Key Points for Effective Defense
Rapid Response Capability
Preauthorized Permissions: Ensure you have preapproval to act swiftly during a malware outbreak, including taking down networks or systems if necessary to contain the threat.
Risk Analysis: Use documented cases and news articles to demonstrate the risks and potential costs of malware incidents to organizational leadership, supporting the need for preapproved actions.
Evolving Threat Techniques
Syrian Electronic Army: Employing polymorphic Android malware for surveillance.
US CIA: Developing EFI malware like "Sonic Screwdriver" for Apple devices.
Russian Hackers: Creating LoJax UEFI malware that persists through OS reinstalls.
The job of defenders is increasingly challenging. Be prepared to make quick decisions in the face of imminent threats.
Defensive Strategies As per IR
Preparation
Buffer Overflow Defenses: Implement and configure non-executable stacks to prevent simple stack-based buffer overflow exploits.
Patch Management: Develop a process for rapidly identifying, testing, and deploying patches.
Application Whitelisting: Use tools like Software Restriction Policies or Applocker to allow only approved software to run.
Data Encryption: Encrypt data on hard drives to protect it in case of theft.
Tabletop Exercises: Conduct exercises to ensure the organization can respond swiftly and effectively to an attack.
Identification
Regular Antivirus Updates: Keep antivirus solutions up to date on desktops, mail servers, and file servers.
Containment
Incident Response: Integrate incident response capabilities with network management to enable real-time network segment isolation if necessary.
Eradication and Recovery
AV Tools: Use antivirus tools to remove infestations or rebuild systems if necessary.
Detailed Defensive Measures
System Hardening
Implementing non-executable stacks and host-based Intrusion Prevention Systems (IPS) can mitigate many buffer overflow exploits.
Thoroughly test security patches before deployment to ensure they do not disrupt critical applications.
Encryption
Use filesystem encryption tools to secure data on hard drives, ensuring that stolen data cannot be easily read without the encryption key.
Antivirus and Application Whitelisting
Regularly update antivirus solutions to catch known threats.
Employ application whitelisting to prevent unauthorized programs from running, reducing the risk of malware execution.
Incident Response and Network Management
Include network management personnel in the incident response team to enable swift action in isolating affected network segments during an outbreak.
By integrating these defensive strategies and maintaining a state of preparedness, organizations can effectively mitigate the risks posed by worms and bots and respond rapidly to emerging threats.
Comentarios