
How to Address the Infostealer Malware Threat


Last year, the number of global malware attacks reached 6.06 billion, a year-over-year increase of 10 percent.

While security teams and company leaders focus much of their attention on the mitigation of ransomware, infostealer malware – the quiet precursor – slips through the cracks.

Infostealer infections are notoriously difficult to identify and often appear to have no immediate consequences. In fact, large corporations, regardless of industry, may suffer from malware for years before an exposure is detected.

Many organizations overlook that ransomware is often a direct result of stealer malware infections. Cybercriminals use the information siphoned from exposed devices to carry out attacks, making proper malware remediation essential for a robust security strategy.

What’s worse, even as enterprises deploy innovative solutions and tactics to prevent infection, companies with work-from-home policies and employees using BYOD or personal devices to access corporate applications often create new opportunities for infection.

To combat this silent threat, enterprises need a new, more comprehensive malware remediation process that accounts for dark web activity and provides more visibility into often unknown and ephemeral malware infections.

The evolving malware landscape

One reason malware is difficult to detect is that there are very few indicators when infostealer malware compromises a device.

For example, if an employee accidentally clicks on a link holding infostealer malware, the malware can install, siphon data, and uninstall itself in five to 10 seconds, leaving little to no evidence of the infection. In a matter of seconds, the employee’s credentials and session cookies are in cybercriminals’ hands.

Likewise, popular infostealers like RedLine Stealer are often deployed through phishing emails, links in social media comments, malvertising, or malicious YouTube “tutorials.” If an unaware employee downloads the malware, bad actors have free rein to use the stolen credentials and data to impersonate the user, decreasing the odds that they will be identified as suspicious.

The sophistication of modern malware

While existing antivirus software offers protection against well-known types of malware, newer variations such as RedLine Stealer, Raccoon, or Vidar are much more difficult to detect. Coupled with evolving botnet delivery methods that can evade detection, and the fact that many malware infections occur outside of the traditional, secured perimeter, it’s no surprise companies are struggling to address the threat.

Another crucial aspect to consider is the ongoing threat of exposed data. Traditionally, wiping known malware from the infected device is the most common remediation approach, but it fails to address the already-siphoned information now in the hands of Initial Access Brokers (IABs).

IABs are individuals or groups who package malware-stolen data and sell it on the dark web. Cybercriminals buy this freshly stolen data and are granted all the information needed for initial network access, making it easy to bypass industry-standard prevention methods like multi-factor authentication (MFA) and deploy ransomware.

The impact of stolen data

As if that wasn’t enough, data sold by IABs remains valuable as long as the exposed credentials have not been reset. For example, although the 2019 Facebook breach exposing millions of data points happened several years ago, it’s possible credentials stolen in that attack are still active, making it an ongoing threat to that platform, its employees, and its users.

A recent rise of IABs illustrates the underlying factor driving the increasing frequency of malware attacks – a thriving underground economy that weaponizes and monetizes network access.

Current cybersecurity measures are unable to close the gaps that lead to initial malware infections and fail to account for the fallout after a device has been compromised. While endpoint detection and application security monitoring are being used as stopgap solutions, they are not enough.

Comprehensive malware remediation strategies

While employee education is the essential first step for a robust security defense, everyone makes mistakes. With the increasing frequency of malware attacks, it’s getting harder and harder to entirely avoid infection. Instead, leaders should proactively mitigate the threat with a Post-Infection Remediation (PIR) approach.  

PIR is a series of steps woven into standard malware infection responses that aims to address the lasting threat of exposed data.

The approach works like this: once the Security Operations Center (SOC) has identified an infected device, the IT team takes the standard first step of clearing the infected device. Enterprises in parallel use dark web monitoring tools and human intelligence (HUMINT) teams to scan the underground for stolen information. The solutions and teams find the user data and trace it back to the initially compromised asset.  

Once armed with this knowledge, SOCs begin remediating all compromised credentials and applications impacted by the attack. This can include third-party workforce applications such as Single Sign-On (SSO), code repositories, payroll systems, VPNs, or remote access portals. If all exposed data is reset, it’s unlikely a full-blown ransomware attack will occur. 

By going straight to the source of the threat – the dark web – SOCs gain insight into all exposed devices and applications. SOCs may not monitor personal devices, but if the stolen data is linked to said device, teams can act to remediate these previously unseen entry points, better protecting the organization and the user. 
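One way to turn recaptured exposure data into a remediation work queue along the lines described above, as an added example that is not part of the original article (the record fields, application names, user addresses and asset inventory are constructed assumptions, not SpyCloud data or code):

```python
from collections import defaultdict

# Application classes the article singles out as high-impact when their
# credentials are exposed (SSO, code repos, payroll, VPN, remote access).
# Assumed labels for the example.
HIGH_IMPACT = {"sso", "vpn", "code_repo", "payroll", "remote_access"}

# Constructed sample records in the shape a dark-web monitoring feed might
# return for recaptured infostealer logs (field names are assumptions).
SAMPLE_RECORDS = [
    {"user": "alice@example.com", "app": "sso", "device_id": "LT-0142",
     "has_session_cookie": True},
    {"user": "alice@example.com", "app": "payroll", "device_id": "LT-0142",
     "has_session_cookie": False},
    {"user": "bob@example.com", "app": "vpn", "device_id": "home-pc-7b3",
     "has_session_cookie": True},
    {"user": "bob@example.com", "app": "vpn", "device_id": "home-pc-7b3",
     "has_session_cookie": True},  # duplicate from a second underground listing
    {"user": "carol@example.com", "app": "wiki", "device_id": "LT-0077",
     "has_session_cookie": False},
]

MANAGED_DEVICES = {"LT-0142", "LT-0077"}  # constructed asset inventory


def build_remediation_plan(records, managed_devices):
    """Group exposure records per user into concrete remediation actions.

    Every exposed credential is reset; where a session cookie was also
    stolen, live sessions are revoked too, because a password reset alone
    does not log the attacker out. Devices missing from the asset inventory
    are flagged as unmanaged (BYOD/personal) entry points to follow up on.
    Returns a list of (user, actions) sorted with high-priority users first.
    """
    plan = defaultdict(lambda: {"reset": set(), "revoke_sessions": set(),
                                "unmanaged_devices": set(), "priority": "normal"})
    for rec in records:  # duplicate listings collapse naturally into the sets
        entry = plan[rec["user"]]
        entry["reset"].add(rec["app"])
        if rec["has_session_cookie"]:
            entry["revoke_sessions"].add(rec["app"])
        if rec["device_id"] not in managed_devices:
            entry["unmanaged_devices"].add(rec["device_id"])
        if rec["app"] in HIGH_IMPACT:
            entry["priority"] = "high"
    return sorted(plan.items(), key=lambda kv: (kv[1]["priority"] != "high", kv[0]))


if __name__ == "__main__":
    for user, actions in build_remediation_plan(SAMPLE_RECORDS, MANAGED_DEVICES):
        print(user, actions)
```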

[Figure: Comprehensive malware remediation process. The steps that make up a more comprehensive malware remediation process.]

PIR is more comprehensive than legacy, machine-centric malware response processes. Where these methods emphasize device remediation and neglect to consider user identity, PIR takes a more identity-centric approach, considering the personally identifiable information (PII) at risk. 

Using this approach, leaders and executives can equip themselves for future success against evolving malware practices. Regardless of whether infected devices are being monitored, IT teams will have full visibility into the scope of the threat, significantly shortening the exposure window for ransomware and other critical threats while closing previously unseen security gaps.

Note: A version of this article was originally published as a contributed article in the 2023 RSA Special Edition of the Cyber Defense Magazine.

