A prospect said a funny thing today, that they have hundreds of people testing malware for them on their network…
The context of the conversation was security operations, and specifically who tests malware beyond making sure a signature is rolled out and/or updated when there is a malware incident. The humor, of course, is that every user on the network is testing malware on production hosts 🙁 Not so funny if you’re the one cleaning it up or – worse – if your IT department isn’t part of your security operations or tightly governed. Even in organizations where governance is pretty solid, which usually means a larger organization, disparate groups tend to struggle over who owns the incident as a whole rather than just their own cog in the wheel.
For example: a malware infection that installs a Trojan is discovered on a host. Signatures are updated and rolled out across the organization. Check – threat neutralized. NOT… Without going deeper we know nothing about that threat: what it may have exfiltrated (sensitive data, passwords, keys, etc.), whether it is commonly associated with other payloads or variants, what its indicators of compromise (IOCs) are, and more. With only anti-virus best practices in place you are left blind to the larger context of threat identification and mitigation, having played whack-a-mole with the one known threat. Countless times I’ve helped organizations locate IOCs for a sample, and then campaign-related IOCs to broaden the context, so they could identify other infected nodes they did not know existed. With context, the threat of the unknown can be revealed. Dridex is a good example: from one intercepted sample you may know a lure file and its hash, a payload and its hash, and possibly a downloader URL and a C&C address. When you look at the larger campaign you can often obtain dozens of important IOCs that are timely and relevant, well beyond the handful tied to the individual sample.
When you suffer a malware intrusion, what would you rather have: a half dozen indicators or dozens of indicators? All in favor of more eyes and ears for your network, raise your virtual hands now! OK, you’re bought in, but now comes the practical question. How can you afford the time, resources, and skilled staff to generate such IOCs? How will investing in staff, their training, or 4D5A Security incident response support lower your total risk exposure? How can you make sure you minimize impact when you do have an infection? It starts with knowing your crown jewels, smart governance, and priorities for how you handle malware. Personally, when I see a nation-state espionage attack against my network, it takes a much higher priority than Anonymous or a script kiddie (SKID) attacking my network. Yes – I do see all of those regularly, but espionage ranks at the top of my list of priorities. That means I handle it first, fastest, and most in-depth compared to other types of threats. If I run into simple adware I will likely handle it very differently, in terms of governance, time, and resources, than an espionage threat.
Need help with your incident response? Put 4D5A Security on retainer now so that the lines of communication are open and NDAs are in place, so that when a crisis hits you’re ready. We provide a very affordable annual retainer service to meet your emergency preparedness and legal/regulatory requirements. Contact us to learn more about 4D5A Security 24×7 incident response retainer services.