Answering the Big Three

3 Important Things

When analyzing a system that has been compromised, or is believed to have been compromised, there are three questions that must be answered regardless of the operating system. The answers to these questions may change the direction of the analysis or end it.

  • Is there malware actively running on the system?

  • Is there any suspicious internal or external communication?

  • Is there any persistence?

Is malware actively present?

If anything malicious is actively running on the system, you can work backwards from it to investigate how it got there in the first place. The easiest way to do this is process analysis. We will cover the details of process analysis later. As a short example: a “powershell.exe” child process under an “excel.exe” process is suspicious and must be investigated.
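The parent/child check above, as an added example that is not part of the original course material: given a process snapshot (pid, parent pid, image name), it flags every command interpreter or script host whose direct parent is a document-handling application, and walks the ancestry chain backwards for each hit. The application and interpreter sets, and the sample process list, are constructed for the example and are not exhaustive.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str


# Document-handling applications that have no normal reason to spawn a
# command interpreter or script host (hypothetical, non-exhaustive sets).
DOCUMENT_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}


def build_index(processes: List[Process]) -> Dict[int, Process]:
    return {p.pid: p for p in processes}


def lineage(pid: int, index: Dict[int, Process]) -> List[str]:
    """Backward analysis: walk from a process up through its parents.
    Stops when the parent is unknown (already exited) or a cycle appears."""
    chain: List[str] = []
    seen = set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = index.get(cur.ppid)
    return chain


def find_suspicious_children(processes: List[Process]) -> List[Tuple[str, str, int, str]]:
    """Return (parent name, child name, child pid, ancestry) for every
    interpreter whose direct parent is a document-handling application."""
    index = build_index(processes)
    findings = []
    for p in processes:
        parent = index.get(p.ppid)
        if parent is None:
            continue
        if parent.name.lower() in DOCUMENT_APPS and p.name.lower() in INTERPRETERS:
            findings.append((parent.name, p.name, p.pid,
                             " <- ".join(lineage(p.pid, index))))
    return findings


# Constructed snapshot of a process list (pid, ppid, image name); not real data.
SAMPLE_PROCESSES = [
    Process(800, 600, "userinit.exe"),      # parent 600 has already exited
    Process(900, 700, "svchost.exe"),
    Process(1200, 800, "explorer.exe"),
    Process(2000, 1200, "chrome.exe"),
    Process(3000, 1200, "EXCEL.EXE"),
    Process(3100, 3000, "powershell.exe"),  # interpreter spawned by Excel
    Process(3200, 1200, "WINWORD.EXE"),
    Process(3300, 3200, "cmd.exe"),         # interpreter spawned by Word
    Process(3400, 3100, "conhost.exe"),     # child of the interpreter, not itself flagged
]

if __name__ == "__main__":
    for parent, child, pid, chain in find_suspicious_children(SAMPLE_PROCESSES):
        print(f"[!] {parent} -> {child} (pid {pid}); ancestry: {chain}")
```

Image names are compared case-insensitively because Office binaries are usually listed in upper case; the ancestry string is what you would use to decide where the backward analysis continues (here, the Excel document that was opened).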

Does suspicious internal or external communication exist?

An attacker must interact with the compromised system in order to carry out actions such as controlling it or extracting data from it, and that interaction produces network traffic. Anomalies can be identified by analyzing the connections the system is making now and has made in the past. For example, a connection to an IP address with a bad reputation, gigabytes of data transferred to a single IP address, or connections over abnormal ports are all cases that should be investigated carefully.
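The three connection anomalies named above, as an added example that is not part of the original course material: it runs a constructed connection list through a bad-reputation lookup, an outbound-volume check aggregated per remote address, and an expected-port check. The reputation list, the expected-port set, the 1 GiB threshold and the sample connections are all constructed placeholders (documentation-range addresses, not real indicators) and would be replaced by the environment's own data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Connection:
    process: str
    remote_ip: str
    remote_port: int
    bytes_out: int  # bytes sent from the host to the remote side


# Constructed threat-intelligence list (documentation-range addresses, not real IoCs).
BAD_REPUTATION: Set[str] = {"203.0.113.9", "203.0.113.45"}

# Destination ports this hypothetical environment expects outbound traffic on.
EXPECTED_PORTS: Set[int] = {53, 80, 123, 443, 587, 993}

# Outbound volume above which a single remote address is treated as possible
# exfiltration; a placeholder that must be tuned per environment.
EGRESS_THRESHOLD = 1 * 1024 ** 3  # 1 GiB


def triage_connections(conns: Iterable[Connection],
                       bad_ips: Set[str] = BAD_REPUTATION,
                       expected_ports: Set[int] = EXPECTED_PORTS,
                       threshold: int = EGRESS_THRESHOLD) -> List[Tuple[str, str]]:
    """Return sorted (remote_ip, reason) pairs for the three anomaly classes."""
    findings: Set[Tuple[str, str]] = set()
    egress: Dict[str, int] = defaultdict(int)
    for c in conns:
        # Volume is summed over every connection to the same host, so an upload
        # split across many sessions is still caught.
        egress[c.remote_ip] += c.bytes_out
        if c.remote_ip in bad_ips:
            findings.add((c.remote_ip, f"bad-reputation address contacted by {c.process}"))
        if c.remote_port not in expected_ports:
            findings.add((c.remote_ip, f"unusual destination port {c.remote_port} from {c.process}"))
    for ip, total in egress.items():
        if total > threshold:
            findings.add((ip, f"{total / 1024 ** 2:.0f} MiB sent; possible exfiltration"))
    return sorted(findings)


# Constructed connection records; not captured from a real host.
SAMPLE_CONNECTIONS = [
    Connection("chrome.exe", "192.0.2.10", 443, 48_000),              # ordinary browsing
    Connection("svchost.exe", "192.0.2.1", 53, 900),                  # DNS
    Connection("chrome.exe", "203.0.113.9", 443, 12_000),             # listed as bad reputation
    Connection("sync.exe", "198.51.100.20", 443, 600 * 1024 ** 2),    # bulk upload, session 1
    Connection("sync.exe", "198.51.100.20", 443, 700 * 1024 ** 2),    # bulk upload, session 2
    Connection("powershell.exe", "192.0.2.77", 4444, 2_048),          # unexpected port
]

if __name__ == "__main__":
    for ip, reason in triage_connections(SAMPLE_CONNECTIONS):
        print(f"[!] {ip}: {reason}")
```

Historical connections (firewall or proxy logs, flow records) feed the same function as live socket tables, which is what lets the volume check catch a transfer that finished before the analyst arrived.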

Is there presence of persistence?

Observing attackers' actions to date shows clearly that they aim to maintain a permanent presence on a system they have taken over. This may be because the attacker could not finish a certain task quickly and needs to return to complete it later, or because they want to leave an open door in case they need it again in the future. During your analysis, you may not find an active malicious process or any suspicious traffic. Perhaps the attacker has left a backdoor that triggers itself once a week. Thus, you must know the techniques used for persistence and examine the system for them.
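A persistence sweep in the spirit of the paragraph above, as an added example that is not part of the original course material: it takes an inventory of autostart entries collected from the usual locations (Run keys, scheduled tasks, services, startup folders) and flags the ones worth a closer look, including the infrequently triggered task the text warns about. The directory list, script-host list, flag list and sample entries are constructed heuristics, not a complete catalogue of persistence techniques.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AutostartEntry:
    source: str    # where the entry lives: Run key, scheduled task, service, startup folder
    name: str
    command: str
    trigger: str   # "logon", "boot", "daily", "weekly", ...


# Directories an unprivileged user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                      "\\downloads\\", "\\users\\public\\")
# Script hosts and proxy-execution binaries commonly used to launch a payload.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "regsvr32", "rundll32")
# Flags that hide the window or obscure the command being run.
EVASION_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop", "-noprofile")
# Triggers that fire too rarely to show up in a short live capture.
INFREQUENT = {"weekly", "monthly"}


def assess_entry(e: AutostartEntry) -> List[str]:
    """Return the reasons an entry deserves manual review (empty if none)."""
    cmd = e.command.lower()
    reasons: List[str] = []
    if any(d in cmd for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable or temporary directory")
    if any(h in cmd for h in SCRIPT_HOSTS):
        reasons.append("invokes a script host or proxy-execution binary")
        if any(f in cmd for f in EVASION_FLAGS):
            reasons.append("uses hidden-window or encoded-command flags")
    if e.trigger.lower() in INFREQUENT:
        reasons.append(f"{e.trigger} trigger: will not appear in a short live-traffic capture")
    return reasons


def triage_autostarts(entries: List[AutostartEntry]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Keep only entries with at least one reason, preserving inventory order."""
    return [(e.source, e.name, tuple(r)) for e in entries if (r := assess_entry(e))]


# Constructed inventory; paths and names are illustrative, not real findings.
SAMPLE_AUTOSTARTS = [
    AutostartEntry("HKLM Run key", "SecurityHealth",
                   r"C:\Windows\System32\SecurityHealthSystray.exe", "logon"),
    AutostartEntry("Service", "Spooler", r"C:\Windows\System32\spoolsv.exe", "boot"),
    AutostartEntry("Scheduled Task", "Updater",
                   r"C:\Users\alice\AppData\Local\Temp\svc.exe --quiet", "weekly"),
    AutostartEntry("HKCU Run key", "Helper",
                   "powershell.exe -w hidden -enc <BASE64-PLACEHOLDER>", "logon"),
    AutostartEntry("Scheduled Task", "Sync",
                   r'wscript.exe "C:\Users\Public\sync.vbs"', "daily"),
]

if __name__ == "__main__":
    for source, name, reasons in triage_autostarts(SAMPLE_AUTOSTARTS):
        print(f"[!] {source} / {name}")
        for r in reasons:
            print(f"    - {r}")
```

The output is a review list, not a verdict: a legitimate updater can live under a user profile and a legitimate task can run weekly, so each flagged entry still needs its binary, signature and creation time examined.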
