
A Fresh Approach Needed to Prevent Criminals’ Malware Profit


In the first three quarters of 2022, over 62.29 million new types of malware were detected, with approximately 228,000 new threats emerging on a daily basis. While cybersecurity teams and executives are focused on mitigating ransomware attacks, a quiet precursor to these attacks, stealer malware, often goes undetected. This type of malware is notoriously difficult to identify and may remain in a company’s system for years before being discovered.

Stealer malware often goes unnoticed because it appears to have no immediate consequences. However, ransomware attacks are often the direct result of this type of malware, as cybercriminals use the information siphoned from compromised devices to carry out the attack. It is therefore crucial for organizations to make malware remediation part of their security protocol.

As enterprises deploy innovative solutions and tactics to prevent malware infections, companies with work-from-home policies and employees using BYOD or personal devices to access corporate applications often create new openings for malware attacks. The absence of visible indicators on a compromised device makes the malware difficult to detect. If an employee accidentally clicks on an infected link, the malware downloads, siphons data, and then uninstalls itself, leaving little evidence of the infection.

Popular infostealers, like RedLine Stealer malware, are often deployed through phishing emails, links in social media comments, malvertising, or malicious YouTube “tutorials.” Being unaware of such threats means that employees are putting their organization at risk.

While traditional antivirus software offers protection against well-known malware families, newer variants such as RedLine Stealer, Raccoon, or Vidar are much more difficult to detect. Evolving botnet delivery methods that evade detection, coupled with the fact that many malware infections occur outside the traditional, secured perimeter (on remote and personal devices), make the problem harder for companies to address.

Another crucial aspect to consider is the ongoing threat of exposed data. Wiping known malware from an infected device is the most common remediation approach; however, it fails to address the already-siphoned information that may have fallen into the hands of Initial Access Brokers (IABs).

Individuals or groups packaging stolen data from malware and selling it on the dark web are known as IABs. Cybercriminals buy this freshly stolen data and use all the information needed for initial network access, easily bypassing security measures like multi-factor authentication (MFA) and deploying ransomware.

Data sold by IABs remains valuable as long as it is not reset. Credentials stolen in the 2019 Facebook breach are still active despite the breach’s millions of data points having been revealed years ago.

The increasing frequency of malware attacks illustrates the underlying factor driving the thriving underground economy that weaponizes and monetizes network access. To close the gaps that lead to initial malware infections and account for the fallout after a device has been compromised, enterprises need a much more comprehensive remediation process that accounts for darkweb activity and offers more visibility into often unknown and ephemeral malware infections.

The Post-Infection Remediation (PIR) approach is more comprehensive than legacy, machine-centric malware response processes. Where these methods emphasize device remediation and neglect to consider user identity, PIR takes a more identity-centric approach, considering the personally identifiable information (PII) at risk.

To put the approach into action, once the Security Operations Center (SOC) identifies an infected device, the IT team clears it. Concurrently, enterprises use darkweb monitoring tools and human intelligence (HUMINT) teams to scan underground markets for stolen data. The tools and teams find user data and trace it back to the initially compromised asset. SOCs then use the information gathered to remediate all compromised credentials and applications affected by the attack. This can include resetting third-party workforce applications such as Single Sign-On (SSO), code repositories, payroll systems, VPNs, and remote access portals. It ensures that all exposed data is reset to prevent a possible ransomware attack.

Using PIR, IT teams have full visibility into the scope of the threat regardless of whether the infected devices are being monitored, closing previously unseen security gaps and significantly shortening the exposure window for ransomware and other critical threats.
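The PIR workflow described above, as an added worked example (not code from the article or any vendor): it correlates constructed darkweb-monitoring records with the SOC's list of known infected hosts, collapses the same user's credential leaked from several devices into one reset task, orders the work so the workforce applications the article names are reset first, and surfaces devices the SOC never flagged. The `Exposure` record layout, the example.com hostnames and the sample feed are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed mapping of the workforce apps named in the article to hostnames
# (example.com names are placeholders for a real deployment's inventory).
CRITICAL_APPS = {
    "sso.example.com": "Single Sign-On",
    "git.example.com": "code repository",
    "payroll.example.com": "payroll",
    "vpn.example.com": "VPN",
}

@dataclass(frozen=True)
class Exposure:
    host: str    # infected device the stealer log was harvested from
    user: str    # account whose stored credential was siphoned
    target: str  # URL the credential unlocks
    seen: str    # ISO date the record appeared on underground markets

def build_plan(exposures, soc_known_hosts):
    """Trace exposures back to devices; return (reset_tasks, unmonitored_hosts).
    One task per (user, app) so a credential leaked from two devices is reset
    once; critical apps first, then oldest exposure first. unmonitored_hosts are
    devices the darkweb data implicates but the SOC never flagged as infected.
    """
    tasks, unmonitored = {}, set()
    for e in exposures:
        if e.host not in soc_known_hosts:
            unmonitored.add(e.host)
        app_host = urlparse(e.target).hostname or ""
        app = CRITICAL_APPS.get(app_host, app_host)
        t = tasks.setdefault((e.user, app), {
            "user": e.user, "app": app, "critical": app_host in CRITICAL_APPS,
            "hosts": set(), "first_seen": e.seen})
        t["hosts"].add(e.host)
        t["first_seen"] = min(t["first_seen"], e.seen)  # ISO dates sort as text
    ordered = sorted(tasks.values(), key=lambda t: (not t["critical"], t["first_seen"]))
    return ordered, sorted(unmonitored)

# Constructed sample feed: the same user's SSO credential leaked from two
# devices, one of them a home PC the SOC has no infection record for.
SAMPLE_EXPOSURES = [
    Exposure("LAPTOP-A17", "jdoe", "https://sso.example.com/login", "2022-09-03"),
    Exposure("LAPTOP-A17", "jdoe", "https://git.example.com/", "2022-09-03"),
    Exposure("HOME-PC-9", "jdoe", "https://sso.example.com/login", "2022-08-21"),
    Exposure("HOME-PC-9", "jdoe", "https://forum.example.net/", "2022-08-21"),
    Exposure("LAPTOP-B02", "asmith", "https://vpn.example.com/", "2022-09-10"),
]
SOC_KNOWN_HOSTS = {"LAPTOP-A17", "LAPTOP-B02"}
PLAN, UNMONITORED = build_plan(SAMPLE_EXPOSURES, SOC_KNOWN_HOSTS)
```

With the sample feed, the SSO reset for jdoe is ordered first with both devices attached, the forum credential is queued last as non-critical, and HOME-PC-9 is reported as a device the SOC had never seen.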

While employee education is crucial, companies are preparing for the future by proactively mitigating the threat with a PIR approach. By taking an identity-centric approach, they are well equipped to protect against evolving malware practices.
