Three phases of malware defense

Three phases of malware defense
(Image credit: / Nicescene)

The world of malware is a huge and evolving expanse. Ransomware tends to be one of the most popular forms of malware discussed, partly because it’s a type of malware that announces itself; most other malware actively tries to avoid detection. If you’ve focused efforts on defending against ransomware, have you also implemented defenses against malware NOT meant to be discovered?

Since ransomware has to make itself known in order for a ransom to be paid, detection is a given. For malware that needs to be stealthy, to avoid user interaction and persist as long as possible, it would make sense that organizations focus on their ability to detect malware. Defensive measures designed to prevent malware from getting onto your system in the first place are effective in both cases, however.

About the author

Tim Erlin, VP, product management and strategy at Tripwire.

Taking that into account, malware defense should span all three phases: prevention, detection and remediation. These are some of the top security controls within each area.

1. Prevention

Avoiding an incident completely is, of course, the ideal way to address malware, which is why we start with prevention. These are security controls such as network monitoring aimed at preventing initial malware infections, but also for preventing it from spreading should malware make it onto the system.

Secure Configuration Management: As part of a solid security foundation, managing secure configurations helps protect your assets from malware. Prevention starts with secure configurations, otherwise the door is left wide open for malware to get into your environment.

Vulnerability Management: Hand-in-hand with secure configuration management, vulnerability risk needs to be managed as a key defense. It’s common for malware to exploit some kind of vulnerability in order to get installed on a system.

Integrity Management: If you can effectively start with a secure environment, you’ll need to maintain the integrity of that environment. This requires detecting changes and evaluating how they impact security. Malware can be kept out, or at least kept from spreading, by maintaining integrity of the systems.

Privileged Identity Management: The misuse or misconfiguration of privileged accounts is a common mechanism for attackers to gain entry or expand their footprint in an environment. Attackers will often look for workstations or laptops running as admin for an easier path to install malware. 

Email Security: It’s also very common that phishing and other email-based attacks serve as the entry point for all different kinds of malware. While you may not be able to prevent 100% of malware coming in, neglecting email security will increase your chances of infection.

2. Detection

If malware gets in your environment, you want to detect it before it gains a foothold.

Anti-Malware Tools: Anti-malware tools may be the first to come to mind when thinking about detection. Off-the-shelf anti-malware tools can aid in detecting malicious software on the network or on a host, but none of them are perfect yet. Other fundamental security controls need to be considered to build up detection abilities.

Change Detection: Every incident starts with a change, including malware infections. Most of the time, malware has to make some kind of a change in the environment. The changes left in its wake can often be used to identify malware: new files on a system, changes in settings, changes to logging, etc. A good change detection system will also differentiate the suspicious changes from business-as-usual changes.

Log Management: Collecting and analyzing logs is another foundational security control that’s also key in identifying malware’s initial activity and the extent of an infection. Comprehensive log management provides important visibility into malicious activity.

Suspicious File Detonation: Suspicious files not caught by malware detection tools need to analyzed. Malware sandboxing tools can execute (or detonate) a file and analyze its behavior to indicate if the file is malicious, suspicious or benign. This is an advanced malware detection capability that can be bolted onto change detection and log management capabilities.

3. Remediation

Addressing malware might seem as simple as “removing malware,” but really the goal should be to return your environment to a trusted state. Otherwise your systems remain susceptible to another incident. 

Anti-Malware Tools: You can start with anti-malware tool to quarantine or remove malware.

Backups: Back-ups aren’t only for restoring data loss; restoring from a known-good backup is also necessary to restore trust. An environment that’s been compromised is no longer trustworthy, so you want to get back to a known-good state.

Configuration Management: If you can’t start over from back-up, you’ll need to rebuild to a trusted state. That requires defining what a trusted state looks like, which can be done by establishing and maintaining known-good baseline configuration. The baseline can serve as a guideline for rebuilding and configuring systems after an incident.

These security controls are best practice in general, but also specifically address how malware gets in and impacts your environment. Whether defending against stealthy malware for cryptojacking, or self-announced ransomware, a malware defense strategy should include all three phases of prevention, detection and remediation.

Tim Erlin

Tim Erlin is the VP of Product Management and Strategy at Tripwire. In his 12 year tenure at nCircle, prior to acquisition by Tripwire, he grew the vulnerability management business from a handful of customers to more than 5000, including global expansion. Erlin also managed nCircle's policy compliance and reporting products. Erlin's background as a Sales Engineer has provided a solid grounding in the realities of the market, allowing him to be an effective leader and product manager across a variety of products. His career in information technology began with project management, customer service, as well as systems and network administration. Erlin also contributes directly to the information security through press, blogging, podcasts and television.