Often, people's immediate response to a malware infection is to disconnect the host from the network. While this is a sensible precaution against malware propagation, it destroys some valuable volatile data that can be used in the investigation. This includes:
- Active network connections
- Active processes which rely on active network connections
Scenario: let's assume that an attacker has a reverse shell on a host in your environment. If you disconnect the host from the network, that established connection dies. You then have no way of identifying who the attacker is or what their IP address is, and no way to prevent further communication by blocking the attacker's IP address at the firewall.
As a result, disconnecting an infected host is not the first thing that should be done when responding to an incident. Gathering the volatile information and preserving it should come first.
The information that should be gathered consists of timestamps, network connections that are listening and/or established, system information, currently running processes, and the members of the local Administrators group.
I've created a pretty speedy script (under 5 seconds of run time) which gathers all of this information into a text file named $hostname.txt on the Desktop of the current user. The script can be found here.
After this information is gathered, the next steps in the incident response procedure can be taken. This is where you can determine whether network isolation is necessary or not.
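To make the collection step concrete, here is an added PowerShell triage script written for this article; it is not the author's script and the output layout is my own. It assumes a Windows host with PowerShell 5.1 or later, the NetTCPIP module (Get-NetTCPConnection, Get-NetIPAddress) and the LocalAccounts module (Get-LocalGroupMember), and that the current user has a Desktop folder. It writes every category listed above to `<hostname>.txt` on the current user's Desktop, records timestamps in both local time and UTC so later event-log work can be anchored, resolves each TCP connection to its owning process, and lists the remote peers of established sessions separately so a firewall block decision can be made before the cable is pulled.

```powershell
# Added volatile-data triage example (not the author's script).
# Assumes Windows PowerShell 5.1+ with the NetTCPIP and LocalAccounts modules.
$OutFile = Join-Path ([Environment]::GetFolderPath('Desktop')) "$env:COMPUTERNAME.txt"

function Write-Section {
    param([string]$Title, [object]$Body)
    # Each section is delimited so the file is easy to diff against a later snapshot.
    "==== $Title ====" | Out-File -FilePath $OutFile -Append -Encoding UTF8
    $Body | Out-String -Width 200 | Out-File -FilePath $OutFile -Append -Encoding UTF8
}

# Start a fresh file with the collection time in local and UTC form.
"Collection started: $(Get-Date -Format o) (local) / $((Get-Date).ToUniversalTime().ToString('o')) UTC" |
    Out-File -FilePath $OutFile -Encoding UTF8

# 1. Timestamps: current time plus last boot, so uptime and log gaps can be reasoned about.
$os = Get-CimInstance Win32_OperatingSystem
Write-Section 'Timestamps' ([pscustomobject]@{
    Now         = Get-Date
    LastBootUp  = $os.LastBootUpTime
    UptimeHours = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 2)
})

# 2. Listening and established TCP connections with the owning process name.
#    This is exactly the data that disappears the moment the host is isolated.
$procById = @{}
Get-Process | ForEach-Object { $procById[$_.Id] = $_.ProcessName }
$conns = Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ Name = 'ProcessName'; Expression = { $procById[[int]$_.OwningProcess] } } |
    Sort-Object State, RemoteAddress
Write-Section 'TCP connections (Listen/Established)' $conns

# Unique remote peers of established sessions (loopback and unspecified addresses excluded):
# these are the candidates for a firewall block once the connection has been attributed.
$peers = $conns |
    Where-Object { $_.State -eq 'Established' -and $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' } |
    Select-Object -ExpandProperty RemoteAddress -Unique
Write-Section 'Remote peers of established sessions' $peers

# 3. System information.
$cs = Get-CimInstance Win32_ComputerSystem
Write-Section 'System' ([pscustomobject]@{
    Hostname = $env:COMPUTERNAME
    Domain   = $cs.Domain
    OS       = "$($os.Caption) $($os.Version)"
    LoggedOn = $cs.UserName
    IPv4     = (Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                Where-Object { $_.IPAddress -ne '127.0.0.1' } |
                Select-Object -ExpandProperty IPAddress) -join ', '
})

# 4. Running processes with parent, image path and command line, so unusual
#    parent/child pairs and odd image locations stand out during review.
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Sort-Object ProcessId
Write-Section 'Processes' $procs

# 5. Members of the local Administrators group; fall back to net.exe where the
#    LocalAccounts module is unavailable.
$admins = try {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource
} catch {
    net localgroup Administrators
}
Write-Section 'Local Administrators' $admins

Write-Section 'Collection finished' (Get-Date -Format o)

# 6. Print a hash of the finished file to the console (not into the file itself)
#    so the analyst can later show the evidence was not altered.
"SHA256 of $OutFile : $((Get-FileHash -Algorithm SHA256 -Path $OutFile).Hash)"
```

Run it from an elevated prompt so that the owning process of every connection and the command line of every process are visible; without elevation some entries come back empty. The hash is written to the console rather than into the file on purpose, since appending it would change the very content it attests to.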
Here is a sample of the output generated by my script: