Speaking at RSA Conference 2019, Austin Murphy, VP of managed services at CrowdStrike, explored the ‘art of remediation’ for responding to cyber-threats.
Murphy used the example of Emotet, a threat that has proven both problematic and costly to remediate.
“Emotet is a family of malware that has been very prolific over the summer specifically,” he said. “The reason Emotet has been so problematic is because of what it does after it infects an endpoint. It doesn’t simply infect one endpoint, it steals credentials and moves laterally, infecting other endpoints on your network.”
Remediating a threat such as Emotet is a significant challenge, Murphy added, and the US CERT remediation advice currently available is often not a realistic option for many organizations.
So why is it so hard to “clean up” Emotet? Murphy asked. Because Emotet uses multiple worm-like exploitation techniques to spread, and it takes only one infected system to instantly re-infect an entire network.
It also creates “randomly named” binaries and is always updating. Therefore, organizations must master the ‘art of remediation’ to respond to a threat like Emotet.
So how do you master the art of remediation? It comes down to “rapid containment and eradication,” Murphy said.
The first step is to get a threat “in a headlock [containment],” he added, which involves:
- Identifying running processes
- Identifying persistence mechanisms
- Identifying binaries and other files
- Understanding malware functionality
The next step in the art of remediation is drowning a threat “in a bathtub [eradication],” Murphy said, which requires:
- Terminating malicious processes
- Quarantining content from disk
- Removing persistence mechanisms
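The two phases above map naturally onto a host-triage script. The following PowerShell is an added example written for this page; it is not code from Murphy's talk or from CrowdStrike. It assumes a Windows endpoint (Emotet's usual target), an elevated PowerShell 5.1+ session, and an assumed quarantine directory under ProgramData. `Get-HostInventory` covers the containment checklist (running processes, Run/RunOnce keys, scheduled tasks, services, WMI event consumers, and the binaries behind them); the "suspicious" flag is an assumed heuristic (unsigned code running from a user-writable directory), not a detection rule from the page. `Invoke-Eradication` covers the eradication checklist and only acts on indicators an analyst has confirmed from the inventory, defaulting to a dry run through `-WhatIf`.

```powershell
# Added example (not from the RSA talk or CrowdStrike). Assumes Windows, an
# elevated session and PowerShell 5.1+. Heuristics and paths are assumptions.

# Directories a standard user can write to; code launched from here gets extra scrutiny (assumption).
$script:UserWritable = @($env:ProgramData, $env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC)

function Test-UserWritablePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $script:UserWritable) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Containment phase: identify running processes, persistence mechanisms and binaries.
function Get-HostInventory {
    $processes = Get-CimInstance Win32_Process | ForEach-Object {
        $sig = if ($_.ExecutablePath) {
            (Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue).Status
        } else { 'Unknown' }
        [pscustomobject]@{
            Pid         = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Signature   = $sig
            # Heuristic (assumption): unsigned code from a user-writable directory needs analyst review.
            Suspicious  = (Test-UserWritablePath $_.ExecutablePath) -and ($sig -ne 'Valid')
        }
    }

    # Autostart entries under Run/RunOnce for the machine and the current user.
    $runKeys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($key in 'Microsoft\Windows\CurrentVersion\Run', 'Microsoft\Windows\CurrentVersion\RunOnce') {
            $path = "${hive}:\SOFTWARE\$key"
            if (Test-Path $path) {
                (Get-ItemProperty -Path $path).PSObject.Properties |
                    Where-Object { $_.Name -notmatch '^PS' } |   # drop the provider's PSPath/PSDrive noise
                    ForEach-Object { [pscustomobject]@{ Key = $path; Name = $_.Name; Value = $_.Value } }
            }
        }
    }

    # Scheduled tasks, one row per action so the launched binary is visible.
    $tasks = Get-ScheduledTask | ForEach-Object {
        $t = $_
        $t.Actions | ForEach-Object {
            [pscustomobject]@{ Task = $t.TaskName; TaskPath = $t.TaskPath; Execute = $_.Execute; Arguments = $_.Arguments }
        }
    }

    $services = Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName
    $wmi = Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue |
        Select-Object Name, __CLASS

    [pscustomobject]@{ Processes = $processes; RunKeys = $runKeys; ScheduledTasks = $tasks; Services = $services; WmiConsumers = $wmi }
}

# Eradication phase: terminate processes, quarantine binaries, remove persistence.
# Acts only on analyst-confirmed indicators; -WhatIf shows what would happen without changing the host.
function Invoke-Eradication {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int[]]$ProcessIds = @(),
        [string[]]$BinaryPaths = @(),
        [pscustomobject[]]$RunKeyEntries = @(),   # objects from Get-HostInventory's RunKeys
        [string[]]$TaskNames = @(),
        [string]$QuarantineDir = (Join-Path $env:ProgramData 'IRQuarantine')   # assumed location
    )
    foreach ($id in $ProcessIds) {
        if ($PSCmdlet.ShouldProcess("PID $id", 'Stop-Process')) { Stop-Process -Id $id -Force -ErrorAction SilentlyContinue }
    }
    if (-not (Test-Path $QuarantineDir)) { New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null }
    foreach ($bin in $BinaryPaths) {
        if ((Test-Path $bin) -and $PSCmdlet.ShouldProcess($bin, 'Quarantine')) {
            # Keep the sample for analysis under its hash so the random file name is not lost.
            $hash = (Get-FileHash -Path $bin -Algorithm SHA256).Hash
            Move-Item -Path $bin -Destination (Join-Path $QuarantineDir "$hash.quarantined") -Force
        }
    }
    foreach ($e in $RunKeyEntries) {
        if ($PSCmdlet.ShouldProcess("$($e.Key)\$($e.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        }
    }
    foreach ($task in $TaskNames) {
        if ($PSCmdlet.ShouldProcess($task, 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName $task -Confirm:$false -ErrorAction SilentlyContinue
        }
    }
}

# Usage: inventory first, review, then eradicate. Drop -WhatIf once the indicators are confirmed.
$inv = Get-HostInventory
$inv.Processes | Where-Object Suspicious | Format-Table Pid, ParentPid, Name, Path, Signature -AutoSize
$suspectPids = $inv.Processes | Where-Object Suspicious | Select-Object -ExpandProperty Pid
Invoke-Eradication -ProcessIds $suspectPids -WhatIf
```

Two points from the talk shape how this should be run. Because one infected host can re-infect the network, the containment inventory has to be collected and acted on across every affected host in the same window rather than host by host; and because the binaries are randomly named and the malware keeps changing, re-running `Get-HostInventory` after eradication is the check that the persistence is actually gone, not the absence of a known file name.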
To conclude, Murphy advised focusing on four key elements: prevention, visibility, remote control and expertise.