Your Organization Has Just Been Attacked by Malware – Now What?

Effective Malware Response Requires Visibility and Control Across the Entire IT Environment and Along the Full Threat Lifecycle.

In this business we must ask ourselves every day, “Are we prepared in the event of a malware attack?” Many believe the answer is “No.”

According to ESG Research’s U.S. Advanced Persistent Threat Analysis (November 2011), 77 percent of enterprise organizations will increase security spending in response to advanced malware and targeted attacks such as Advanced Persistent Threats (APTs). These sophisticated threats can take any organization by surprise. Even the best-laid security and incident response plans tend to be based on an outdated picture of the threat landscape and on singularly focused defenses.

Targeted and cunning, advanced malware compromises environments from an array of attack vectors, takes endless form factors, launches attacks over time and can obfuscate the exfiltration of data. While detection and protection technologies have evolved and demonstrate significant improvements over traditional methods, breaches abound. Promises of a ‘silver bullet’ solution to a multi-faceted problem can leave security and response teams blind to key information necessary to respond to a targeted attack and a focused, determined attacker.

Modern threats demand a modern response strategy along the full threat lifecycle. Let’s take a closer look at key considerations for updating your security and incident response strategy with the objective of gaining visibility and control of advanced malware for better protection.


Shoring Up Defenses: Any advanced malware response strategy must start with detection and blocking. In order to have effective detection and blocking without a lot of “noise,” you need a baseline of information about what’s on your network in order to defend it: devices, operating systems, services, applications, users, content and potential vulnerabilities. Malware detection, the ability to identify files as malware at the point of entry and remediate accordingly, combined with access control over applications and users, is also important. Not only do these measures help you reduce your attack surface, but with the right informational context a detection may also indicate that your organization is in the bull’s-eye of a targeted attack. Unfortunately, this first line of defense is where many security and response strategies begin and end.

What’s needed is the ability to roll back time against would-be attackers: to understand the context of a detection within the broader community of malware, and whether the sample is widely distributed or unique and meant specifically for you. Retrospective detection is a means to continuously look back and compare any program already seen against the latest threat intelligence, effectively eliminating a key dimension of attack – time. A lattice of detection technologies that work together, leveraging context from each other to improve detection at the point of entry and retrospectively on the network and host systems, is essential when updating your response strategy.


Identifying the Target(s): Still, even the best threat detection and blocking only goes so far. When an attack does happen you need to be able to identify ‘Patient Zero’, the malware origination point. From there, visibility into the affected systems, the application that introduced the malware and the files that are causing it to spread enables you to address the infection at the root and avoid re-infection.

The ability to understand how the malware is communicating within and outside the network, system to system, application to application and out to Command and Control servers and other malicious sites provides even more insight to identify origination points, control affected systems and stop reinfection. When you’re under siege, finding affected systems quickly is the key to breaking the malware lifecycle.

Enemy Reconnaissance: When an attacker successfully circumvents traditional security technologies, your incident response plan kicks in. At that point, chances are you’re in firefighter mode, without the time, or a PhD in forensics, to delve into volumes of data and sophisticated analytics. Using Big Data analytics to identify the fundamental behavioral characteristics of the malware will help you to quickly understand the threat. Visibility into how the malware affects other files it has either interacted with or dropped on the system is also essential.

The old adage “one bad apple can spoil the bunch” applies here. Understanding system-to-system relationships is critically important. Has the malware already begun communicating with other systems? If so, the attacker may have already established a foothold on other systems by leveraging escalated privileges gained on the original affected system. With this level of access, the attacker could leave the original infected system and spread to other systems, becoming invisible to traditional detection methods until the damage is done. Gaining deeper insight into the threat and its trajectory will help you defeat it.
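The ‘Patient Zero’ and trajectory questions raised under Identifying the Target(s), and the system-to-system relationships discussed in this section, can be answered from ordinary file-arrival and connection telemetry. The script below is an added example written for this article, not code from the author or any product the article refers to. The events, hostnames, truncated hashes and command-and-control addresses in it are constructed, and the event schema (`via` and `source` fields recording how each file arrived on a host) is an assumption about what an endpoint sensor records.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample telemetry for the walkthrough (not from the article).
# Hashes are truncated placeholders, not real indicators.
ATTACH = "3f9c1a7e"   # phishing attachment that started it
LOADER = "b7e21d44"   # payload dropped by the attachment, later copied host to host
IMPLANT = "9d0a55c2"  # second-stage file dropped by the loader on one host
BENIGN = "00ff3e19"   # unrelated download that must stay out of the picture


@dataclass(frozen=True)
class FileEvent:
    ts: int        # seconds since epoch (constructed)
    host: str
    sha256: str
    via: str       # "email", "web", "lateral" (copied from another host), "dropped" (written by a parent file)
    source: str    # upstream host for "lateral", parent hash for "dropped", "" otherwise


@dataclass(frozen=True)
class Flow:
    ts: int
    src_host: str
    dst: str
    dst_port: int


EVENTS = [
    FileEvent(900,  "ws-09",  BENIGN,  "web",     ""),
    FileEvent(1000, "ws-17",  ATTACH,  "email",   ""),
    FileEvent(1300, "ws-17",  LOADER,  "dropped", ATTACH),
    FileEvent(1600, "ws-22",  LOADER,  "lateral", "ws-17"),
    FileEvent(1900, "srv-03", LOADER,  "lateral", "ws-17"),
    FileEvent(2200, "ws-40",  LOADER,  "lateral", "ws-22"),
    FileEvent(2400, "ws-40",  IMPLANT, "dropped", LOADER),
]
FLOWS = [
    Flow(1350, "ws-17",  "203.0.113.10", 443),
    Flow(1650, "ws-22",  "203.0.113.10", 443),
    Flow(2000, "srv-03", "198.51.100.7", 8443),
    Flow(2300, "ws-09",  "192.0.2.5",    443),
]
KNOWN_C2 = {"203.0.113.10", "198.51.100.7"}  # constructed intel, documentation-range addresses


def related_hashes(seed: str, events=EVENTS) -> set[str]:
    """Files tied to `seed` through drop relationships, walked in both directions."""
    neighbours: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.via == "dropped" and e.source:
            neighbours[e.sha256].add(e.source)
            neighbours[e.source].add(e.sha256)
    seen, queue = {seed}, deque([seed])
    while queue:
        for n in neighbours[queue.popleft()]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


def patient_zero(hashes: set[str], events=EVENTS) -> tuple[str, int, str]:
    """Earliest sighting of any file in the cluster: host, time and entry channel."""
    first = min((e for e in events if e.sha256 in hashes), key=lambda e: e.ts)
    return first.host, first.ts, first.via


def trajectory(hashes: set[str], events=EVENTS):
    """Affected hosts, host-to-host copy edges, and the files doing the spreading."""
    hosts, edges, spreaders = set(), set(), set()
    for e in events:
        if e.sha256 not in hashes:
            continue
        hosts.add(e.host)
        if e.via == "lateral" and e.source:
            edges.add((e.source, e.host))
            spreaders.add(e.sha256)
    return hosts, edges, spreaders


def c2_contacts(hosts: set[str], flows=FLOWS, known_c2=KNOWN_C2) -> list[tuple[str, str]]:
    """Outbound connections from affected hosts to known command-and-control addresses."""
    return sorted({(f.src_host, f.dst) for f in flows if f.src_host in hosts and f.dst in known_c2})


def investigate(seed: str) -> dict:
    """Start from one convicted hash, work back to the origin and out along the spread."""
    cluster = related_hashes(seed)
    hosts, edges, spreaders = trajectory(cluster)
    return {
        "cluster": cluster,
        "patient_zero": patient_zero(cluster),
        "affected_hosts": hosts,
        "spread_edges": edges,
        "spreading_files": spreaders,
        "c2_contacts": c2_contacts(hosts),
    }


if __name__ == "__main__":
    for key, value in investigate(LOADER).items():
        print(f"{key}: {value}")
```

Whichever file in the cluster is the one your sensors convicted first, the drop relationships lead back to the attachment on ws-17, the lateral edges give the hosts to contain, and the flow join shows which of them have already reached out to a known command-and-control address, which is the “has it begun communicating with other systems” question answered from data rather than guesswork.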

Gaining the Upper Hand: With greater visibility and better protection, you can start to gain control and remediate. Detection and blocking combined with identifying affected systems ensures you start from a position of strength, eradicating the malware so you don’t lose ground. Updating protections based on the latest threat intelligence as well as constraining and eliminating attack vectors with application control enables you to further reduce risk. Understanding file behavior and its path can help you minimize the impact of an attack and recover.

You also need control over gray areas, and in the case of advanced malware there’s a lot of gray area between ‘known good’ and ‘known bad’ files. You need to be able to block suspicious files or continue to track and analyze them against real-time threat intelligence. If security data indicates that a suspicious or unknown file is actually malware, retrospective remediation enables you to remove it. But control can’t stop at the network. Network-based protection should work in lock-step with device protection to ensure a comprehensive response and remediation across the full lifecycle of threats.
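The retrospective detection described under Shoring Up Defenses and the gray-area control described here are one mechanism seen from two sides: unknown files are allowed through but remembered together with the intelligence version they were judged under, and each new intelligence version re-judges them, producing remediation actions for files that turn out to have been malware. The Python below is an added example written for this article, not the author’s or any product’s code, that models that loop. The hashes, hosts and paths are constructed placeholders, and the integer feed version is an assumption about how an intelligence source publishes updates.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    KNOWN_GOOD = "known_good"
    KNOWN_BAD = "known_bad"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class ThreatIntel:
    """One published version of the feed; versions only ever grow (assumed model)."""
    version: int
    bad_hashes: frozenset[str]
    good_hashes: frozenset[str]   # trusted allowlist, e.g. signed vendor installers

    def verdict(self, sha256: str) -> Verdict:
        if sha256 in self.bad_hashes:
            return Verdict.KNOWN_BAD
        if sha256 in self.good_hashes:
            return Verdict.KNOWN_GOOD
        return Verdict.UNKNOWN


@dataclass(frozen=True)
class Sighting:
    ts: int
    host: str
    path: str
    sha256: str


@dataclass
class FileLedger:
    """Files the sensors let through without a verdict, keyed to the intel version that judged them."""
    tracked: dict[Sighting, int] = field(default_factory=dict)
    blocked_at_entry: list[Sighting] = field(default_factory=list)


def disposition_at_entry(ledger: FileLedger, s: Sighting, intel: ThreatIntel) -> str:
    """Point-of-entry decision: block known bad, allow known good, allow-but-track the gray area."""
    v = intel.verdict(s.sha256)
    if v is Verdict.KNOWN_BAD:
        ledger.blocked_at_entry.append(s)
        return "block"
    if v is Verdict.KNOWN_GOOD:
        return "allow"
    ledger.tracked[s] = intel.version
    return "track"


def retrospective_scan(ledger: FileLedger, intel: ThreatIntel) -> list[tuple[str, str, str]]:
    """Re-judge every tracked file against newer intel; return (host, path, sha256) to remediate."""
    actions = []
    for s, judged_under in list(ledger.tracked.items()):
        if judged_under >= intel.version:
            continue                      # this feed version has nothing new for this file
        v = intel.verdict(s.sha256)
        if v is Verdict.KNOWN_BAD:
            actions.append((s.host, s.path, s.sha256))
            del ledger.tracked[s]         # convicted: no longer gray, remediation owns it now
        elif v is Verdict.KNOWN_GOOD:
            del ledger.tracked[s]         # cleared: stop spending effort on it
        else:
            ledger.tracked[s] = intel.version
    return sorted(actions)


# Constructed placeholders (truncated), not real indicators.
H_GOOD, H_BAD, H_GRAY, H_OTHER = "c0ffee01", "bad0bad0", "7a7a2e91", "51ee9c33"

SIGHTINGS = [
    Sighting(100, "ws-01", r"C:\Program Files\Vendor\setup.exe", H_GOOD),
    Sighting(110, "ws-02", r"C:\Users\a\Downloads\invoice.exe", H_BAD),
    Sighting(120, "ws-03", r"C:\Users\b\AppData\Local\Temp\svc.exe", H_GRAY),
    Sighting(130, "ws-05", r"C:\Users\c\AppData\Local\Temp\svc.exe", H_GRAY),
    Sighting(140, "ws-07", r"C:\Users\d\Downloads\tool.exe", H_OTHER),
]


def run_demo():
    """Entry decisions under feed v1, then a retrospective pass once v2 convicts the gray file."""
    ledger = FileLedger()
    intel_v1 = ThreatIntel(1, frozenset({H_BAD}), frozenset({H_GOOD}))
    entry = [(s.host, disposition_at_entry(ledger, s, intel_v1)) for s in SIGHTINGS]
    intel_v2 = ThreatIntel(2, frozenset({H_BAD, H_GRAY}), frozenset({H_GOOD}))
    actions = retrospective_scan(ledger, intel_v2)
    still_gray = sorted({s.sha256 for s in ledger.tracked})
    return entry, actions, still_gray


if __name__ == "__main__":
    entry, actions, still_gray = run_demo()
    print("at entry:", entry)
    print("retrospective remediation:", actions)
    print("still tracked:", still_gray)
```

The point the code makes is that a verdict at the point of entry is never final: the two hosts that received the gray file were not blocked at the time, but because the sightings were kept, the moment the feed learns better the response team gets a concrete per-host remediation list instead of a new scan from scratch. In a real deployment the sightings come from endpoint and network file telemetry and the version is whatever the intelligence source uses to mark an update.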

Effective advanced malware response requires visibility and control across the entire IT environment and along the full threat lifecycle, to not only identify and stop the spread of malware but also minimize the risk of reinfection. With the ability to detect and eradicate malware quickly and effectively you can be confident your security and incident response strategy is up to today’s challenge.


Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
