As malware becomes more advanced and prolific, we have to think about a new incident response framework to stop infections from becoming full-blown security incidents.
Infostealer malware, in particular, has become so sophisticated that not only can it infect systems undetected and steal authentication information like credentials and web session cookies, but some strains can infect a machine, siphon information, and remove themselves in seconds. Using this form of dissolvable malware, bad actors can steal virtually anything and everything that can be used to gain access to enterprise networks, steal and encrypt files, and launch costly follow-on ransomware attacks.
To properly remediate the risks associated with malware infections, malware incident response steps have to adapt to extend beyond wiping the infected device. Historically, malware incident response has been machine-centric, focusing on identifying the malware, removing the infection, and reimaging the device. But this approach ignores a major factor when it comes to the malware infection itself: addressing the stolen credentials and cookies that allow criminals to bypass MFA, access critical workforce applications, and steal data that aids follow-on attacks.
To properly address the malware threat, we have to make a shift to an identity-centric approach to malware response. Ensuring the device is cleaned and the malware is removed is necessary, but that doesn’t do anything to address the stolen data that ends up being traded and sold on the criminal underground.
Taking additional steps that shift your infection response to be identity-centric can mitigate organizational risk from exposures tied to the malware victim’s identity, and minimize the impact this compromised data and access can have on your business, while also thwarting potential ransomware attacks.
Here’s what an updated malware incident response plan looks like.
7 Incident Response Steps to Fully Remediate Malware Infections
The following malware incident response steps are an addendum to your malware incident response plan to make for a more comprehensive approach to remediation, and can be incorporated into your existing IR runbooks.
Step 1: Isolate the Device
If the detected infection has occurred on a device your organization manages, disable the network access of the infected endpoint to help prevent potential lateral movement. This access can often be restricted using the quarantine features of an Endpoint Detection and Response (EDR) solution, through the corporate domain, VPN and/or SASE configuration, or may sometimes require an individual to manually disable network access.
If your organization uses asset tags on corporate devices, be sure employees know they can call the listed phone number if they are locked out of their device and unsure of what to do. If you don’t use asset tags, incorporate them going forward and be sure they include a corporate “disaster recovery” phone number.
Step 2: Identify the Type, Scope, and Timeline of the Malware Infection
If you have access to the system, it is highly recommended to review endpoint security logs or run a modern antivirus solution to detect the specific malware family involved. Once the malware type has been identified, consult security tools, such as VirusTotal, to confirm the typical behavior of this malware and the risk it brings to your organization.
Modern malware is often immune to traditional methods of identification through Indicators of Compromise (IOCs) like hash values, as executable files are often unique to each victim and Command and Control (C2) infrastructure may be dynamic and rotate quickly. You may also need to include behavior-based detection, such as validated YARA rules, in your detection process.
Many malicious programs will attempt to spread across local domains or networks and infect other devices. Closely review the networked devices and file systems that the user and device had access to, forming an action plan to determine if, and when, the actor attempted to access other corporate resources. If you suspect lateral movement, consider expanding your scope during the isolation process.
Step 3: Create an Image of the Infected System
Step 4: Remove the Malware - If Possible
Use your company-sanctioned detection and remediation tools to remove potentially side-loaded, persistent malware like Cobalt Strike beacons. And while you also have the option of recovering or reinstalling the operating system, it may be best to reformat the hard disk and perform a fresh installation of the operating system or reimage the computer.
Some forms of malware, like the dissolvable, asymptomatic malware we mentioned earlier, are sophisticated and even harder to detect. If this type of infection occurs, the malware may have already removed itself from the device, but you will still need to remediate the exposed user and applications.
Oftentimes, this would be where SOC teams would conclude their actions for tickets related to malware infections.
However, Post-Infection Remediation provides a framework of additional steps to existing malware incident response security protocols, designed to negate opportunities for ransomware and other critical threats by resetting the application credentials and invalidating session cookies siphoned by infostealer malware.
Step 5: Reset Passwords and Usernames for Affected Applications
Make sure the employee signs out of all devices – particularly on corporate applications that may have privileged access into your domain. Ask the employee to use a device that hasn’t been affected by the malware to immediately reset their passwords for applications whose credentials were siphoned by the malware. Advise the employee to never use a compromised password or any variation of it again and be sure to set a unique, complex password for each application (preferably using a company-provided password manager).
If possible for high-profile users, consider the laborious effort to change compromised employee SSO usernames to reduce the impact of a potential password familiar to the threat actor from being reused by that employee in the future.
Step 6: Invalidate Web Sessions
In addition to stealing credentials, infostealer malware also siphons device and web session cookies, potentially leaving the victim’s accounts vulnerable to session hijacking through device impersonation. Changing the application password does not guarantee active user sessions or trusted device tokens will be invalidated. It may be necessary to contact the third-party cloud service provider and request that the compromised user sessions be invalidated.
Step 7: Review the Integrity of Impacted Applications
Starting with the list of impacted applications outlined in steps 5 and 6, review all activity and access logs for the associated users within these applications. Confirm all detected activity is coming from expected IP address ranges and geographies, and all behavior fits the expected profile of the user.
Similar analysis should be performed for all associated domain users. Any access to sensitive data, whether it is expected or not, should be closely scrutinized and if it is determined to be unexpected, should be treated as an incident and run through the company’s cyber incident response process and protocols.
The Importance of Post-Infection Remediation as Part of Malware Incident Response Plans
Optimized remediation enables the SOC to seamlessly and comprehensively neutralize the risk of a ransomware incident that can result from malware exposures, thus addressing a common blind spot in ransomware prevention strategies.
This approach to more complete malware infection response is enabled by SpyCloud Compass. SpyCloud alerts security teams each time a malware infection arises on a device accessing your workforce applications, whether the device is corporate-issued or unmanaged. The alerts deliver definitive evidence of entry points to your organization: detailed information about the infected device, along with the siphoned authentication details for the applications that matter to your business – password managers, security tools, marketing and customer databases, learning and collaboration applications, and HR and payroll systems, to name a few.
Having visibility into data siphoned from employee, vendor and contractor machines infected with infostealers allows SOC teams to effectively close this entry point into their organization, which reduces the enterprise’s risk of ransomware attacks. With Post-Infection Remediation, the required action becomes clear to reset the credentials and invalidate the sessions for every exposed application and user.
By incorporating Post-Infection Remediation as part of your malware-infection response, SOC teams can:
- Disrupt cybercriminals attempting to harm your business
- Significantly shorten your exposure window for ransomware and other critical threats
- Effectively stop malware exposures from becoming full-blown security incidents
Takeaways
- Malware incident response needs to shift from a machine-centric to identity-centric approach to properly address the risk of stolen credentials and cookies. Cleaning the infected device is not enough.
- A complete malware response plan should include steps to reset passwords and usernames, invalidate web sessions, and review access to all impacted applications to close entry points.
- Visibility into data exposed from employee devices, even those unmanaged, allows security teams to effectively remediate risks from infostealer malware.
- How can I incorporate Post-Infection Remediation into my response plan? Tools like SpyCloud Compass can alert you when employee devices accessing your applications get infected. This provides evidence needed to take identity-centric remediation steps like resetting credentials and invalidating sessions across all exposed applications.
