Online services like VirusTotal can be a very handy resource for checking the reputation and intent of malware.
Although advanced attackers can make inroads into your network by having malware leapfrog around until they find what they are looking for, common sense dictates going after the threats targeting more sensitive users and devices first.
In order to do this, you need to classify the devices, networks and users in your organizations based on the criticality of the information stored on a given device or system, or by the criticality of information users have access to. This is best done by:
- Maintaining a list of critical networks and subnets in your organization
- Maintaining a list of critical Active Directory groups based on the sensitivity of users e.g. finance, data center, executive staff etc.
Use an IP address management solution or similar appliance to maintain a real-time mapping of devices, IP addresses, networks and users. This information will be critical in determining the priority of a threat when you see a malware download or command & control alert.
The source of an infection is also an important indicator of maliciousness of malware. Think, who and where your biggest enemies are and if the source of the malware can be traced back to them. It will not be possible always to do so but when you can, it will immediately alert you to the severity of attack and help you with action prioritization.
The simplest way to find adversaries it to try and geo-locate them based on the download URL IP address and command & control traffic IP addresses. There are several Internet resources that can help you geo-locate IP addresses and also provide associated reputation data.
With less than 10% of malware downloads resulting in an infection, there is no reason to chase after malware download alerts that have not taken hold. Therefore, knowing where malware sits in kill-chain — e.g. number of downloads, number of infections and number of command-and-control callbacks — is a clear indicator of severity and can be extremely helpful in prioritizing remediation.
If you see a lot of downloads for a malware type but no command-and-control traffic, it is likely that the anti-virus software is able to catch it or all of your systems are patched appropriately and are not vulnerable to it. On the other hand, if you see a lot off command-and-control traffic for a specific infected device, it is likely the malware is exfiltrating information or causing other damage and must be contained as soon as possible.
Having a clear understanding of how to stop malware from further propagating and control the damage is critical to mitigating threats. Here are three fundamentals for threat mitigation:
- Identify and block the infection source: Once you have decided to take action, it is obvious that you use Firewall and/or Secure Web Gateway devices to block access to the URL that is hosting malware. If email is determined to be the source of malware, send out information to users to not open suspicious attachments.
- Identify and block the command and control traffic: Look at the firewall and web logs to determine the CnC IP addresses and block communications to/from these.
- Identify and clean the infected devices: This is the costliest and most painful mitigation action. Typically a device cleanup will require re-imaging a system, which is time consuming and also makes your employees unproductive as they lose access to their device during cleanup. Ensure your users take regular backups of their devices.
Sign up for Computerworld eNewsletters.