and preserving evidence once a threat has been identified.
Developing a training program for intrusion response can be a time-consuming process, and it may seem daunting to the already overworked security team. However, there are excellent cheat sheets available at SANS for free that can be used to get a jump start on the training program, and to serve as references for front-line support staff after training. These cheat sheets cover the majority of built-in command line tools that can look for indications of compromise on both Windows and Linux machines.
The advantage of using built-in tools is that they are already installed, and they will preserve the state of the computer being investigated. The cheat sheets also reference the free tools available from Sysinternals, which do not need to be installed and can be helpful in finding malware on a Windows PC.
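As an added illustration (not part of the original article or of the cheat sheets it mentions), the sketch below applies the indicator from the story to the output of the built-in tasklist /v /fo csv command: browser processes that are running while none of them owns a visible window. The sample output is constructed, the function name is hypothetical, and the check assumes tasklist was run in the affected user's own logon session.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tasklist /v /fo csv` output (not data from the incident).
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","2104","Console","1","48,212 K","Running","CORP\jdoe","0:00:14","N/A"
"notepad.exe","3320","Console","1","6,140 K","Running","CORP\jdoe","0:00:00","Untitled - Notepad"
"iexplore.exe","4012","Console","1","31,556 K","Running","CORP\jdoe","0:00:41","N/A"
"iexplore.exe","4188","Console","1","27,904 K","Running","CORP\jdoe","0:00:12","N/A"
"iexplore.exe","4260","Console","1","22,380 K","Unknown","CORP\jdoe","0:00:07","N/A"
'''


def windowless_instances(tasklist_csv, images=("iexplore.exe",)):
    """Return {image: [PIDs]} for watched images that are running although
    none of their instances reports a window title.

    Assumption: the capture was taken in the affected user's session, because
    tasklist reports "N/A" for windows it cannot see from another session.
    A hit is a reason to escalate, not proof of compromise.
    """
    watch = {name.lower() for name in images}
    by_image = defaultdict(list)
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"].lower()
        if name in watch:
            by_image[name].append(row)

    findings = {}
    for name, rows in by_image.items():
        # A multi-process browser has helper processes without a title, so
        # only flag the image when no instance at all owns a visible window.
        has_window = any(r["Window Title"] not in ("N/A", "") for r in rows)
        if not has_window:
            findings[name] = sorted(int(r["PID"]) for r in rows)
    return findings


if __name__ == "__main__":
    for image, pids in windowless_instances(SAMPLE).items():
        print(f"ESCALATE: {len(pids)} x {image} with no visible window, PIDs {pids}")
```

Recording the flagged PIDs in the ticket gives the security team a starting point without changing anything on the machine.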
The time spent to develop the training program will have an immediate payback. The front-line support staff will be able to integrate the tools and general Windows knowledge to better support their users from a maintenance perspective, as well as with intrusion response. They will be able to make better decisions about when to escalate calls for further forensic investigation. They may even become interested in information security as a career, and train to become a member of the security team in the future.