7 Tips to Reduce the Risk of Handling Malware
Many people call any program that an attacker uses to their advantage, including publicly available tools, “malware.” That is not a good practice as the term “malware” is far too generic and makes its handling much riskier than needed.
Further categorizing the malware better identifies the attackers’ goals and answers the question, “What does the malware do?” It also serves the secondary benefit of posting a sign that says, “BEWARE: This Dog Bites!”
Malware triage and handling is a risky undertaking that should be performed by trained specialists in the proper environment and only when necessary. Analysis of unknown files and known malware both pose significant risks. Investigators can unknowingly infect their systems—and the systems of others—and cause extensive damage.
The results of malware analysis can help generate Indicators of Compromise (IOCs) that can then be used to sweep a larger population of systems. However, nothing can be generated if the investigators’ system is compromised and/or severely damaged.
The majority of organizations do not possess the budgets or staff for malware analysis and choose instead to utilize the services of third-party subject matter experts. Even then, serious risks exist in the collection and transportation phases of this process that should be identified and acknowledged. Protocols should address all aspects of dealing with malware, from the pre-analysis stage to final storage or disposition when a case is closed. These protocols should include procedures for labeling transport media containing malicious files.
Listed below are 7 tips (most of them learned the hard way) that may help to reduce the risk of an unintentional compromise when transporting malware to internal analysis teams or third-party vendors.
#1) Use a CD with a Large Bold Font
A co-worker is much more likely to see a CD with the large words stating “THIS WILL KILL YOUR NETWORK” in bold print than the word “malware” written in 4-point font on a small USB.
#2) Handle Malicious Files as a “Non-Privileged” User
This should seem obvious, but reality dictates that we still operate in environments in which even the most well-intentioned system administrators do not use two accounts (privileged / non-privileged) and seem to want to be the most helpful at the worst of times.
#3) Underscore Malware File Extensions (Bad.EXE)
This allows members of the team “in the know” to recognize malware samples in a directory at a glance. Those outside the team may not know this, but, if they are the ones in possession of the sample, it’s usually already too late.
#4) Store Files in a Directory that Denies Execution
Most directories storing files on a network do not deny their execution; therefore, it goes without saying that the directories should reside in storage systems outside the reach of unauthorized and unknowing personnel.
#5) Only Allow “Non-Privileged” Access
Proper configuration of storage devices to only allow non-privileged access will hopefully avoid all the potential disasters envisioned in Tip #2 above.
#6) Store Files in a Password Protected or Encrypted Archive
Samples that are retained for extended periods of time should be stored in specially designated encrypted archives. This lessens the risk that, 24 months from now, new hires perusing your systems during their lunch break will discover the files and ask themselves, “I wonder what this file does?”
#7) Use an Identifiable Password for Stored Malware Samples
This is not meant to be a security strategy in and of itself, but we can only hope beyond hope that if an unknowing employee must use a password such as “INFECTED” or “MALWARE” to access a storage system, it will assist them in discerning its contents. If not … well … it’s never too late for a career in food service.
(Although, as the complexity of malware expands exponentially and the demands placed upon us become increasingly stressful, I have to admit there are those times when a career in food service seems actually quite appealing to me.)
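The storage tips (#3 through #7) as one shell routine, added here as an example rather than taken from the original post: the quarantine directory layout, the README text, the hash manifest and the use of 7z or zip when either is installed are all assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes a Linux/Unix host with
# coreutils; 7z or zip is optional. The "INFECTED" password is the tip #7
# convention, not a secret.
set -u

# quarantine_sample <sample> <quarantine_root>
# Moves <sample> under <quarantine_root>/samples with an underscored
# extension (tip #3), strips execute bits and restricts the directory to the
# owning analyst account (tips #4, #5), writes a hash manifest, and, when a
# tool is present, wraps it in a password-protected archive (tips #6, #7).
# Prints the quarantined path.
quarantine_sample() {
  local sample="$1" root="$2"
  local dir="$root/samples" base target
  mkdir -p "$dir"
  base=$(basename "$sample")
  # Tip #3: Bad.EXE -> Bad.EXE_ so no shell or file manager treats it as runnable
  target="$dir/${base}_"
  mv "$sample" "$target"
  # Tip #4/#5: no execute bit on the sample; directory readable only by owner
  chmod 0600 "$target"
  chmod 0700 "$dir"
  # Tip #1 in spirit: an unmistakable warning stored next to the sample
  printf 'THIS WILL KILL YOUR NETWORK - live malware samples, do not open or run\n' \
    > "$dir/README_INFECTED.txt"
  # Hash manifest so the sample can be verified before it is handed to a vendor
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$target" >> "$dir/MANIFEST.sha256"
  else
    shasum -a 256 "$target" >> "$dir/MANIFEST.sha256"
  fi
  # Tip #6/#7: encrypted archive with an identifiable password, if a tool exists
  if command -v 7z >/dev/null 2>&1; then
    7z a -pINFECTED -mhe=on "$root/${base}_INFECTED.7z" "$target" >/dev/null
  elif command -v zip >/dev/null 2>&1; then
    zip -q -P INFECTED "$root/${base}_INFECTED.zip" "$target"
  fi
  printf '%s\n' "$target"
}

# Tip #4 check: returns 0 when the filesystem holding <path> is mounted noexec
# (requires util-linux findmnt; returns non-zero where it is unavailable).
is_noexec_mount() {
  findmnt -no OPTIONS -T "$1" 2>/dev/null | tr ',' '\n' | grep -qx noexec
}
```

Placing the quarantine root on a volume that `is_noexec_mount` reports as noexec covers tip #4 at the filesystem level rather than relying on per-file permissions alone.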
The benefits of analyzing unknown files and known malware can be significant during an investigation but should always be commensurate with the known risks. Knowing that the risk can be mitigated by using third parties can bring us 90% of the way.
Knowing how risks can be further mitigated when transferring our malware samples to these external experts should help to take us the final 10% of the way and protect all those involved in the process.