Author: Nobel Tan, Head of Security Operations
Before we share how we review incidents, it is important to understand why we need to review every incident submitted by the community.
Malware can easily infiltrate computers when users are simply browsing a website that has been compromised. The most dangerous scenario is when a zero-day exploit is distributed via online downloads. Other common vectors for malware distribution are email and removable disks.
In practice, there is no foolproof solution that can stop zero-day exploits. However, if caught early, they can be quickly contained before they affect other users. The key lies in how swiftly the Indicator of Compromise (IOC) can be identified and shared among all security service providers.
What Can Compromise Your Online Security?
Most people believe that malware is just a virus, but viruses only make up a tiny portion of all malware. Malware comes in many different forms and can be distributed in lots of different ways.
We list a few of the most common forms of malware below:
1. Cryptojacking: An increasingly common form of malware, usually installed by a Trojan or a website download. It allows an attacker to use your computer’s resources to mine cryptocurrencies such as Bitcoin or Monero.
2. Keylogger: A piece of malware that captures the user’s keystrokes so that the attacker can obtain sensitive information such as usernames, passwords, credit card details, and other personally identifiable information (PII).
3. Ransomware: A form of malware that locks a victim out of their device. It also encrypts their files with the intention of forcing the victim to pay a ransom to regain access to the original files. Most ransomware demands payment in hard-to-trace cryptocurrency.
4. Trojan: A Trojan is one of the most dangerous types of malware because once it infiltrates your system, attackers gain unauthorized access to your computer through network backdoors.
5. Virus: A virus is a piece of malicious code that attaches itself to a computer program. When executed, it replicates itself by modifying another program, infecting it with malicious code.
The Review Cycle
Most incidents reported through our portal are reviewed by in-house Security Analysts or by the Sentinels. The Sentinels are a group of security experts who have volunteered to review incident reports and provide their analysis. Their verdicts, based on their research and the evidence provided, decide whether the reported data should be blacklisted or whitelisted.
We also have a two-tiered review process because the decision to release reported data to our Threat Reputation Database (TRDB) lies solely with Uppsala. The reason for that is two-fold. First, we need to make sure the information reviewed is legitimate and verifiable. Second, we need to minimize the potential for including False Positives (FP) in our critical threat information database.
Figure 1 below shows a flowchart displaying how a reported incident would be reviewed by Uppsala Security Analysts and the Sentinels.
What Do We Find?
For any reported URL, our Uppsala Security Analysts access the website through an isolated sandbox environment to determine whether any downloaded files exhibit malicious activity. Next, we review the source code of the web pages to determine whether there is any ill intent coded in the scripts, or any content that could potentially alter data in transit.
We also look for possible impersonation of a legitimate website. If we discover a unique source code signature, it is used as a lookup key in third-party Internet archives to find other matches and web page history.
The WHOIS information will also be used to determine the actor’s location and to look for any other malicious websites being hosted in the same facility.
A wallet address is usually anonymous unless there is proven information that it belongs to a known entity, such as a crypto exchange. We depend on the evidence submitted by the reporter to determine whether a crypto address is used for malicious activities. We have internal tracker tools to trace the movement of crypto funds, specifically for Bitcoin and ERC20 tokens. The ability to track other tokens will depend on our future roadmap and developments.
Malware is easier to analyze because of the tools and techniques available. We use third-party sandbox technology to capture Operating System (OS) events and review them for known signatures of system file modifications, registry edits, network callbacks, and other information that might reveal a malware infection. Depending on the nature of the malicious file, static analysis and reverse engineering may also be used.
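As an added example (not Uppsala's own sandbox tooling), the review of captured OS events described above can be expressed as a small rule set run over constructed event records; the paths, hostname and addresses are placeholders, and the event shape is assumed.

```python
# Added example, not Uppsala's sandbox tooling: review constructed OS events
# (shaped like a third-party sandbox export) for the signatures the text names:
# system file modifications, registry persistence edits and network callbacks.
import fnmatch
import ipaddress

# Constructed event records; paths, host and IPs are placeholders, not real IOCs.
EVENTS = [
    {"type": "file_write", "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "file_write", "path": r"C:\Users\Public\updater.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Public\updater.exe"},
    {"type": "net_connect", "host": "cdn.example.invalid", "ip": "203.0.113.10", "port": 8443},
    {"type": "net_connect", "host": "", "ip": "10.0.0.2", "port": 445},
]

SYSTEM_FILE_GLOBS = [r"c:\windows\system32\*"]
PERSISTENCE_KEY_GLOBS = [r"hk*\software\microsoft\windows\currentversion\run*"]
# Sandbox-internal ranges; a connection anywhere else counts as an external callback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def matches(value, globs):
    return any(fnmatch.fnmatchcase(value.lower(), g) for g in globs)


def review_events(events):
    """Return (findings, iocs): tagged findings plus the indicators worth sharing."""
    findings, iocs = [], set()
    for ev in events:
        if ev["type"] == "file_write" and matches(ev["path"], SYSTEM_FILE_GLOBS):
            findings.append(("system_file_modification", ev["path"]))
        elif ev["type"] == "reg_set" and matches(ev["key"], PERSISTENCE_KEY_GLOBS):
            findings.append(("registry_persistence", ev["key"]))
            iocs.add(ev["value"])  # the dropped binary launched at logon
        elif ev["type"] == "net_connect":
            addr = ipaddress.ip_address(ev["ip"])
            if not any(addr in net for net in INTERNAL_NETS):
                findings.append(("network_callback", f"{ev['ip']}:{ev['port']}"))
                iocs.update(i for i in (ev["ip"], ev["host"]) if i)
    return findings, sorted(iocs)
```

The IOC list is what would be handed to the second review tier; the unflagged write to a user-writable directory shows why the rules only surface candidates and an analyst still decides.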
Emails or email addresses are usually correlated with known phishing campaigns. An email's Multipurpose Internet Mail Extensions (MIME) data is key to finding known signatures of malicious email activity. Sender credibility checks also usually surface indicators such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) results. Most phishing emails include phishing URLs that also serve as indicators.
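An added example, not part of the original post, of the header and body checks described above using only the Python standard library: the message, its domains and the Authentication-Results verdicts are constructed, and the verdicts are assumed to have been recorded by the receiving mail server.

```python
# Added example (not Uppsala's own tooling): triage a reported email by reading the
# SPF/DKIM/DMARC verdicts recorded in Authentication-Results and extracting body
# URLs as candidate indicators for analyst review.
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message; the domains are reserved placeholders, not real IOCs.
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example-bank.test;
 dkim=none; dmarc=fail header.from=example-bank.test
From: "Example Bank" <alerts@example-bank.test>
To: victim@example.net
Subject: Verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>Please <a href="http://example-bank.test.login-verify.invalid/auth">verify</a>
or visit https://cdn.example-bank.test.invalid/img.png now.</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def auth_verdicts(msg):
    """Map each method to its recorded result, e.g. {'spf': 'fail', 'dkim': 'none'}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(header):
            verdicts[method.lower()] = result.lower()
    return verdicts

def extract_urls(msg):
    """Collect unique URLs from every text/* part, in order of appearance."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    return urls

def triage(raw_bytes):
    """Summarise the message: sender domain, failed auth methods, body URLs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return {
        "from_domain": msg["From"].addresses[0].domain,
        "failed_auth": sorted(m for m, r in auth_verdicts(msg).items() if r != "pass"),
        "urls": extract_urls(msg),
    }
```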