
Handling Destructive Malware

Potential Distribution Vectors:

  1. Enterprise Applications
    Protect the hosts and endpoints that an attacker could use to push malware across the enterprise, such as:
    • Patch management systems
    • Asset management systems
    • Remote Assistance software [corporate help desk, etc.]
    • Antivirus software
    • Systems assigned to Systems and Network Administrative Personnel
    • Centralized Backup servers
    • Centralized File Shares
  2. Centralized Storage Devices
    • Direct access to Partitions
    • Direct access to Data Warehouses
  3. Network Devices
    • Modifying the routing tables
    • Modifying the firmware or binaries
    • Isolating or degrading the availability of critical network resources

Fixing it:

  1. Proper network segmentation
  2. Network-based ACL – communication flow paths should be fully defined, documented, and authorized
  3. Identify the gateways / pivots in the current system that can help with lateral movement within the enterprise – implement restrictive VLANs (virtual LAN)
  4. Add Layered access for Device-Levels to the Centralized Networks and Storage Devices Management interfaces using restrictive VLANs
  5. Enable multi-factor authentication
  6. Document and use unique Domain Accounts for each Enterprise application service
  7. Track and monitor activities related to the assigned domain / service accounts
  8. Restrict and deny access to network shares and critical data locations (where applicable)
  9. Never grant a service account elevated permissions beyond its group level; if an application appears to need more, change the service account (or its design) so that no policy exceptions or violations are created by granting a service account permissions beyond its known capabilities
  10. Continuously review the centralized file share ACLs and assigned permissions
  11. Audit and review the server / service / security logs for failed attempts, file share access or remote session requests
  12. Review the network flow data for signs of anomalies – look for unknown ports requesting connections, port scanning or enumeration activity, and repeated connections on ports that can be used for C&C
  13. Ensure that all network devices log every configuration change, that the logging mechanisms work 24/7, and that the authorization rules are intact throughout the enterprise environment
  14. Whenever deploying new updates / patches / AV signatures, etc. throughout the enterprise, always stage them first to a limited, specific group of systems for a pre-defined period and observe the deployment closely – this limits a supply chain attack arriving through the update channel to those systems only
  15. Keep monitoring and assessing the integrity of patches / updates / AV signatures throughout the enterprise – receive updates from trusted sources only, perform file and data integrity checks, and monitor and audit the data throughout the enterprise to ensure its integrity
  16. Ensure robust vulnerability management and patching practices are in place
  17. Ensure that the underlying OS, software, etc. are hardened according to industry standards
  18. Implement application-level security controls – user-based ACLs, no permissions for users beyond their security group configuration (for example, elevated permissions should be avoided), removal or disabling of unused packages and features, etc., and application-level logging, monitoring and auditing
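As an added illustration of items 2 and 12 above (this is not code from the original post or from CISA), the following script checks flow records against a documented-path baseline and flags port enumeration and regular beaconing to one external port. The flow lines, prefixes and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records ("timestamp src dst dport") of the kind a flow collector exports.
FLOWS = """\
2024-05-01T10:00:00 10.0.1.6 10.0.2.10 443
2024-05-01T10:01:00 10.0.1.5 10.0.2.10 21
2024-05-01T10:01:01 10.0.1.5 10.0.2.10 22
2024-05-01T10:01:02 10.0.1.5 10.0.2.10 23
2024-05-01T10:01:03 10.0.1.5 10.0.2.10 80
2024-05-01T10:05:00 10.0.1.7 203.0.113.9 4444
2024-05-01T10:06:00 10.0.1.7 203.0.113.9 4444
2024-05-01T10:07:00 10.0.1.7 203.0.113.9 4444
2024-05-01T10:08:00 10.0.1.7 203.0.113.9 4444
"""
# Constructed baseline of documented paths (item 2): (src prefix, dst prefix, dport).
ALLOWED = {("10.0.1.", "10.0.2.", 443), ("10.0.1.", "10.0.2.", 445)}

def parse_flows(text=FLOWS):
    """Parse one 'timestamp src dst dport' record per line."""
    return [(datetime.fromisoformat(t), s, d, int(p))
            for t, s, d, p in (ln.split() for ln in text.strip().splitlines())]

def unauthorized_paths(flows):
    """Distinct (src, dst, dport) tuples that match no documented path."""
    bad = set()
    for _, src, dst, dport in flows:
        if not any(src.startswith(s) and dst.startswith(d) and dport == p for s, d, p in ALLOWED):
            bad.add((src, dst, dport))
    return sorted(bad)

def port_scanners(flows, threshold=4):
    """(src, dst) pairs where src touched at least threshold distinct ports on dst."""
    seen = defaultdict(set)
    for _, src, dst, dport in flows:
        seen[(src, dst)].add(dport)
    return sorted(k for k, v in seen.items() if len(v) >= threshold)

def beacons(flows, min_count=4, jitter=2.0):
    """Tuples contacted >= min_count times at a near-constant interval (C&C check-in shape)."""
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        times[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in times.items():
        s = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(s, s[1:])]
        if len(s) >= min_count and max(gaps) - min(gaps) <= jitter:
            hits.append(key)
    return sorted(hits)
```

On real exports the baseline and thresholds come from the documented flow paths of item 2, and a hit is a lead for the log review in item 11, not a verdict.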

Recovery Plan:

  1. Classify and know the critical infrastructure and how to get it back online
  2. Have the contact information for all essential personnel available at all times, including vendors, partners, etc. who are critical to this phase
  3. Have baseline plans for the restoration mechanisms at hand – for example, optical disc images (ISO), remote backups, etc.
  4. Have a list of checklists and playbooks available for the recovery plan at all times
  5. Ensure that data backup files (full / differential) are available for the baseline restoration plan above
  6. Have system security baseline and hardening checklists / guidelines updated and ready at all times
  7. Have a mechanism to perform system and application integrity tests and acceptance checklists whenever such a recovery is required
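As an added example (not code from the original post or from CISA) of the file integrity checks called for in item 15 of the previous list and the integrity tests in recovery item 7 above, this script builds a SHA-256 manifest of a staged update and later reports what changed. The file names and contents are constructed; a real baseline would come from the vendor's published hashes or from a known-good system image.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large update bundles do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Record the SHA-256 of every file under root, keyed by relative POSIX path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, manifest):
    """Compare the current tree with a trusted manifest.
    Returns the modified, missing and unexpected (added) paths; all empty means intact."""
    current = build_manifest(root)
    return {
        "modified": {p for p in manifest if p in current and current[p] != manifest[p]},
        "missing": set(manifest) - set(current),
        "added": set(current) - set(manifest),
    }

def demo():
    """Constructed scenario: baseline a staged update, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = Path(tmp)
        (staged / "bin").mkdir()
        (staged / "bin" / "agent.exe").write_bytes(b"constructed update binary")
        (staged / "sig.dat").write_bytes(b"constructed AV signature pack")
        (staged / "README.txt").write_text("constructed release notes")
        baseline = build_manifest(staged)      # captured from the trusted source
        intact = verify(staged, baseline)      # clean run: nothing to report
        # Simulate tampering between staging and rollout (item 14's observation window).
        (staged / "bin" / "agent.exe").write_bytes(b"constructed update binary + injected bytes")
        (staged / "README.txt").unlink()
        (staged / "bin" / "helper.dll").write_bytes(b"unexpected extra file")
        return intact, verify(staged, baseline)
```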

Responding to the Incident:

  1. Focus on containment to reduce the surface area for the attacker
  2. Implement network ACLs to contain the infected application by restricting its communication with the rest of the network – an organization’s internal DNS can be leveraged for this purpose as well, by adding a null pointer record in such a case
  3. Disable the suspected users or service account(s)
  4. Disable file shares to avoid replication of malware
  5. Be ready to take stringent measures like resetting all passwords, etc. in the application and the surrounding network where the infection might leak to
  6. Report the incident responsibly

[Atypical malware delivery mechanisms]

Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-057a