Obviously, organizations want to do all they can to prevent malware attacks. But the odds are high that an organization will fall victim to a malware infection at some point in time. That’s why it’s critical to have an incident response plan, and to provide IT teams with the tools they need to quickly identify, analyze and remediate a malware attack.
According to the Verizon 2018 Data Breach Investigations Report, there were more than 53,000 security incidents and 2,216 confirmed data breaches in 2017. Thirty percent of those breaches included some form of malware. More than 92 percent of malware is distributed via email, which means that it takes just one user clicking a malicious link or opening a malicious attachment to cause an infection.
Most organizations have antimalware software running on endpoint devices. If malware is detected, IT will quarantine the endpoint and attempt to remove the malware or, in a worst-case scenario, reimage the device. All too often, the remediation efforts end there. However, removing the malware from the endpoint only treats one symptom of what could be a virulent disease, and offers no insight into how the disease may have been contracted in the first place.
Beyond Malware Removal
The mere presence of malware isn’t the threat — it’s the malicious activity that the malware enables. Depending on the nature of the attack, a malware infection can cripple an individual system, open a “backdoor” for exfiltrating data, or spread through the network causing downtime and data loss. IT teams need visibility into the actions that were taken before and after infection in order to formulate an appropriate response to the incident.
This involves analysis of both the infected machine and the malware itself. IT should look at any files that were downloaded to the machine, websites that were visited, any changes to the system registry and outbound connections to remote systems. The malware should be compared against behavioral indicators using static and dynamic analyses.
IT teams also need to analyze the techniques the hacker used to get past the organization’s defenses. For example, if the malware was triggered when the user clicked a malicious link in a phishing email, IT needs to understand how the email made it to the user’s inbox. If a hacker used stolen credentials to gain access to the device, it’s critical to determine if the hacker used brute force methods, obtained credentials stored in memory, or accessed a different endpoint and moved laterally through the network.
Gaining New Insight
Cisco’s Advanced Malware Protection (AMP) solution provides the tools IT needs to determine the origin and scope of compromise and to develop an incident response and remediation plan. Cisco AMP continuously monitors and analyzes file activity and communications for suspicious behavior. If a threat is detected, Cisco AMP alerts IT teams and provides detailed information on the systems that have been affected and the actions the malware has taken.
File trajectory features continually track the propagation of files across the environment, enabling IT to quickly quarantine infected systems and block the malware. Rather than reimaging entire systems — a costly, slow and disruptive process — IT can contain the infection in a surgical way.
The device trajectory features in Cisco AMP continually track activity at the system level so that IT can determine the root cause of an attack. File, system and telemetry events are automatically correlated, giving IT the contextual information needed to identify and prioritize coordinated attacks.
Simply removing malware from infected endpoints is not enough — IT needs visibility into how an attack entered the network and how far it has spread. Cisco AMP provides sophisticated tools that enable IT to quickly contain malware attacks before they cause further damage, and prevent similar threats from entering the network.
