It Ain’t Over Til It’s Over: Why Post-Infection Remediation Is Needed to Truly Resolve Malware Infections

The cost of cybercrime to U.S. businesses in 2021 was nearly $7 billion, and ransomware is leading the charge. News feeds seem to be all ransomware, all the time, with a sprinkle of the affiliated criminal enterprises that feed it. In 2022, more than 4 billion malware attempts were recorded, and no company size was immune. For perhaps the first time, cybersecurity is being discussed from the board level on down.

Despite 86% of businesses increasing their security budgets to try to prevent it, 90% of the businesses we surveyed said they were affected by ransomware in the last 12 months, most of them two or more times. Many of the rest are starting to feel it is only a matter of time until they are hit themselves.

Ultimately, ransomware is a malware problem, just not the malware problem most of us picture. As ransomware operators have become more sophisticated, they have outsourced parts of their campaigns, including initial access. Infostealer malware siphons credentials, system information, and browser session cookies from infected machines, and those logs are then sold to ransomware syndicates, which use them to get in.

Malware Visibility Beyond the Device

The catch is that these infections frequently happen outside the traditional perimeter: on home computers, or on a contractor's machine. With browsers syncing passwords, even unmanaged or under-managed machines are enticing targets for initial access brokers. The personal computer that has synced everything from a work browser is almost never visible to security teams, and you can't protect (or fix) what you can't see.

Even for teams with excellent visibility, the response usually focuses on the device itself, yet the most critical systems and applications no longer sit on local machines. Think of everything we use most: messaging apps, CRM systems, ticketing, code repositories, inventory, accounting, and more. All of it is accessed in the cloud with credentials.

Better protection really does require more than wiping a laptop. Security teams need to see what was actually stolen and prioritize the most critical exposures; the applications are as important to protect as the devices themselves. So how do we do that? The most proactive approach is to treat the earliest signs of the disease rather than doing late-stage triage, by getting better visibility into initial access vectors. Ransomware is a hard problem, but if we take away these criminals' biggest source of targeting information, we can stop attacks before they happen.

To give security teams visibility into actual infections and early signals of potential ransomware attacks, we've expanded SpyCloud's Enterprise Protection solutions with the launch of SpyCloud Compass, a first-of-its-kind ransomware prevention solution.

Steps to Stop a Malware Infection from Causing Further Harm

Since wiping the device doesn't end the impact of the infection, teams can now apply SpyCloud's Post-Infection Remediation workflow, delivered through Compass, to plug the gap in their process before cybercriminals exploit it further.

Post-Infection Remediation is SpyCloud's new, critical addition to malware infection response. It enables security teams to finally understand, visualize, and act on the full scope of the infection's threat to the business, and it enhances existing incident response protocols with additional steps, including resetting passwords and invalidating sessions for critical workforce applications compromised by an infostealer infection. Both steps matter: a password reset alone does not end a session an attacker already holds through a stolen cookie, which is why session invalidation is a separate step. Together they let security teams remediate much more than the infected device, re-securing affected applications and closing entry points for ransomware attacks.

Compass helps enterprises combat precursor infections by surfacing definitive evidence of malware-infected devices, including the exposed users and applications that cybercriminals use to walk right into your network.

Identify soft targets outside of corporate oversight: Gain visibility of threats beyond corporate control, including employees’ and vendors’ unmanaged and under-managed, malware-infected devices that are used to access workforce applications.

Illuminate the wider attack surface: Identify your commonly used corporate applications, such as SSO, CRM, payroll systems, VPN, security tools, and more that have exposed authentication details from a malware infection and could serve as an entry point for ransomware.

Accelerate and bolster incident response: Shortcut the incident response process by assessing the scope of a threat at a glance and prioritizing high-risk device and application exposures.

Reduce your risk of ransomware: Discover hard-to-detect malware infections that can serve as precursors to ransomware and respond with SpyCloud’s Post-Infection Remediation to reduce your risk.
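The scoping step described above, worked through as an added example that is not part of this post and not Compass's code. It takes the two artifacts an infostealer log typically contains, a credential dump in the URL/USER/PASS layout and a Netscape-format cookies.txt, maps each exposed host to a corporate application, flags cookies that are still replayable, detects password reuse across hosts, and ranks what to remediate first. The sample data, the application inventory with its criticality tiers, and the analysis timestamp are all constructed for illustration.

```python
"""Scope an infostealer exposure from the artifacts in a stealer log.

Added example, not SpyCloud's or Compass's code. The inputs are constructed
samples in two layouts stealer logs commonly use: a credential dump of
URL/USER/PASS line triples and a Netscape-format cookies.txt. The app
inventory, criticality tiers and analysis time are assumptions.
"""
import re
from urllib.parse import urlsplit

NOW = 1_700_000_000  # constructed analysis time, fixed so the run is reproducible

SAMPLE_PASSWORDS = """\
URL: https://crm.example-corp.com/login
USER: jdoe@example-corp.com
PASS: Summer2023!

URL: https://sso.example-corp.com/
USER: jdoe@example-corp.com
PASS: Summer2023!

URL: https://www.some-shop.example/account
USER: jdoe@gmail.com
PASS: hunter2
"""

# Netscape cookies.txt columns: domain, subdomains, path, secure, expiry, name, value
SAMPLE_COOKIES = (
    "# Netscape HTTP Cookie File\n"
    f".crm.example-corp.com\tTRUE\t/\tTRUE\t{NOW + 86400}\tsessionid\tabc123\n"
    f".sso.example-corp.com\tTRUE\t/\tTRUE\t{NOW - 86400}\tsid\tdef456\n"
    f".some-shop.example\tTRUE\t/\tTRUE\t{NOW + 86400}\tcart\tzzz\n"
)

# Assumed corporate application inventory: domain -> (app name, criticality 1-3)
CORPORATE_APPS = {"sso.example-corp.com": ("SSO", 3), "crm.example-corp.com": ("CRM", 2)}

CRED_RE = re.compile(r"URL:\s*(?P<url>\S+)\s+USER:\s*(?P<user>\S+)\s+PASS:[ \t]*(?P<pw>[^\n]*)")

def parse_credentials(text):
    """One {host, user, password} record per URL/USER/PASS triple."""
    return [{"host": urlsplit(m["url"]).hostname or "", "user": m["user"],
             "password": m["pw"].strip()} for m in CRED_RE.finditer(text)]

def parse_cookies(text, now=NOW):
    """One {domain, name, live} record per cookie line; comments and malformed lines skipped."""
    cookies = []
    for line in text.splitlines():
        fields = line.split("\t")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        domain, _, _, _, expiry, name, _ = fields
        # expiry 0 is a browser-session cookie: no expiry known, so treat it as replayable
        live = expiry == "0" or int(expiry) > now
        cookies.append({"domain": domain.lstrip("."), "name": name, "live": live})
    return cookies

def match_app(host, apps=CORPORATE_APPS):
    """Inventory key for host or any parent domain (eu.crm.example-corp.com -> CRM), else None."""
    labels = host.split(".")
    return next((".".join(labels[i:]) for i in range(len(labels)) if ".".join(labels[i:]) in apps), None)

def scope_exposure(creds, cookies, apps=CORPORATE_APPS):
    """Group exposed passwords and live cookies by corporate app and rank what to fix first."""
    hosts_by_password = {}
    for c in creds:
        hosts_by_password.setdefault(c["password"], set()).add(c["host"])
    findings = {}

    def finding(key):
        return findings.setdefault(key, {"app": apps[key][0], "criticality": apps[key][1],
                                         "users": set(), "password_exposed": False,
                                         "live_session": False, "reused_on": set(), "actions": []})

    for c in creds:
        key = match_app(c["host"], apps)
        if key:
            f = finding(key)
            f["users"].add(c["user"])
            f["password_exposed"] = True
            f["reused_on"] |= hosts_by_password[c["password"]] - {c["host"]}  # same password elsewhere
    for ck in cookies:
        key = match_app(ck["domain"], apps)
        if key and ck["live"]:
            finding(key)["live_session"] = True  # replayable right now: login and MFA never prompt
    for f in findings.values():
        if f["live_session"]:
            f["actions"].append("revoke all active sessions and refresh tokens")
        if f["password_exposed"]:
            f["actions"].append("force a password reset and re-verify MFA enrolment")
        if f["reused_on"]:
            f["actions"].append("password reused on %d other site(s); reset those too" % len(f["reused_on"]))
    # a live session outranks a stale password on any app; ties broken by criticality
    return sorted(findings.values(), key=lambda f: (f["live_session"], f["criticality"]), reverse=True)

if __name__ == "__main__":
    for f in scope_exposure(parse_credentials(SAMPLE_PASSWORDS), parse_cookies(SAMPLE_COOKIES)):
        print(f["app"], f["live_session"], f["actions"])
```

On the constructed sample the CRM comes out ahead of the SSO portal even though the SSO is rated more critical, because the CRM cookie is still valid and can be replayed immediately, while the SSO exposure is a password that was also reused for the CRM. Real logs vary in layout per stealer family, so the parsers are the part a team would adapt; the ranking logic is the part that carries over.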

How SpyCloud Compass Supports SOC Teams for Proper Response to Malware

Let’s take a look at several situations where Compass enables security teams to conduct complete Post-Infection Remediation.

Scenario #1:

Your security team has very strict “Bring Your Own Device” (BYOD) policies and guidelines regarding security tools on managed, corporate devices. So is there still corporate risk?

Yes. Many organizations have strict BYOD policies in place, and IT keeps security updates current to help protect the workforce from malware. Attacks still slip through the cracks because, as noted above, security teams can't respond to what they can't see.

Let's say a sales representative is getting ready to travel for a customer meeting. In a hurry to prepare, he uses his personal laptop to log into the company's CRM. His personal device is infected with infostealer malware. By replaying the session cookie the infostealer siphoned, the criminal picks up the victim's already-authenticated CRM session: the CRM login and the MFA prompt are never triggered, so the bad actor reaches confidential customer information without tripping a login alert.

With traditional ransomware prevention tools, the malware infection itself may have been identified, but its origin and the authentication credentials and web sessions it compromised would not have come to light. With Compass, SOC teams can pinpoint each application the user accessed from his personal device, which gives the security team a clearer and more accurate picture of the full impact of the infection and the ability to remediate every entry point into the organization.
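Why the stolen cookie in Scenario #1 survives a reimage and even a password reset, and what "invalidating sessions" has to mean server-side, shown as an added example that is not part of this post and not SpyCloud's or any vendor's code. A toy web application issues an HMAC-signed session cookie that carries the user id and a per-user session generation counter; revoking sessions bumps that counter so every previously issued cookie fails validation. The secret, user store, password hashing and cookie layout are assumptions made for illustration.

```python
"""Why a reimage plus a password reset does not end a session stolen by an infostealer.

Added example, not SpyCloud's or any vendor's code. A toy web app issues an
HMAC-signed session cookie carrying the user id and a per-user session
generation counter; revoking sessions means bumping that counter. The
secret, user store and cookie layout are assumptions for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
SALT = b"constructed-static-salt"  # toy only: use a per-user random salt and argon2/scrypt in production

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Assumed user store. session_gen is the only state that matters for revocation.
USERS = {"jdoe": {"pw_hash": _pw_hash("Summer2023!"), "session_gen": 1}}

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()

def issue_session_cookie(user: str, mfa_passed: bool) -> str:
    """Only after password and MFA succeed. The cookie is bound to the user's current generation."""
    if not mfa_passed:
        raise PermissionError("MFA required before a session is issued")
    payload = json.dumps({"user": user, "gen": USERS[user]["session_gen"]}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def authenticate_cookie(cookie: str):
    """Return the user if the cookie is genuine and its generation is still current, else None.

    Note what is NOT checked here: the password and MFA. A replayed cookie sails past both.
    """
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # forged or tampered
    data = json.loads(payload)
    record = USERS.get(data.get("user"))
    if record is None or data.get("gen") != record["session_gen"]:
        return None  # issued before the last revocation
    return data["user"]

def reset_password_only(user: str, new_password: str) -> None:
    """The traditional remediation step: touches the password, not existing sessions."""
    USERS[user]["pw_hash"] = _pw_hash(new_password)

def revoke_all_sessions(user: str) -> None:
    """Post-infection step: every cookie issued under the old generation is now dead."""
    USERS[user]["session_gen"] += 1

def tamper_generation(cookie: str, gen: int) -> str:
    """Attacker edits the generation in a stolen cookie but cannot re-sign it."""
    body, sig = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(body))
    data["gen"] = gen
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode() + "." + sig

def stolen_cookie_timeline(user: str = "jdoe") -> dict:
    """Replay the stolen cookie at each remediation stage; True means the attacker is still in."""
    stolen = issue_session_cookie(user, mfa_passed=True)  # victim's real login; the stealer exfiltrates this
    out = {"before_remediation": authenticate_cookie(stolen) == user}
    reset_password_only(user, "NewPassw0rd!")
    out["after_password_reset"] = authenticate_cookie(stolen) == user
    revoke_all_sessions(user)
    out["after_session_revoke"] = authenticate_cookie(stolen) == user
    forged = tamper_generation(stolen, USERS[user]["session_gen"])
    out["after_revoke_with_forged_gen"] = authenticate_cookie(forged) == user
    return out

if __name__ == "__main__":
    print(stolen_cookie_timeline())
```

The timeline shows the attacker still authenticated after the password reset and only locked out once the generation is bumped. In a real SaaS application or identity provider the equivalent control is the "sign out everywhere" or "revoke all sessions" operation, and it has to be run in addition to the password reset. Refresh tokens and API keys that a stealer lifts alongside the cookie are separate credentials with their own revocation paths and need to be handled in the same pass.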

Scenario #2:

Your company allows some usage of personal devices so your security team maintains endpoint security tools, monitoring applications, and requires MFA. Your employees are maintaining proper security, right?

Not necessarily. One challenge we are seeing is what we've coined "under-managed devices": corporate devices that are not fully up to date on OS, security, and application updates. These devices are a vulnerable access point into a corporate network. Surprisingly, Kaspersky found that nearly half of surveyed employees refuse to update their corporate devices. Many said they wait to see whether other users have problems after updating, and 40% said they don't think device updates are their responsibility.

Before Compass, cybercriminals could walk right into your network through under-managed devices, taking full advantage of the lag and friction this behavior creates. With the insight Compass provides into malware-infected devices, including under-managed ones, enterprises can proactively address this critical blind spot in their ransomware defenses. Even where employees' security hygiene is poor, SpyCloud can still help you stay ahead of attacks that could disrupt your business.

Scenario #3:

Your department uses a third-party contractor to help you with certain projects. Can you trust that the contractor has good security hygiene?

Ideally, yes, but again, not necessarily. Many organizations use contractors for an array of work: web development, round-the-clock operations, access to a bigger talent pool. It is very common for third parties not to hold the same security standards and to end up being the source of a breach. In fact, a 2022 Ponemon study found that fewer than 40% of respondents are confident their external vendors would notify them of a security incident.

Recent SpyCloud research for an organization that believed it had strong security measures in place uncovered a malware-infected device being used by a contractor located overseas. With no way to measure the efficacy of the controls of vendors who access their systems, the customer would have had no insight into this threat. With Compass, organizations gain visibility into this gap in their ransomware prevention strategy and get actionable steps to fully respond to malware infections, including those on third-party contractors' devices.

Post-Infection Remediation: The New Paradigm for Preventing Ransomware

Scenarios like these have serious repercussions long after a device has been cleaned or reimaged. If the information the malware siphoned is not addressed, cybercriminals retain easy, hard-to-detect access to your network using fresh infostealer data. Post-Infection Remediation mitigates that exposure by moving incident response away from a machine-centric process to an identity-centric one.

Many organizations have layered on tools like endpoint detection and application security monitoring to fill some of their security gaps. The problem is that these tools often provide limited protection and don't scale with the growing demand for data protection, while malware continues to get more sophisticated. Some infostealers install, siphon data, and uninstall themselves in five to ten seconds, leaving little or no forensic evidence of the infection on the host.

We've found that most organizations remediate malware as best they can, but the process is antiquated and incomplete, focused only on the physical machine. Enterprises need to augment existing incident response protocols to cover the total potential attack surface.

Compass goes beyond the infected device and gives much-needed visibility into the users and applications exposed by a malware infection. These details help SOCs and security teams see the scope of the threat at a glance, shorten the investigation, and remediate the infection quickly. As a result, the attack window closes faster, and cybercriminals are stopped from turning the data they stole from the infected device into a full-blown security incident such as a ransomware attack. It's all about discovering the infection, understanding its impact, and remediating it efficiently, without overburdening existing resources, so you can prevent future attacks.

Learn how to navigate Post-Infection Remediation and prevent ransomware attacks with SpyCloud Compass.