The default state for most infosec practitioners is to assume compromise. Malicious actors are continuously searching for vulnerabilities to exploit, creating new malware types, and testing them against network defenses. This developmental process occurs at an alarming rate; the number of new, identified malware variants jumped from 150,000 in 2019 to 270,000 in 2020. This precipitous rate of growth means compromise isn’t just possible for any network, it’s inevitable.
As a consequence, security teams must use malware mitigation strategies in addition to their prevention tactics. These strategies reduce the impact of a compromise once it takes place, ensuring that key data and systems are protected. From kill switches to microsegmentation, this article covers the three most important malware mitigation techniques network security professionals should know.
For more on ensuring your network security, check out our guide, Malware Protection: Everything IT Pros Need to Know.
Jump to a section…
The Top Three Malware Mitigation Techniques
Implement Edge Microsegmentation
Start Implementing Microsegmentation Today
The Top Three Malware Mitigation Techniques
When network security teams discover malware, they need to act quickly to prevent the attack from causing irreversible damage. To ensure they can execute on this mandate, the team should deploy one or more of the following malware mitigation techniques.
Deploy Kill Switches
A kill switch is a mechanism that shuts off a network’s internet connectivity — and sometimes shuts down operations or deletes data. Kill switches can be used both by a cyber attacker and the cyber security team. As a consequence, cyber security teams can help mitigate the damage caused by a malware attack by proactively creating and deploying their own kill switches in case of an attack and finding and removing the attacker’s kill switch during IR procedures. Here is how each of these tasks can be accomplished.
- Create and deploy a defensive kill switch: A good defensive kill switch’s primary job is to disable the malware’s internet connection so that propagation and lateral movement is terminated. Defensive kill switches impact network operations, so it is advisable to understand all of the downstream side-effects a loss of connectivity will cause before activating the kill switch. Although this may interrupt some business processes, the opportunity cost is much higher from not doing anything and having the malware spread deeper into the network.
- Find and remove attacker kill switches: Malicious actors use kill switches to cover their tracks. They build a mechanism into the malware that, once activated, can cut off outside communication, delete evidence of tampering, and shut down the system. If deployed, the kill switch can cause massive disruption to the organization under attack — and may prevent the security team’s ability to discover the culprit. Early detection is critical to minimizing the damage malware kill switches can cause, so use the latest intrusion detection systems (IDS) and malware detection tools to give your team the time they need to find the threat.
- Back up important data: If a malware attack does spread across your network, it will often cause extensive destruction or degradation of sensitive company data. To mitigate this damage, make sure to continually back up important digital assets. This should cover any essential data, systems, and applications.
Prevent Lateral Movement
Lateral movement occurs post-compromise when malicious actors explore the network by moving from system to system within a network to solidify their foothold and achieve their attack objective. This tactic has been deployed in several noteworthy cyberattacks, including WannaCry and NotPetya. Given the tactic’s popularity and efficacy, security teams should consider deploying the following strategies to prevent lateral movement:
- Isolate vulnerable systems: Legacy devices and applications pose a huge security risk to organizations. If not properly handled, it can give attackers an open door into company data, processes, and more. To keep an attack from spreading into your legacy systems, isolate any tech that cannot be patched from the rest of the network.
- Restrict network communications: If you want to prevent the spread of malware, you need to reduce the channels by which the infection can travel. Go through the entire list of network communication types — application to application, device to device, or network to network — and cut anything that isn’t absolutely essential, especially direct internet exposure.
- Deploy context-based access controls: Another means of reducing the risk of spread is the use of context-based access controls. This approach grants system access dynamically based on an analysis of the conditions of the request, like whether or not it matches historical patterns. The use of such a technique significantly increases the likelihood that only authorized individuals can access sensitive data and network controls.
Implement Edge Microsegmentation
One of the best malware mitigation strategies is microsegmention. Microsegmentation breaks an organization’s network environment into multiple smaller, isolated networks — sometimes down to the endpoint. This approach dramatically reduces the network’s attack surface and increases the defensibility of each microsegment, thereby significantly raising the security profile of the network as a whole.
If a malware attack is able to compromise an individual microsegment, that success — unlike with networks that rely solely on traditional perimeter security — does little to threaten the integrity of the rest of the network. Microsegmentation restricts the communication between microsegments through whitelisting devices and least privilege access controls, making lateral movement difficult or impossible. In addition, microsegmentation also allows for the security team to exercise control at a distance, enabling them to contain, control, and remediate an attack as soon as a breach occurs.
Start Implementing Microsegmentation Today
Microsegmentation is one of the most effective malware mitigation strategies implemented today. If you are not currently using this technique, consider working with an experienced partner to help you implement this powerful approach to network security.
Byos has created the first microsegmentation solution for high assurance use cases: the Byos µGateway. The µGateway uses edge microsegmentation and hardware-enforced isolation to optimize your ability to detect, contain, and eliminate threats after a breach occurs. With features like lateral movement prevention and a ransomware killswitch, the µGateway is a comprehensive malware mitigation solution that will help you stop an attack in its tracks. Ready to learn more? Get in touch with us here.