FOUR REASONS NOT TO NUKE AN INFECTED MACHINEdocs.media.bitpipe.com/io_12x/io_121339/item... · In...

threattracksecurity.com ©2015 ThreatTrack, Inc. All rights reserved worldwide.

FOUR REASONS NOT TO NUKE AN INFECTED MACHINE

WHY REIMAGING IS NOT THE ONLY OPTION

In today’s world of Zero-day malware and advanced multi-stage threats, it sometimes seems like your motto has to be “take no chances.” In the area of endpoint security, this is sometimes translated into a policy: “wipe and reimage every PC that has been touched by malware.”

But reimaging is not the only option. This paper will discuss four reasons to reconsider this type of scorched earth policy, and alternatives to help you improve efficiency and costs while protecting against advanced threats.

INTRODUCTION

3

FOUR REASONS NOT TO NUKE AN INFECTED MACHINE: WHY REIMAGING IS NOT THE ONLY OPTION

Unfortunately, most enterprises feel they have no choice but to wipe and reimage all PCs that have been touched by malware, because that is perceived as the only way to guarantee that the PC is clean. They see no option but to treat reimaging as a draining but necessary cost of doing business.

But quarantining, wiping and reimaging is one of the most time-consuming, burdensome and thankless tasks faced by security and technical support groups. Not only does reimaging each computer take up a large chunk of the day, but employees who lose access to their systems are often frustrated, or even hostile. Somehow it is the fault of the IT team that the user surfed to an infected web site, or clicked on a phishing email.

Reimaging is a slow, tedious process that involves steps such as:

» Identifying infected computers

» “Quarantining” the infected computers by restricting network access

» Physically acquiring the infected machines

» Listening to employees explain how they don’t remember “clicking-opening-browsing” something malicious, how they “can’t lose their work,” and how they “haven’t done a backup in months”

» Downloading users’ backups and verifying their viability

» Locating and entering license keys for desktop applications

» Updating drivers and patches

» Customizing desktops for distressed employees

» Re-registering devices to access applications such as Salesforce

» Reminding users, yet again, to back-up their hard drives regularly, to avoid suspicious files and links, etc., etc., etc.

And in the end, the IT team is vilified because they wiped out some of the employee’s hard work.

REASON #1: REIMAGING IS PAINFUL

4


Wiping and reimaging computers is not only unfulfilling work, it is also very expensive. Some of the costs are obvious, while others are hidden from view. Significant costs may include:

» Direct labor costs, typically several hours per system, for sending technical support staff to wipe and reimage systems, reinstall software and help computer users restore computers to “the way they were before”

» Capital costs for spare workstations and laptops used as temporary replacements for machines while they are in quarantine or being reimaged

» Shipping costs to send infected and spare laptops back and forth to remote and mobile users

» Indirect costs of lost productivity for computer users because they:

- Have limited access to data and the network while their systems are in quarantine.

- Lose access to their computers during the wipe and reimaging process.

- Often spend hours reinstalling non-corporate applications, reloading data and resetting preferences.

The time users spend reconfiguring computers has grown significantly over the past few years. Even seemingly small details can take time. For example, the loss of browser cookies can force users to re-reregister devices with cloud-based applications. Engineers and knowledge workers with complex technical, engineering and analytics software packages may need to spend hours reconfiguring those applications.

And what about those employees who “haven’t done a backup in months”? It might cost hundreds of hours and thousands of dollars to recreate company and personal data lost when the hard drive is wiped.

REASON #2: REIMAGING IS COSTLY

5


The most damaging cybersecurity risks for most organizations today are not individual pieces of malware, but rather targeted campaigns and Advanced Persistent Threats (APTs) launched by sophisticated attackers. These campaigns involve multiple steps: performing reconnaissance to detect vulnerabilities, weaponizing software to exploit the vulnerabilities, delivering the weapon (most often to an employee PC or laptop), exploiting the vulnerability from inside the network, finding file shares and databases with confidential information, communicating with an outside server controlled by the attacker, and so forth. The more time attackers can spend on the network, the more confidential information they can find, and the more files they can exfiltrate to their servers.

Under these circumstances, the imperative need is to find and understand the footprint of these attacks as quickly as possible. Employee computers often provide essential clues. Wiping computers can therefore be

counterproductive. Wiping and reimaging eliminates malware on individual systems, but sometimes at the price of destroying evidence that could lead to uncovering an attack on a critical database, or file share, or on hundreds of other computers.

For example, analysis of an infected PC might show that a malware file created a listener on a certain port, or called out to a certain domain or IP address for command and control. Armed with this information, a security analyst or network administrator could monitor the network and scan other machines for the same network activity. This would identify other computers already infected with that malware strain. The same information might allow the security team to stop the attack by blocking communications with the command and control IP address.

REASON #3: REIMAGING DESTROYS INTELLIGENCE

6


Is it malware or MALWARE? Nobody wants dangerous malware to remain inside the organization. Clearly wiping and reimaging is a way to ensure that doesn’t happen. But not all vulnerabilities are “critical” or “important” — many are rated as “moderate” or “low.” Some malware is simply not very harmful in a given environment. In these cases the benefits of reimaging the computers are outweighed by the pain, cost and destruction of intelligence that the process entails.

Certain malware types may target specific operating systems, browsers or applications. If your organization doesn’t include that target software, then those pieces of malware pose no risk.

Some forms of malware are “non-persistent.” They remove themselves from the system after stealing passwords, probing the network, or taking other one-

time actions. In this situation, wiping and reimaging the system provides no security benefit at all. (Although other actions may be indicated: victims of a password stealer must be instructed to change all their passwords – banking, social media, as well as corporate – in order to prevent malicious use of these accounts.)

In many cases the effects of malware can be remediated without wiping and reimaging the entire system. For example, if it can be determined that a malware sample renames certain files, creates new files, and modifies certain registry entries, then these changes can be reversed by changing the file names back, deleting the new files, backing out the changes to the registry entries, and removing the malware itself. One tool that automates this process is described below.

REASON #4: NOT ALL MALWARE IS CREATED EQUAL

7


Sometimes it really is necessary to wipe and reimage computers infected by malware. But the right information can show when far less costly and difficult alternatives are appropriate.

It is impractical for most security teams to obtain this information by themselves. They are not equipped with the resources and tools to perform the required analysis on the malware coming through their systems. But a solution is now available that provides the information to make the right decision about whether or not to wipe and reimage. It also automates the remediation process for those cases where wiping and reimaging are not necessary.

ALTERNATIVES TO REIMAGING

“Remediation is the next logical step – with the detection piece having all the details necessary to remove advanced malware, it is highly inefficient to depend on the security analyst or engineer to perform automated remediation. Companies investing in advanced malware detection have been asking for products that also remove the threats...” Adrian Sanabria, Senior Security Analyst, 451 Research

8


ThreatTrack Security is the first company to offer an on-demand malware analysis and remediation solution. That solution:

» Provides a fast and easy way to submit malware samples for expert analysis

» Delivers detailed information on the characteristics and behaviors of submitted malware samples, so that security and technical support staff can make informed decisions about the best alternative for remediating infected systems

» Provides a custom “remediation package” that reverses the actions of the malware sample on endpoints

This on-demand malware analysis and remediation solution is included as one part of the ThreatSecure

Email offering, which includes a number of advanced malware detection and analysis tools for security and incident response teams.

ThreatSecure Email utilizes a standalone email monitoring appliance and ThreatTrack’s proprietary cloud-based malware analysis and research platform as illustrated in Figure 1. Here we will provide a very brief overview of ThreatSecure’s features for detecting malware and identifying active APT campaigns, and then discuss in more detail its on-demand malware analysis and remediation capabilities.

APT Protection - ThreatSecure Email

9


MALWARERESEARCH & ANALYSIS

MALWAREINFECTION ANALYSIS

ENTERPRISESYSTEMS

MANAGEMENT

EMAIL SERVER

ENTERPRISENETWORK

QUARANTINE

DROP

MALWARE ANALYSISWITH REMEDITATION

PACKAGE

Figure 1: The ThreatSecure Appliance and ThreatNet cloud-based service detect threats in emails and attachments, and allows organizations to submit malware samples for analysis and the creation of custom remediation packages. The analysis allows analysts to select the right alternative for remediating endpoints. The remediation packages provide an option to automatically reverse the action of the malware on endpoints.

10


ThreatSecure utilizes “preemptive analytics,” a holistic approach to threat detection that looks beyond point-in-time events to illuminate the patterns, trends and other security data necessary to identify and evaluate advanced threats. It allows security and incident response analysts to correlate and analyze meaningful threat data interactively, in real time, rather than retrospectively.

Detecting known and unknown malwareThe ThreatSecure appliance first uses static analysis to find “known bad” URLs in email text and known malware in email attachments. It identifies URLs associated with botnets, spammers, cybercriminals, and hackers, and detects viruses, Trojans, keyloggers and other malware.

File attachments that pass static analysis are subjected to a unique form of behavioral analysis. Malware samples are run through a multi-dimensional behavioral analysis and discovery process that models malicious behaviors for each file type (DOC, PDF, JPG, EXE, etc.). Machine learning is used to create a mathematical picture of

characteristics of benign files and of malicious files of each type. Those behavioral models are then used to detect unknown malware, without using signatures, with far fewer false negatives and false positives than most malware detection tools.

Identifying active APT campaignsThreatSecure also provides a dashboard and analysis tools to help security and incident response teams “connect the right dots” and quickly find key events that are meaningful for identifying complex multi-step attacks. Analysts not only obtain real-time data to detect active APT campaigns, they also get a mechanism to make rapid decisions on dropping, quarantining or passing on email messages and attachments.

At the end of this process, analysts can pull up a “Threat Details” screen with information about the malware file, including how often the file has been seen in the organization, a risk score based on malicious actions taken by the file, and data about the source and targets of emails containing the malware.

ON-DEMAND MALWARE ANALYSIS AND REMEDIATION: HOW IT WORKS

11


On-demand malware analysis and remediationThis is the point where the on-demand malware analysis and remediation service comes into play. Analysts can click on the “Submit for Analysis” button in the upper right corner of the Threat Details screen, shown in Figure 2. This causes the malware sample to be submitted to the malware analysis and remediation service in the cloud-based ThreatNet platform.

The cloud service uses dynamic analysis and the experience of ThreatTrack Security’s cybersecurity experts to:

» Determine the sophistication and severity of the malware sample

» Document the actions it takes, such as adding, modifying and deleting files, folders and registry entries

» Compile information on the sources and history of the malware

» Build a custom remediation package that can reverse changes made by the malware on Windows computers

The service then sends back to the enterprise detailed analysis of the malware, together with the remediation

package.

Deciding on the best alternative to wipe and reimageThe detailed analysis report, illustrated in Figure 3, gives security and technical support analysts the information they need to decide if a less costly and difficult alternative is appropriate to use instead of wiping and reimaging computers affected by that malware.

Information presented in the analysis includes:

» A list of the high, medium and low risk actions taken by the malware when tested in a “sandbox” enviroment

» A list of all files opened, modified and deleted

» A list of all registry settings enumerated, written and deleted

» A list of all processes called by the malware

» A list of all network activities

» Screen shots displayed to users

12


The information in this analysis allows analysts to make the appropriate decision about how to remediate the malware. For example:

» If the malware is non-persistant and removes itself from systems, then blacklist the malware on internal threat detection tools but leave the systems alone

» If the actions of the malware on infected systems is predictable and doesn’t threaten corporate data or resources, then remove the malware from the systems but don’t wipe and reimage

» If the actions of the malware on endpoints can be reversed, then use the remediation package provided by ThreatSecure (described below)

Customized Remediation SolutionsThe custom remediation packages delivered by ThreatSecure are executable files that can be deployed on Windows computers regardless of the antivirus programs in place. The packages are engineered to reverse the actions of the malware and remove the malware itself, including sophisticated rootkits. The process is automated, and requires no involvement by end users.

While automated remediation cannot be applied with every malware type, in the majority of cases it provides a way to remove malware that is far simpler and faster than alternative remediation methods.

Additional Benefits for SecurityThe analysis provided by the on-demand service can enhance security in other ways. File hashes, network listeners, and registry changes are some of the details that can be provided as part of the analysis that help make it easier and faster to find related malware. For example, once a new malware file is identified and its behavior is analyzed, the security team can scan the network for other samples.

Similarly, if a malware file is shown to open a specific port to communicate with other malware on the network or a server outside of the network, then the security team can scan for processes that use that port and locate other malware that is part of the same APT campaign.

Obtaining the detailed malware analysis from ThreatTrack also frees up the computer incident and response (CIRT) team to perform other tasks, in effect reducing the cost of cleaning up the malware.

Quarantining, wiping and reimaging computers is an extremely tedious and expensive way to deal with malware infections. It represents a major burden on security and technical support staffs, depresses the productivity of computer users who have to suffer through quarantines and lose access to their systems, and is a source of frustration for all concerned.

Wiping and reimaging can also be counterproductive if it destroys intelligence that can be used to detect advanced attacks. Forensic evidence on an infected computer can often provide the key to detecting the most dangerous types of APTs.

With the right information, organizations can look at wiping and reimaging as a last resort rather than a default. With ThreatSecure’s on-demand malware

analysis and remediation service, security and support analysts can submit malware samples with a single click and receive detailed reports on the characteristics and malicious behaviors of their samples. This information allows them to determine the most appropriate and cost-effective course of action, which often will be removing the malware from infected system or applying automated remediation.

Information in the reports can also include critical indicators alerting analysts to the existence of targeted campaigns and providing insight into the methods of the attackers.

SUMMARY

The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. ThreatTrack Security, Inc. is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, ThreatTrack Security, Inc. makes no claim, promise or guarantee about the completeness, accuracy, relevancy or adequacy of information and is not responsible for misprints, out-of-date information, or errors. ThreatTrack Security, Inc. makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. All products mentioned are trademarks or registered trademarks of their respective companies.


ThreatSecure’s on-demand malware analysis and remediation service also provides a custom remediation package that can be deployed to Windows computers, without involvement by computer users, to reverse the actions of malware on those endpoints.

By making the right choices for remediating infected computers, organizations can:

» Reduce the number of systems being wiped and reimaged, freeing up security and technical support staff for more valuable activities.

» Decrease the time and effort required to discover related malware on the network.

» Protect user productivity (and patience) by remediating infected systems without losing work time.

» Reduce vulnerabilities, by providing information on the behavior of malware files.

About ThreatTrack SecurityThreatTrack Security specializes in helping organizations identify and stop Advanced Persistent Threats (APTs), targeted attacks and other sophisticated malware designed to evade the traditional cyber defenses deployed by enterprises and government agencies around the world. With more than 300 employees worldwide and backed by Insight Venture Partners and Bessemer Venture Partners, the company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection.

NEXT STEPS

To learn more about ThreatTrack Security call +1-855-885-5566 or visit www.ThreatTrackSecurity.com.

FOUR REASONS NOT TO NUKE AN INFECTED MACHINEdocs.media.bitpipe.com/io_12x/io_121339/item... · In...

Documents

Transcript of FOUR REASONS NOT TO NUKE AN INFECTED MACHINEdocs.media.bitpipe.com/io_12x/io_121339/item... · In...