Handling Destructive Malware
Potential Distribution Vectors:
- Enterprise Applications (those that can directly interface with and impact many hosts and endpoints), such as:
  - Patch management systems
  - Asset management systems
  - Remote Assistance software [corporate help desk, etc.]
  - Antivirus software
  - Systems assigned to Systems and Network Administrative Personnel
  - Centralized Backup servers
  - Centralized File Shares
- Centralized Storage Devices
  - Direct access to Partitions
  - Direct access to Data Warehouses
- Network Devices
  - modifying the routing tables
  - modifying the firmware or binaries
  - isolating or degrading the availability of critical network resources
Fixing it:
- Proper network segmentation
- Network-based ACL – communication flow paths should be fully defined, documented, and authorized
- Identify the gateways / pivots in the current system that can help with lateral movement within the enterprise – implement restrictive VLANs (virtual LAN)
- Add layered, device-level access to the management interfaces of the centralized network and storage devices using restrictive VLANs
- Enable multi-factor authentication
- Document and use a unique domain account for each enterprise application service
- Track and monitor activities related to the assigned domain / service accounts
- Restrict and deny access to network shares and critical data locations (where applicable)
- Never grant a service account elevated permissions beyond its group level; if an application genuinely needs more, create a separate, dedicated service account rather than carving out policy exceptions/violations for the existing one
- Continuously review the centralized file share ACLs and assigned permissions
- Audit and review the server / service / security logs for failed attempts, file share access or remote session requests
- Review the network flow data for signs of anomalies – look for unknown ports requesting connections, port scanning or enumeration activity, and repeated connections on ports that can be used for C&C
- Ensure that all network devices log every configuration change, that the logging mechanisms are working 24/7, and that the authorization rules are intact throughout the enterprise environment
- Whenever deploying new updates / patches / AV signatures, etc. throughout the enterprise, always stage them first to a limited, specific group of systems for a pre-defined period and observe the deployment closely – this limits a supply chain attack delivered through the update channel to those systems only
- Keep monitoring and assessing the integrity of patches / updates / AV signatures throughout the enterprise – receive updates from trusted sources only, perform file and data integrity checks, and monitor and audit the data throughout the enterprise to ensure its integrity
- Ensure robust vulnerability management and patching practices are in place
- Ensure that the underlying OS, software, etc. are hardened based on industry standards
- Implement application-level security controls – user-based ACLs, no permissions beyond a user's security group configuration (for example, avoid elevated permissions), remove or disable unused packages and features, and implement application-level logging, monitoring and auditing
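As an added example of the flow-data review above (not from the advisory), this script runs two of the listed checks over constructed NetFlow-style records: a source touching many distinct ports on one host (scanning / enumeration), and repeated connections to a port outside an assumed allow-list at a steady interval (a C&C check-in pattern). The record format, sample addresses, ALLOWED_PORTS and thresholds are all assumptions.

```python
# Added example (not from the advisory): flag port-scan and beacon-like
# patterns in constructed NetFlow-style records "ts,src,dst,dport,bytes".
from collections import defaultdict

# Constructed sample: 10.0.1.5 sweeps ports on a file server, 10.0.1.7
# connects every 60s to an unknown port, 10.0.1.8 is ordinary SMB traffic.
FLOWS = """\
0,10.0.1.5,10.0.2.10,22,60
1,10.0.1.5,10.0.2.10,23,60
2,10.0.1.5,10.0.2.10,80,60
3,10.0.1.5,10.0.2.10,139,60
4,10.0.1.5,10.0.2.10,445,60
0,10.0.1.7,203.0.113.9,4444,120
60,10.0.1.7,203.0.113.9,4444,120
120,10.0.1.7,203.0.113.9,4444,120
180,10.0.1.7,203.0.113.9,4444,120
10,10.0.1.8,10.0.2.10,445,5000
70,10.0.1.8,10.0.2.10,445,5000
"""

# Ports expected in this constructed environment (an assumption).
ALLOWED_PORTS = {22, 53, 80, 443, 445, 3389}

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        rows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return rows

def find_port_scans(flows, min_ports=5):
    """(src, dst) pairs where src touched >= min_ports distinct ports."""
    ports = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        ports[(src, dst)].add(dport)
    return sorted(k for k, v in ports.items() if len(v) >= min_ports)

def find_beacons(flows, min_conns=4, max_jitter=5):
    """Repeated connections to a port outside ALLOWED_PORTS at a steady interval."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport not in ALLOWED_PORTS:
            times[(src, dst, dport)].append(ts)
    hits = []
    for key, ts_list in sorted(times.items()):
        ts_list.sort()
        if len(ts_list) < max(min_conns, 2):
            continue  # too few connections to judge the interval
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            hits.append(key)
    return hits
```

Tune ALLOWED_PORTS and the thresholds to the environment's documented communication flow paths; the single-port SMB traffic from 10.0.1.8 is deliberately left unflagged for contrast.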
Recovery Plan:
- Classify and know the critical infrastructure and how to get it back online
- Have the contact information for all essential personnel available at all times, including vendors, partners, etc. who are critical to this phase
- Have baseline restoration mechanisms at hand – for example, optical disc images (ISO), remote backups, etc.
- Have checklists and playbooks for the recovery plan available at all times
- Ensure data backup files (full / differential) are available for the baseline restoration plan above
- Have system security baseline and hardening checklists / guidelines updated and ready at all times
- Have the mechanism to perform system and application integrity tests and acceptance checklists ready in case such a recovery is required
Responding to the Incident:
- Focus on containment to reduce the surface area for the attacker
- Implement network ACL to contain the infected application by restricting its communication to the rest of the network – an organization’s internal DNS can be leveraged for this purpose as well by adding a NULL pointer record in such a case
- Disable the suspected users or service account(s)
- Disable file shares to avoid replication of malware
- Be ready to take stringent measures like resetting all passwords, etc. in the application and the surrounding network where the infection might leak to
- Report the incident responsibly
[Atypical malware delivery mechanisms]
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-057a