
Malware 101: Detection and remediation
It is a universal truth in cybersecurity that an attacker who is determined and sophisticated enough will almost always find a way to achieve their goal. No security solution can catch everything, and even with a robust, layered approach incorporating many solutions there is always some point of failure that can be leveraged. Further, beyond a certain point the cost-versus-benefit trade-off of adding more solutions declines significantly.
Take VirusTotal as an example: the majority of common malware will be detected by at least half of the antivirus solutions on the platform (the number of detections generally increasing the longer the malware sample has been in the wild). However, more sophisticated samples might only be detected by one or two solutions early on, and this is not necessarily indicative of the quality of those solutions but rather that they happened to come across and analyze the sample earlier than the others. Not only is it not very cost-effective to buy licenses for more than 40 antivirus solutions for every machine on your network, but the combined system requirements on a standard computer would likely make it impossible to do anything else, because the security software would be taking up all available resources.
You could buy every preventative security product on the planet, but eventually something will get through. This was a major factor in why Barracuda acquired SKOUT (which is now our XDR offering) — because this type of solution can detect and remediate threats that successfully gain initial access into a customer's network. Layered protection is more about having the right layers than simply the quantity of layers (again, think back to the VirusTotal example).
Detecting malware that gets through defenses
Malware getting past security measures isn't necessarily game over for the defense. Depending on the objective(s), the malware needs an appropriate amount of time to achieve the attacker's goals, or, in cases such as persistent malware, there is no defined point at which the malware has finished its goals and stops causing harm. This presents an opportunity to detect malicious behaviors as they are happening on a system or network and so limit the amount of harm the malware can accomplish.
Any malware that exfiltrates data — which includes numerous ransomware variants these days — creates a signal that can be detected (i.e., the data being transferred). The ability to spot these signals and react quickly can have a huge impact on the amount of damage malware can cause. While there will still be some exposure, the amount of exposure can be reduced. An attacker exfiltrating 10% of a particular data store is a far better outcome than 100% of the data. Further, in the case of ransomware that exfiltrates data, this might also reduce the number of files that end up encrypted. In addition to signals on the network, malware will also create signals on the infected system such as changes made and potentially even errors that may end up in the logs. These signals are the most effective way to identify that an attack is occurring.
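As an added illustration of the network-side signal described above (not code from the original post), the following detection logic sums outbound bytes per host to external destinations from constructed flow records and flags hosts that exceed a per-host baseline. The flow format, the internal address ranges and the baseline figures are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real traffic), one connection per line: the
# network-side signal the text describes is outbound volume to external hosts.
SAMPLE_FLOWS = """\
2024-05-01T09:00:12 src=10.0.0.5 dst=10.0.0.20 bytes_out=120000
2024-05-01T09:01:03 src=10.0.0.5 dst=203.0.113.7 bytes_out=950000000
2024-05-01T09:02:44 src=10.0.0.8 dst=198.51.100.3 bytes_out=40000
2024-05-01T09:03:10 src=10.0.0.8 dst=198.51.100.3 bytes_out=55000
2024-05-01T09:04:00 src=10.0.0.5 dst=203.0.113.7 bytes_out=870000000
"""

# Address ranges the organisation treats as internal (assumed; adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed per-host baseline: normal daily outbound bytes to external hosts.
BASELINE_BYTES_OUT = {"10.0.0.5": 50_000_000, "10.0.0.8": 20_000_000}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Return (src, dst, bytes_out) from one 'key=value' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["bytes_out"])

def external_bytes_by_host(text):
    """Sum outbound bytes per source host, ignoring internal-to-internal flows."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, nbytes = parse_flow(line)
        if not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def flag_exfiltration(text, baseline, factor=10):
    """Hosts whose external outbound volume exceeds factor x their baseline.
    A host with no baseline gets a limit of 0, so its external traffic is
    surfaced for review rather than silently passed."""
    return {host: total for host, total in external_bytes_by_host(text).items()
            if total > baseline.get(host, 0) * factor}

if __name__ == "__main__":
    for host, total in flag_exfiltration(SAMPLE_FLOWS, BASELINE_BYTES_OUT).items():
        print(f"ALERT {host}: {total} bytes out, baseline {BASELINE_BYTES_OUT.get(host, 0)}")
```

In practice the baseline would be learned from historical flow data per host, and the threshold tuned so that routine backups and cloud sync do not trip it.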
Steps to remediating malware
Whether a threat is detected and stopped or successfully completes its objectives, remediation will be required, and it will be specific to the incident and the extent of the damage caused. Malware will need to be removed from any systems that it touched, which again depends on the specifics of the incident, as some malware is easier to remediate than others. Data backups may play an important role here, and not only in the case of ransomware. It may be necessary, or perhaps just easier, to reimage or possibly replace the infected system(s) to ensure no remnants of the malware remain.
If those systems held critical data that was backed up already, getting the data back onto the systems will be far easier and safer. Even if the data was intact, trying to back it up somewhere after the fact will risk that some remnants of the malware attack end up back on the system. In the case of ransomware, data backups may be the only way to recover the data aside from paying the ransom — which is not recommended for several reasons, including the risk that paying the ransom might not end up resulting in recovering the data.
Malware can make a wide variety of changes to the systems it infects, such as changing or deleting registry keys on Windows, altering existing system files, adding or removing startup entries, exposing ports, and disabling existing security on the system. When reimaging the system is not chosen, these changes must be reversed to fully recover the system, in addition to deleting the malware files themselves. Understanding what changes were made is key here and often depends on the particular malware variant, because a given variant will generally behave similarly across attacks.
Given the multitude of system changes that may occur as a result of malware, it's easy to see why reimaging the system is often the easiest option, or replacing it entirely in cases where malware may have infected firmware, rather than simply making changes on the disk(s). Even with signature-based scanning, and especially with solutions that upload files for remote analysis, there may be a delay between the malware first touching a system and it being detected. Malware that is successfully quarantined by security software might also have changed the system, so it should be verified that it didn't have a chance to make any system changes before assuming the system is clean.
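As an added example (not from the original post) of the verification step just described, the following code compares a pre-incident inventory of the host state the text lists (Run keys, startup entries, listening ports, security services, system file hashes) with an inventory taken after quarantine, and produces the list of changes that must be reversed before the host can be treated as clean. Both inventories are constructed for the example; the paths, service names and hash values are placeholders.

```python
# Constructed inventories (not captured from a real host). A baseline taken
# before the incident is compared with an inventory taken after quarantine.
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
BASELINE = {
    "run_keys": {"OneDrive": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    "startup_entries": {"Teams.lnk"},
    "listening_ports": {135, 445, 3389},
    "security_services": {"WinDefend": "running", "MpsSvc": "running"},
    "file_hashes": {HOSTS: "sha256:aaaa"},   # placeholder digest
}
AFTER_QUARANTINE = {
    "run_keys": {
        "OneDrive": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "Updater": r"C:\Users\a\AppData\Roaming\svc\upd.exe",   # added by malware
    },
    "startup_entries": {"Teams.lnk", "sys.vbs"},
    "listening_ports": {135, 445, 3389, 5555},
    "security_services": {"WinDefend": "stopped", "MpsSvc": "running"},
    "file_hashes": {HOSTS: "sha256:bbbb"},   # hosts file was altered
}

def diff_inventories(before, after):
    """List every deviation from baseline as (category, item, reversal action)."""
    findings = []
    for name, path in after["run_keys"].items():
        if before["run_keys"].get(name) != path:
            findings.append(("run_key", name, f"remove or restore value, now {path}"))
    for name in before["run_keys"].keys() - after["run_keys"].keys():
        findings.append(("run_key", name, "re-create value that was removed"))
    for entry in after["startup_entries"] - before["startup_entries"]:
        findings.append(("startup_entry", entry, "delete entry"))
    for port in after["listening_ports"] - before["listening_ports"]:
        findings.append(("listening_port", port, "identify owning process, close port"))
    for svc, state in before["security_services"].items():
        if after["security_services"].get(svc) != state:
            findings.append(("security_service", svc, f"restore service to {state}"))
    for path, digest in before["file_hashes"].items():
        if after["file_hashes"].get(path) != digest:
            findings.append(("system_file", path, "restore from known-good copy"))
    return findings

def host_is_clean(before, after):
    """True only when nothing deviates from the baseline inventory."""
    return not diff_inventories(before, after)

if __name__ == "__main__":
    for category, item, action in diff_inventories(BASELINE, AFTER_QUARANTINE):
        print(f"{category:17} {item}: {action}")
```

The same comparison can be rerun after each reversal until it reports nothing, which is the point at which the text's "verify it didn't have a chance to make any system changes" condition is actually met rather than assumed.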
Layered defenses
Defending against malware is multifaceted, as it is with any other attack type. Malware can make up all or the majority of an attack, or it can be paired with other attack techniques. While many aspects of defense have been covered in this series, this is by no means an exhaustive list of every type of defense available.
Every organization should consider its defense layers based on factors such as risk, budget, how much time is or can be devoted to security efforts, the number of personnel that actively take part in security, and other factors to find what will best defend against attacks within these constraints. Hopefully this series has provided a look into the various malware threats out there and potential ways to defend against them to aid in these decisions.
You can read the rest of the Malware 101 series here.