Using DNS Data to Identify Patient Zero Malware

Identifying patient zero malware means tracing an infection back to its source: the first endpoint that introduced the malware into the environment. Finding that endpoint lets the organization contain the outbreak and eliminate the malware.

Workflow

Identify malware-infected hosts

The Enterprise Security (ES) Security Posture and Incident Review dashboards are the starting point for reviewing the current state of malware infection.

The notable event “High or Critical Priority Host With Malware Detected” provides a snapshot of the hosts currently flagged as infected by malware.

Determine scope of attack

The focus is on endpoints infected with malware carrying the signature Mal/Packer, a packer that malware authors use to deliver viruses, worms or trojans onto hosts. The ES Incident Review dashboard lists several hosts with Mal/Packer malware, which indicates a non-isolated issue that needs to be remedied promptly. While the tier 1 analyst begins cleaning up the malware-infected endpoints, the tier 2 and tier 3 analysts can continue investigating the potential malware outbreak in depth and identify patient zero.

Hosts involved in Command and Control Activity

Mal/Packer is also often used for malicious command and control purposes. The DNS Activity and DNS Search dashboards within ES identify the hosts communicating with domains that are commonly used to manage communication with malware, to host malware, or to serve as an attack post.

Pinpointing Patient-Zero

A correlation query joins the malware-infected endpoints against the DNS queries made to remote command and control servers; the earliest such query is the earliest sign of infection across the environment. A simple search then identifies the endpoint that bypassed the existing anti-malware systems and was the first to query the malware command domain, yielding a single endpoint (host): Patient Zero.
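The following Python script is an added example, not code from the original page or from ES; it performs the same correlation outside the dashboards, over log lines constructed for illustration. It takes the set of hosts that anti-malware flagged with Mal/Packer (the step described under "Hosts involved in Command and Control Activity"), filters DNS resolver events down to a placeholder command and control domain, and returns the earliest such query from a flagged host. The host names, the key=value log formats and the domain c2-example.invalid are all assumptions.

```python
"""Correlate anti-malware alerts with DNS logs to find patient zero.

Added example, not from the original page. Log formats, host names and
the C2 domain are constructed placeholders.
"""
from datetime import datetime, timezone

# Constructed sample anti-malware alerts (one per line, key=value fields).
MALWARE_ALERTS = [
    "2024-03-04T11:40:00Z host=wks-023 signature=Mal/Packer action=quarantined",
    "2024-03-04T12:05:00Z host=wks-017 signature=Mal/Packer action=quarantined",
    "2024-03-04T12:30:00Z host=srv-fs01 signature=Mal/Packer action=quarantined",
    "2024-03-04T08:00:00Z host=wks-099 signature=EICAR-Test-File action=quarantined",
]

# Constructed sample DNS query logs from the resolver.
DNS_LOGS = [
    "2024-03-04T07:45:00Z src=wks-050 query=c2-example.invalid",
    "2024-03-04T08:30:00Z src=wks-099 query=update.vendor-example.invalid",
    "2024-03-04T09:00:00Z src=wks-017 query=www.example.com",
    "2024-03-04T09:12:31Z src=wks-017 query=c2-example.invalid",
    "2024-03-04T10:48:02Z src=wks-023 query=c2-example.invalid",
    "2024-03-04T11:55:10Z src=srv-fs01 query=c2-example.invalid",
]

# Placeholder command-and-control domain; the page names no real one.
C2_DOMAINS = {"c2-example.invalid"}


def parse_event(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    event = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "raw_ts": ts,
    }
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def infected_hosts(alerts, signature="Mal/Packer"):
    """Hosts the anti-malware product flagged with the given signature."""
    return {e["host"] for e in map(parse_event, alerts) if e.get("signature") == signature}


def c2_dns_events(dns_logs, c2_domains):
    """DNS events whose queried name is (or sits under) a known C2 domain, oldest first."""
    events = []
    for e in map(parse_event, dns_logs):
        name = e.get("query", "").lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in c2_domains):
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_patient_zero(alerts, dns_logs, c2_domains, signature="Mal/Packer"):
    """Earliest C2 DNS query made by a host that anti-malware flagged with the signature."""
    infected = infected_hosts(alerts, signature)
    for e in c2_dns_events(dns_logs, c2_domains):
        if e["src"] in infected:
            return e["src"], e["raw_ts"]
    return None


def unflagged_c2_hosts(alerts, dns_logs, c2_domains, signature="Mal/Packer"):
    """Hosts that queried a C2 domain but carry no matching anti-malware alert.

    The correlation only ranks hosts the anti-malware product eventually
    flagged, so these hosts deserve a manual check before patient zero is final.
    """
    infected = infected_hosts(alerts, signature)
    return {e["src"] for e in c2_dns_events(dns_logs, c2_domains)} - infected


if __name__ == "__main__":
    print("Infected hosts:", sorted(infected_hosts(MALWARE_ALERTS)))
    print("Patient zero:", find_patient_zero(MALWARE_ALERTS, DNS_LOGS, C2_DOMAINS))
    print("C2 queries from unflagged hosts:",
          sorted(unflagged_c2_hosts(MALWARE_ALERTS, DNS_LOGS, C2_DOMAINS)))
```

On the constructed data the correlation names wks-017 as patient zero, while wks-050 queried the command domain even earlier but never raised a Mal/Packer alert. That is the caveat of a correlation keyed on anti-malware detections: it can only rank the hosts the product eventually caught, so the `unflagged_c2_hosts` set is worth reviewing before the finding is recorded in the investigation.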

Active remediation

Now that Patient Zero has been identified, the analyst can update the active investigation with a note to follow up and take the appropriate remedial actions.