Using DNS Data to Identify Patient Zero Malware
Identifying patient zero means tracing a malware infection back to its source: the first endpoint that introduced the malware into the environment. Finding that host lets the organization contain the outbreak, understand how the initial compromise slipped past existing controls, and eliminate the malware rather than only cleaning up the hosts that were detected later.
This use case relies on Splunk Cloud, Splunk Enterprise Security (ES) and the Splunk App for Stream. ES is used to assess the threat, to review incidents, and to raise notable events on the security-domain dashboards from which the malware is investigated. The Splunk App for Stream captures DNS traffic off the wire so that lookups of command and control domains can be identified.
Data sources: endpoint anti-malware logs, DNS lookup data, and web browsing logs from the proxy server.
Start with Splunk Cloud, add Splunk Enterprise Security (version 4.0 or later) and install the Splunk App for Stream. Then install and configure the Stream add-on on the systems where the wire data can be captured. Finally, normalize each data source to the Common Information Model (CIM): endpoint anti-malware logs to the Malware data model, DNS logs to the Network Resolution data model, and proxy logs to the Proxy object of the Web data model. The correlation below depends on this normalization, because it joins the hosts reported in the Malware model with the source hosts of DNS queries in the Network Resolution model.
Identify malware-infected hosts
The ES Security Posture and Incident Review dashboards are the starting point for reviewing the current state of the malware infection.
The notable event "High or Critical Priority Host With Malware Detected" provides a snapshot of the hosts that the endpoint anti-malware has marked as infected.
Determine the scope of the attack
The focus is on endpoints flagged with the signature Mal/Packer, a detection for packed executables of the kind malware authors use to wrap viruses, worms or trojans and evade signature matching. The ES Incident Review dashboard lists several hosts with Mal/Packer detections, which shows that this is not an isolated infection and needs to be remedied promptly. While the tier 1 analyst begins cleaning up the infected endpoints, the tier 2 and tier 3 analysts continue investigating the potential outbreak in depth to identify patient zero.
Hosts involved in command and control activity
Malware packed in this way frequently establishes command and control connections. The DNS Activity and DNS Search dashboards in ES identify the hosts resolving domains that threat intelligence associates with managing malware, hosting malware or staging attacks.
By correlating the two data sets, the malware-infected endpoints that also issued DNS queries for known command and control domains are identified, and sorting those lookups by time reveals the earliest sign of infection across the environment. A simple search then finds the endpoint that resolved the malware command domain first. This host bypassed the existing anti-malware controls, so it does not appear among the detected hosts at all, which is exactly why the DNS data is needed: it is the single endpoint that introduced the malware, patient zero.
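The correlation described above, written out as an added example (not Splunk's code, and not SPL) so the logic can be read and run offline. It mirrors the CIM fields the page cites, `dest` and `signature` from the Malware data model and `src` and `query` from the Network Resolution data model, and generalizes the text slightly: every host that resolved a C2 domain is ranked by its first lookup, and a flag records whether anti-malware also detected it, so the host that bypassed detection still surfaces as patient zero. The C2 domain list, the host names and all events are constructed sample data.

```python
"""Correlate anti-malware detections with DNS lookups of known command and
control domains and rank hosts by their first C2 lookup.

Added example, not Splunk's code. Field names mirror the CIM data models the
page uses: Malware (dest, signature) and Network_Resolution (src, query).
The C2 domains and all events below are constructed for the example.
"""
from datetime import datetime, timezone

# Constructed threat list, standing in for the ES threat intelligence lookup.
C2_DOMAINS = {"update-check.example", "cdn-sync.example"}

# Constructed Malware CIM events: hosts the endpoint anti-malware flagged.
MALWARE_EVENTS = [
    {"_time": "2024-03-05T09:40:12Z", "dest": "ws-1042", "signature": "Mal/Packer"},
    {"_time": "2024-03-05T10:02:51Z", "dest": "ws-0077", "signature": "Mal/Packer"},
    {"_time": "2024-03-05T10:15:03Z", "dest": "ws-0310", "signature": "Mal/Generic"},
]

# Constructed Network_Resolution CIM events captured off the wire.
# ws-0511 resolves a C2 domain first and never appears in MALWARE_EVENTS.
DNS_EVENTS = [
    {"_time": "2024-03-05T07:01:30Z", "src": "ws-2000", "query": "www.example.com"},
    {"_time": "2024-03-05T08:12:44Z", "src": "ws-0511", "query": "update-check.example."},
    {"_time": "2024-03-05T09:38:07Z", "src": "ws-1042", "query": "a1.UPDATE-CHECK.example"},
    {"_time": "2024-03-05T09:41:00Z", "src": "ws-1042", "query": "www.example.com"},
    {"_time": "2024-03-05T09:59:20Z", "src": "ws-0077", "query": "cdn-sync.example"},
    {"_time": "2024-03-05T10:20:00Z", "src": "ws-0310", "query": "mail.example.org"},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_domain(name):
    """Lower-case and drop the trailing dot that wire-captured queries carry."""
    return name.rstrip(".").lower()


def matching_c2_domain(query, c2_domains):
    """Return the C2 domain a query resolves (exactly or as a subdomain), else None."""
    q = normalize_domain(query)
    for c2 in c2_domains:
        c2n = normalize_domain(c2)
        if q == c2n or q.endswith("." + c2n):
            return c2n
    return None


def hosts_flagged(malware_events, signature=None):
    """Hosts the anti-malware marked infected, optionally for one signature."""
    return {e["dest"] for e in malware_events
            if signature is None or e["signature"] == signature}


def first_c2_contact(dns_events, c2_domains):
    """Earliest C2 lookup per host: {host: (time, c2_domain)}."""
    first = {}
    for e in dns_events:
        dom = matching_c2_domain(e["query"], c2_domains)
        if dom is None:
            continue
        t = parse_time(e["_time"])
        if e["src"] not in first or t < first[e["src"]][0]:
            first[e["src"]] = (t, dom)
    return first


def correlate(malware_events, dns_events, c2_domains, signature=None):
    """Join DNS C2 lookups with anti-malware detections, earliest lookup first.

    Hosts with no detection are kept and marked av_detected=False: those are the
    endpoints that bypassed the anti-malware controls.
    """
    flagged = hosts_flagged(malware_events, signature)
    rows = [{"host": host, "first_c2_time": t, "c2_domain": dom,
             "av_detected": host in flagged}
            for host, (t, dom) in first_c2_contact(dns_events, c2_domains).items()]
    rows.sort(key=lambda r: r["first_c2_time"])
    return rows


def patient_zero(malware_events, dns_events, c2_domains, signature=None):
    """The host with the earliest C2 lookup, or None if no host resolved a C2 domain."""
    rows = correlate(malware_events, dns_events, c2_domains, signature)
    return rows[0] if rows else None


if __name__ == "__main__":
    for r in correlate(MALWARE_EVENTS, DNS_EVENTS, C2_DOMAINS):
        print(f"{r['first_c2_time'].isoformat()} {r['host']:8} {r['c2_domain']:22} "
              f"av_detected={r['av_detected']}")
    print("patient zero:", patient_zero(MALWARE_EVENTS, DNS_EVENTS, C2_DOMAINS)["host"])
```

Two details matter in practice. Queries captured off the wire often carry a trailing dot and mixed case, and C2 infrastructure frequently uses per-victim subdomains, so the match normalizes the name and accepts subdomains of the listed domain rather than comparing strings exactly. And the ranking deliberately does not filter out hosts missing from the Malware data model: restricting the search to detected hosts would hide the one endpoint the page is trying to find. In ES the same logic is a search over the Network Resolution data model filtered by the threat intelligence lookup, joined to the Malware data model on the host, and sorted by earliest time.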
Now that Patient Zero has been identified, the analyst can update the active investigation with a note to follow up and take appropriate remedial actions.
Splunk ES was used to assess the malware infection, review incidents, and raise notable events on the security-domain dashboards from which the malware was investigated. The Splunk App for Stream supplied the DNS data that identified the command and control communication and, with it, patient zero.
For additional details, please refer to the Splunk Enterprise Security Use Case Documentation.