Single malware infections happen to organizations of all shapes and sizes; they happen so regularly that it’s almost routine.
Multiple malware infections are less common but portend more risk, and that high level of risk requires a more rigorous analytical approach.
Security tools such as traditional antivirus (AV), next-generation antivirus (NGAV), endpoint detection and response (EDR), and next-generation firewall/intrusion prevention systems (NGFW/IPS) are usually equipped to detect and remediate commodity malware. But security controls, while very useful, will fail.
Commodity malware — like everything in cybersecurity — is a moving target that can change from one incident to the next. Payload signatures, initial exploitation techniques, and post-compromise behaviors change with time, meaning the security vendor’s detection technology is in a continuously reactive posture.
Auto-quarantining commodity malware using a security control doesn’t necessarily mean you’ve managed all related risk. Cryptomining malware and ransomware families have the capability to perform lateral movement post-compromise with little or no human interaction.
This article focuses on incident response best practices in the event of a malware outbreak involving follow-on network intrusion behavior, specifically lateral movement.
Assumptions
This article assumes that you’ve done at least minimal security preparation in advance for a security incident: namely, that you’ve aggregated all security tool logs in a security information and event management (SIEM) tool such as Blumira for investigative purposes, and that endpoints are protected with at least a traditional antivirus solution.
These best practices are organized according to NIST’s Incident Response Lifecycle.
Detection and Analysis
Validate the incident. False positives happen even with the best security technology. It’s helpful in any security incident response investigation to find more than one source attesting to an event. Correlate information from detection and prevention tools, such as antivirus alerts, with multiple sources to give the investigation’s conclusions greater confidence.
Do some research. Attribution matters, as the popular industry phrase goes. Attempt to assess the general nature of the malware by Googling relevant metadata (threat name, file hash) provided by the initial alerting mechanism. That can yield additional metadata, such as command and control infrastructure details or similar threat intelligence, that you can use to analytically “pivot” the investigation in new directions.
Scope rigorously. Scope is a difficult but critical stage in a multi-infection scenario. You need to understand what devices or network segments are at risk in order to effectively contain an active security incident.
Identify shared resources — Active Directory infrastructure being the most common in a Windows environment — or network artifacts, such as a common local administrator password used across all endpoints. External attacker infrastructure is another predictable chokepoint that you can use to pivot the investigation and successfully scope a multi-infection security incident.
Another scoping best practice is to analyze collected data for signs of lateral movement to or from compromised devices, ideally through a cloud-based SIEM. Ultimately, you want to form the attack’s data profile to understand what resources were impacted. The subsequent containment, eradication, and recovery stages all hinge on rigorous scoping up front.
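The scoping pivots described above, as an added Python example that is not part of the original article or of Blumira's product: starting from one alerted host and one known attacker address, it finds hosts that contacted the same infrastructure, follows logons made after each host's first evidence of compromise, and lists the accounts those logons used. The event tuples, hostnames, accounts and addresses are constructed for illustration.

```python
# Constructed sample records shaped like normalized SIEM output; all names are invented.
# Timestamps are ISO 8601 strings in one timezone, so string comparison orders them.
NET_EVENTS = [  # (timestamp, source host, destination IP)
    ("2024-01-10T09:00:05", "ws-01", "203.0.113.50"),
    ("2024-01-10T09:14:40", "ws-07", "203.0.113.50"),
    ("2024-01-10T09:20:00", "ws-03", "198.51.100.9"),
]
LOGON_EVENTS = [  # (timestamp, source host, target host, account)
    ("2024-01-10T08:45:00", "ws-01", "ws-02", "jdoe"),        # before the alert
    ("2024-01-10T09:02:11", "ws-01", "fs-01", "localadmin"),
    ("2024-01-10T09:05:30", "fs-01", "dc-01", "svc-backup"),
    ("2024-01-10T09:30:00", "ws-03", "ws-05", "asmith"),      # unrelated hosts
]


def scope_incident(seed, attacker_ips, net_events, logon_events):
    """Return {host: (first_evidence_time, reason)}; seed maps alerted host -> alert time."""
    in_scope = {host: (ts, "initial alert") for host, ts in seed.items()}
    # Pivot 1: hosts that contacted known attacker infrastructure.
    for ts, src, dst in net_events:
        if dst in attacker_ips and (src not in in_scope or ts < in_scope[src][0]):
            in_scope[src] = (ts, f"contacted {dst}")
    # Pivot 2: follow logons out of in-scope hosts, counting only logons made
    # at or after the source host's first evidence of compromise.
    changed = True
    while changed:
        changed = False
        for ts, src, dst, account in logon_events:
            if src in in_scope and ts >= in_scope[src][0]:
                if dst not in in_scope or ts < in_scope[dst][0]:
                    in_scope[dst] = (ts, f"logon from {src} as {account}")
                    changed = True
    return in_scope


def accounts_to_reset(in_scope, logon_events):
    """Accounts used for logons originating from hosts already in scope."""
    return sorted({acct for ts, src, _dst, acct in logon_events
                   if src in in_scope and ts >= in_scope[src][0]})


if __name__ == "__main__":
    hosts = scope_incident({"ws-01": "2024-01-10T09:00:00"}, {"203.0.113.50"},
                           NET_EVENTS, LOGON_EVENTS)
    for host, (ts, reason) in sorted(hosts.items()):
        print(f"{host}  {ts}  {reason}")
    print("reset:", accounts_to_reset(hosts, LOGON_EVENTS))
```

The time check keeps routine logons that predate the infection out of scope, which is what stops the host list from growing to the whole network.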
Containment
Use dynamic blocklists. Dynamic blocklists are an excellent example of a network-based containment technology. Blumira supports several next-generation firewalls that you can configure to perform this containment step automatically. This severs the connection between external attacker infrastructure and compromised systems within your organization. Doing so can complicate, if not eliminate, the malware’s ability to receive updated instructions.
Employ host-based isolation. You should consider this feature when making a purchasing decision, especially for cloud-based endpoint security products. It’s especially useful when company devices are operated outside of the organization’s physical workplace. Isolating a compromised host means the attacker can no longer use the device and thus has fewer options for launching new follow-on attacks, command and control, and data exfiltration.
Eradication
Preserve the evidence. Mature organizations will want to forensically examine compromised devices for cyber threat intelligence purposes. The data profiles of previous attacks will inform new detection signatures that will speed up the incident response cycle if a similar attack occurs again in the future. It’s also essential for cyber insurance payouts.
Recovery
Rebuilding the OS or re-imaging from a pristine gold image eliminates most malware persistence capabilities.
Reset user credentials to eliminate the possibility of attackers re-using compromised credentials dumped from memory or stored in the Windows registry.
Post-Incident Activities
Monitor for suspicious activity following the recovery stage of incident response to ensure the risk posed by the malware is fully managed.
After-action reviews allow incident responders, stakeholders, and internal partners within an organization to establish lessons learned to improve future incident response events.
How Blumira Can Help
Blumira’s cloud threat detection and response solution alerts your team about suspicious behavior that leads to security incidents, like malware infections — and provides recommendations on next steps. Test it out with a free account.
For more information on how to develop an incident response plan for malware infections, watch our on-demand webinar.