Online and hybrid workplaces have become ubiquitous in the past several years, catering to employees’ digital-first lives with convenience, ease, and minimal friction. The shift to digital- and cloud-first has exponentially increased the information available about employees’ digital identities, as well as the attack surface. But security operations (SecOps) teams cannot keep up with the pace of this change and the heightened security risks of the new environment – according to our new Malware Readiness & Defense Report.
Our benchmark survey of nearly 320 IT security practitioners and leaders shows that organizations are highly aware of the risk that malware infections create for follow-on cybercrime – such as ransomware attacks. Yet most struggle with comprehensive Post-Infection Remediation steps to combat malware-exfiltrated authentication data that threatens the security of critical workforce applications. As technology evolves, the employees’ digital footprints are simply scaling beyond IT’s visibility and control, affecting security posture and causing major headaches for the teams responsible for securing organization’s valuable systems, networks and data.
Let’s look at some of the report’s highlights:
57%
of organizations allow employees to sync browser data between personal and corporate devices – enabling bad actors to steal employee credentials through infected shared or personal devices, while flying under the radar.
54%
of organizations struggle with shadow IT due to employees’ unsanctioned adoption of applications and systems – creating gaps not only in visibility but also in basic security controls.
36%
of organizations allow unmanaged personal devices and 27% allow third-party devices to access business applications and systems – increasing the risk of devices that lack robust security measures accessing sensitive data and resources.
Incomplete Post-Infection Remediation Gives Attackers the Upper Hand
Survey respondents ranked infostealers as a top 3 concern, indicating that security teams are aware of the growing infostealer threat. And 98% agreed that their organization would significantly improve its security posture if it had better capabilities to gain a clear picture of business applications at risk of infostealer-infected devices.
As we saw from the recently released Verizon 2023 Data Breach Investigations Report, web applications are, by far, the type of asset most affected in breaches. Clearly, web-based applications are valuable to attackers because organizations depend on these apps for everything from SSO and payroll to video conferencing and email. SpyCloud’s research shows that every malware infection exposes access to an average of 26 business applications, which makes fast detection and remediation key to disrupting cybercriminals attempting to steal data from these apps to further their crimes.
Attacker dwell time has been increasing, which means bad actors have plenty of time to act. By gaining a complete picture of applications compromised by malware – including stolen credentials, siphoned session cookies/tokens, and target URLs – security teams can improve their mean time-to-discovery (MTTD) and mean time-to-remediation (MTTR) metrics. With this visibility, they can quickly negate attackers’ opportunities to operationalize the stolen data and disrupt follow-on attacks – shortening the organization’s window of exposure.
Yet we found that many security teams lack the ability and speed to identify business applications exposed by an infected device, with respondents ranking this capability below the other remediation steps.
Further, our findings show that many teams stop short of remediating the full risk posed by an infostealer infection because they don’t take complete Post-Infection Remediation steps:
27%
don’t routinely review application logs for signs of compromise
36%
don’t reset passwords for potentially exposed applications
39%
don’t terminate session cookies at the sign of exposure
The lack of action on these exposures leaves “initial access” pathways open for ransomware operators.
Changing Antiquated Practices Requires a Paradigm Shift
Keeping up with the rapid pace of digital expansion and the evolution of technology in the workplace is a fruitless endeavor without changing the traditional ways of malware remediation. To stop ransomware attackers and other threat actors in their tracks, the first problem that SecOps teams must solve is the lack of visibility into infostealer infections on all devices connecting to the network – including managed, unmanaged, and under-managed.
Gaining complete visibility is only one part of the puzzle. The biggest mistake most IT security teams make is thinking of malware as a device problem and stopping at endpoint remediation. Their machine-centric process – identifying the malware-infected device, isolating it and the user from the network, and wiping the machine – only removes the initial connection with the malicious actor.
These steps do nothing to mitigate the impact of the malware-exfiltrated data. By the time the SecOps team reacts (assuming they have visibility into infected devices in the first place), the credentials, session cookies, and other authentication data are well on their way to darknet markets to be exploited.
To stop falling behind in securing the new ways of doing business, organizations must evolve their tactics to an identity-centered approach. Identity-based Post-Infection Remediation is a paradigm shift that goes beyond traditional malware response with additional steps, remediating exposure from the affected applications and users.
Our report clearly shows a disconnect between awareness and concern about the malware threat and the ability to properly mitigate the threat and minimize security impact. This gap validates the need for complete Post-Infection Remediation, especially as our digital lives – and footprints – continue to expand and the human factor remains a key risk driver.
While organizations are slow to adapt their tactics to the new digital landscape, cybercriminals have no problem with speed and agility, innovating quickly and consistently to respond to the new trends. The best way for security teams to turn the tables is with a mindset change – starting with gaining visibility into exactly what access was stolen and then taking all the steps (in an automated fashion) to slam the door on cybercriminals.
