
Thursday, January 21, 2016

Malware Management is even spelled out in ISO 27002

I have mentioned many times how Malware Management is a much needed practice for improving an Information Security program and your Security Operations team. If you want to begin hunting and find malware in your environment, you must first learn what to look for and where to look, in terms of artifacts and IOCs.

It is not just me suggesting you do this; it is also spelled out in the industry's leading information security standard, ISO 27002. Below is an excerpt of the standard discussing the need for Malware Management.

A.12.2.1 Controls against malware

j) implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware.

In my Malware Discovery training I teach people to go out and read virus/malware write-ups, malware analyst reports and IR firm reports to collect the artifacts and IOCs that you can then populate into your security solutions, scripts, and detection, response and incident response practices.

So you should consider adding this to your 2016 list of security goals and objectives: spend one hour a week researching and reading the materials available to start a practice of Malware Management.

You can find a list of Malware Reports from some of the more recognized malware campaigns on our websites:


And read what and how to do Malware Management here:

The Malware Management Framework

By all means, send us links to other good reports so we can share. Generally, you can find these reports discussed or released in articles from RSS feeds of many of the vendors who work in the IR space, InfoSec blogs and many podcasts like "Brakeing Down Security", where I have been a guest discussing the subject.

So don't take our word for it, take the advice straight from ISO 27002 and use this to help justify starting a Malware Management program in your organization.

Happy Hunting

#InfoSec #MalwareArchaeology #MalwareManagement

Wednesday, January 6, 2016

For the love of humanity retailers, read the PoS malware reports and stop the BREACHES! Malware Management can save you, seriously!

I have blogged many times before about how Malware Management helps information security professionals and organizations improve their detection, Active Defense and Incident Response capabilities. The Hyatt breach and MODPoS prove yet again that Malware Management would have saved Hyatt and many other retailers after Jan 2014.  Retailers must evolve or continue to be compromised.  For that matter, all of us must evolve our detection capabilities or suffer a breach at some point.  The ultimate goal of security operations is to detect an intrusion BEFORE the mass loss of data that results in a breach, your firm's name in the news and possibly new employment opportunities for you.

In October 2015 iSight Partners released another good analysis report on the MODPoS malware.  Much like their first report from Jan 2014 on BlackPoS, one of the main conclusions is the same: the malware installed a new service!

For the love of humanity, information security professionals, monitor your systems for the creation of new services!  This is Malicious Detection 101, people.  The one item that is enabled and available by default on Windows systems is the set of events for services starting, stopping, changing and installing.  Yes, there were many more artifacts in these two malware reports, but one thing is common to both and to many other malware reports: a new service was installed, and it is the core persistence mechanism used in retail Point of Sale (PoS) infections.  Many advanced malware attacks also use a new or existing service to maintain persistence; it's a very common technique.

Detect Event ID 7045 (a new service was installed) or Event ID 7040 (a service's start type changed) and you can detect and stop PoS malware and many other advanced malware dead in their mag stripes.
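As an added example (not code from the original post or from LOG-MD), here is a PowerShell query that pulls Service Control Manager events 7045 and 7040 out of the System log and turns them into a short triage list. The 24-hour look-back window and the single "known good" image-path pattern are assumptions to tune for your own builds; the field names (ServiceName, ImagePath, StartType, AccountName for 7045; param1 to param4 for 7040) are the ones Windows writes into the event XML.

```powershell
# Added example, not from the original post: list new-service installs (7045)
# and start-type changes (7040) from the System log and flag the ones to look at.
# $LookbackHours and $KnownGoodImagePatterns are assumptions - tune them.
param(
    [int]$LookbackHours = 24
)

# Image paths you have already vetted as normal on your builds.
# Constructed placeholder pattern; anything that does not match is reported.
$KnownGoodImagePatterns = @(
    '^"?C:\\Windows\\System32\\'
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045, 7040
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the named EventData fields out of the record's XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        7045 {
            # New service installed: the binary path is the key artifact.
            $img   = $data['ImagePath']
            $known = $false
            foreach ($p in $KnownGoodImagePatterns) {
                if ($img -match $p) { $known = $true }
            }
            [pscustomobject]@{
                Time       = $e.TimeCreated
                EventId    = 7045
                Computer   = $e.MachineName
                Service    = $data['ServiceName']
                Detail     = $img
                StartType  = $data['StartType']
                Account    = $data['AccountName']
                Suspicious = -not $known
            }
        }
        7040 {
            # Start type changed: param2 is the old type, param3 the new one,
            # param4 the short service name.
            [pscustomobject]@{
                Time       = $e.TimeCreated
                EventId    = 7040
                Computer   = $e.MachineName
                Service    = $data['param4']
                Detail     = 'start type {0} -> {1}' -f $data['param2'], $data['param3']
                StartType  = $data['param3']
                Account    = $null
                # A service switched to auto start is the change worth a second look.
                Suspicious = ($data['param3'] -eq 'auto start')
            }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
$findings | Where-Object Suspicious |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\service-changes.csv"
```

Run it from an elevated prompt on the host you are checking, or point `Get-WinEvent` at a remote machine with `-ComputerName`. The "Suspicious" column is only a first cut: a new service whose binary lives outside your vetted paths, or an existing service flipped to auto start, is exactly the artifact both PoS reports describe, and that is what gets reviewed first.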

Malware Management to the rescue!

Take it from someone who has lived there too many times and caught the malwarians within an hour or so of the initial compromise.  You CAN detect most advanced attacks and many commodity malware infections, but you must practice Malware Management.  Read the malware analyst reports these experienced and seasoned professionals create, for the very reason of educating all of us so we improve from real world events and experiences.

Read more on Malware Management here:

Read more on Windows Logging and use several cheat sheets we created to help you begin and refine your Windows logging ability available here:

And of course, use LOG-MD to audit your system and help set up proper logging to gather the needed log data.  Even if you have a Log Management solution, use LOG-MD to refine your logging, improving what you collect, reducing the noise and the quantity of events, and helping you reduce your license and storage requirements.  You can get LOG-MD here:

So come on retailers, it is time to get with the times and read the malware reports on your own breaches to learn, improve and better defend yourselves.  Everyone else too.

More Malware Analyst reports are available on our website:

Happy Hunting!