Investigating Cyber Incidents Using the Security Stack - VMRay


Dec 17th 2021


By Kenneth Vignali, Incident Response Expert


As a seasoned digital forensic and incident responder, I have come to appreciate the value of certain logs from parts of an organization’s security stack. Before investigating any cyber incident, it is critical to ensure that each device and solution is capturing the right logs. Just as a doctor needs to assess your entire cardiovascular system to rule out other root causes that could have contributed to a heart attack, an investigator needs the whole picture, not a single log source.

A Typical Security Architecture

Without getting overly complicated, an organization’s typical security architecture includes the following:

  • Firewalls
  • Routers
  • Switches
  • Email filtering and security solutions
  • Endpoint security solutions
  • Web proxy and filtering solutions
  • Server security and audit logging
  • Intrusion prevention and detection devices

Malicious Emails

Now, we could get very deep into the weeds with the different security platforms in an environment, but for the purposes of this exercise in investigating an incident, we will focus on a malicious email with an attachment that contained malware. The key data points we will need from the security stack are the web proxy logs, the firewall logs, the email filtering solution's logs, and potentially the endpoint security logs, if it caught the malware.

The Example of Emotet

Threat actors love sending malicious emails: they simply work in many cases, and they are highly lucrative once a user responds or, in this case, clicks on the malicious attachment. In this review, we will walk through CSIRT activities using the example of Emotet malware infections that get into networks via malicious emails. Security Magazine ranked Emotet as #6 of the Top 10 Malware in September 2020.

When Emotet was becoming a major threat, my security team was unable to adequately lock down the company’s email security solution at the time because it was incapable of stopping these threats. Once a user received a malicious email, we discovered that after they opened the malicious Word document and enabled macros, it would begin downloading other malware, which at the time included banking trojans. Many endpoint security solutions were not capable of detecting this threat. Most of the time, we would detect this activity through the intrusion detection servers located at the perimeter of the network. As with the doctor example, our security teams frequently catch things through the combination of several log sources that together tell a story: an unusual amount of data being sent out, or an endpoint communicating outbound to a malicious IP address and/or domain. At that point the incident response team knows the computer is infected, but the data cannot leave the company because it is being blocked by our intrusion prevention devices.

Armed with this knowledge, we then look at the endpoint and scan it with additional tools, looking for other signs of compromise. If the anti-virus did not detect it, another solution might. We can also take the original email and capture the attachment so we can study the malware and extract additional indicators and behaviors from it, which we then use to create additional rules for our security stack to detect and prevent it going forward.
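To show what "several log sources that together tell a story" looks like in practice, here is an added example (not VMRay's code, and not the author's tooling) that correlates constructed log lines from an email filter, a web proxy, a firewall and an IDS into a single per-host timeline, judges whether the outbound traffic was contained, and collects the indicators that would feed back into each control. The key=value log formats, the asset inventory, the allowlist, the addresses and the domains are all constructed for this example and do not describe any real product.

```python
"""
Added example (not VMRay's code): correlate constructed log lines from four
parts of a security stack (email filter, web proxy, firewall, IDS) into one
per-host timeline, then pull out the indicators a responder would feed back
into the stack. Log formats, hostnames, addresses and domains are all
constructed for this example and do not describe any real product.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

# --- constructed sample logs (fictional key=value formats) -----------------
EMAIL_LOG = """\
2021-11-02T08:14:05Z mailgw msgid=<a1@example.test> from=invoice@partner-billing.test to=jsmith@corp.test attachment=Invoice_1192.doc verdict=delivered
2021-11-02T08:20:41Z mailgw msgid=<b7@example.test> from=hr@corp.test to=jsmith@corp.test attachment=benefits.pdf verdict=delivered
"""
PROXY_LOG = """\
2021-11-02T08:17:22Z proxy src=10.20.5.44 url=http://update-docs-cdn.test/inv/load.php status=200 bytes_in=248112
2021-11-02T08:18:03Z proxy src=10.20.5.44 url=https://www.corp.test/intranet status=200 bytes_in=5120
"""
FIREWALL_LOG = """\
2021-11-02T08:19:10Z fw action=deny src=10.20.5.44 dst=203.0.113.77 dport=8080 proto=tcp bytes_out=1930
2021-11-02T08:19:40Z fw action=deny src=10.20.5.44 dst=203.0.113.77 dport=443 proto=tcp bytes_out=2070
2021-11-02T08:21:00Z fw action=allow src=10.20.5.51 dst=198.51.100.9 dport=443 proto=tcp bytes_out=3400
"""
IDS_LOG = """\
2021-11-02T08:19:11Z ids alert="Possible Emotet C2 beacon" src=10.20.5.44 dst=203.0.113.77 dport=8080
"""

# Assumed asset inventory: which user sits at which workstation address.
ASSETS = {"10.20.5.44": "jsmith@corp.test"}
CORP_DOMAINS = {"www.corp.test"}           # assumed allowlist of internal web hosts
MACRO_EXT = (".doc", ".docm", ".xls", ".xlsm")
PAYLOAD_BYTES = 100_000                    # downloads above this count as payload-sized

KV_RE = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|\S+)')

def parse(text, source):
    """Parse one source's lines into dicts with a real timestamp and a source tag."""
    events = []
    for line in text.splitlines():
        ts, _name, rest = line.split(" ", 2)
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
        ev.update((k, v.strip('"')) for k, v in KV_RE.findall(rest))
        events.append(ev)
    return events

def build_timeline(ip, email, proxy, fw, ids):
    """Collect every event that ties to one workstation and sort by time.
    Each entry carries the indicator(s) it contributes, keyed by the control
    that would consume them (mail rule, proxy block, firewall deny)."""
    user = ASSETS.get(ip)
    tl = []
    for e in email:
        if e["to"] == user and e["attachment"].lower().endswith(MACRO_EXT):
            tl.append({"ts": e["ts"], "source": "email",
                       "ioc": {"sender": e["from"], "attachment": e["attachment"]},
                       "what": f"macro-capable attachment {e['attachment']} delivered from {e['from']}"})
    for e in proxy:
        dom = urlparse(e["url"]).hostname
        if e["src"] == ip and dom not in CORP_DOMAINS and int(e["bytes_in"]) >= PAYLOAD_BYTES:
            tl.append({"ts": e["ts"], "source": "proxy", "ioc": {"domain": dom},
                       "what": f"{e['bytes_in']}-byte download from unlisted domain {dom}"})
    c2 = {e["dst"] for e in ids if e["src"] == ip}      # destinations the IDS flagged
    for e in ids:
        if e["src"] == ip:
            tl.append({"ts": e["ts"], "source": "ids", "ioc": {"ip": e["dst"]},
                       "what": f"IDS alert '{e['alert']}' to {e['dst']}:{e['dport']}"})
    for e in fw:
        if e["src"] == ip and e["dst"] in c2:
            tl.append({"ts": e["ts"], "source": "firewall", "action": e["action"], "ioc": {"ip": e["dst"]},
                       "what": f"firewall {e['action']} outbound {e['dst']}:{e['dport']} ({e['bytes_out']} bytes)"})
    return sorted(tl, key=lambda x: x["ts"])

def assess(tl):
    """Read the timeline the way the responder does: is the host infected,
    how did it get in, and did anything reach the command-and-control host?"""
    sources = {x["source"] for x in tl}
    if "ids" not in sources:
        return "no C2 indicator for this host"
    route = ("via email attachment and macro download" if {"email", "proxy"} <= sources
             else "entry route unclear")
    leaked = any(x["source"] == "firewall" and x["action"] == "allow" for x in tl)
    return f"infected {route}; C2 traffic " + ("reached the internet" if leaked else "blocked at perimeter")

def indicators(tl):
    """Merge the timeline's indicators into per-control blocklists."""
    out = {}
    for x in tl:
        for kind, value in x["ioc"].items():
            out.setdefault(kind, set()).add(value)
    return out

if __name__ == "__main__":
    logs = (parse(EMAIL_LOG, "email"), parse(PROXY_LOG, "proxy"),
            parse(FIREWALL_LOG, "firewall"), parse(IDS_LOG, "ids"))
    tl = build_timeline("10.20.5.44", *logs)
    for x in tl:
        print(x["ts"].isoformat(), x["source"].ljust(8), x["what"])
    print(assess(tl))
    print(indicators(tl))
```

The point of the example is the order of evidence, not any single rule: the IDS alert alone says "something beaconed", the firewall log says whether the beacon got out, and only the email and proxy entries before it explain how the host got there. The `indicators()` output maps straight onto the controls the post lists (a sender and attachment name for the email filter, a domain for the proxy, an address for the firewall), which is the "additional rules for our security stack" step.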


The Need for a Safe, Off-Network Malware Analysis Environment

One key consideration for security teams and incident responders is ensuring you have a safe, off-network environment in which to analyze malware and potentially malicious attachments. One of the most cost-effective and expedient solutions is to invest in a hypervisor-based malware sandbox, which allows you to ingest your data safely while protecting your company from accidental data leaks, such as those that happen if you upload to VirusTotal, a public repository that anyone, both good and malicious actors, can access.

Once the intel team and incident response team understand the capabilities of the malware and how it entered the network, they can update their response plans and inform the defenders, usually a security operations team, on how to detect it and prevent it from spreading in the future.


Malware Awareness – EMOTET Resurgence (last update: March 2020), by TREND MICRO
