Executive View

Malwarebytes Nebula and Incident Response

Organizations and individuals are constantly under threat from malware. Malware variants evolve and proliferate daily, making it increasingly difficult to prevent infections, compromises, and consequences such as data leakage and damage. While Endpoint Protection (EPP) solutions are primarily designed to prevent malware infection, Endpoint Detection & Response (EDR) solutions are intended to discover and remediate compromises by malware. Both kinds of products are necessary security infrastructure in today's business reality. Malwarebytes Nebula is the company's EPDR offering, and Malwarebytes Incident Response adds granular remediation capabilities. The proprietary Linking Engine technology in Malwarebytes Incident Response (IR) scans networked endpoints to root out and destroy malware already downloaded and activated on a system. IR may be deployed as a standalone product and is easily integrated into existing infrastructure.

John Tolbert

jt@kuppingercole.com

1 Introduction

Malware is and will likely continue to be a top threat and thus a top concern among business and IT security professionals. It comes in many forms: viruses, worms, rootkits, botnets, file-less malware, ransomware, and crypto-miners are prevalent in the wild. Malware is usually, and almost by definition, an exploitation of an operating system or an application vulnerability.

Ransomware attacks are still popular and evolving. Ransomware is a form of malware that may encrypt users' data, demanding that ransom be paid for the return of control or for decryption keys. The newest forms of ransomware are deployed similarly to an APT campaign, with staging of ransomware on various machines throughout an enterprise and exfiltration of data prior to ransomware detonation. Needless to say, paying the ransom only emboldens the perpetrators and perpetuates the ransomware problem.

Moreover, in many cases the ransomware operators do not provide working decryption keys, so paying the ransom is purely a waste of money. Over the last couple of years, some attackers have used ransomware techniques and payloads for purely destructive purposes too – rather than asking for ransom, these destructive "wiper" ransomware types simply delete or zero out data. Other ransomware operators exfiltrate data and threaten to publish it unless a ransom is paid.

Once infected with ransomware, organizations must decide if they are going to:

  • Pay the ransom and hope that malefactors return control, send decryption keys, or delete and not publish stolen information (not recommended since it doesn't always work and incentivizes criminals)
  • Wipe affected machines and restore data from backup
  • In the case of wipers, there is no choice but to rebuild from backups

Restoration is sometimes problematic if users or organizations haven't been keeping up with backups, or if backups have been contaminated by malware. Even if backups are readily available, time will be lost in cleaning up the compromised computers and restoring the data. Thus, preventing ransomware infections is preferred. However, no anti-malware product is 100% effective at prevention. It is still necessary to have good, tested backup/restore processes for cases where anti-malware fails.

Ransomware attacks often arrive as malicious links or weaponized Office docs via phishing campaigns. Disabling macros can help, but this is not universally effective since many users need to use legitimate macros. Less commonly, ransomware can also come from drive-by downloads and malvertising.

Viruses are far more sophisticated than they were decades ago. Now viruses are generally polymorphic, meaning they alter their structure to try to avoid detection upon every iteration. Viruses infect files and usually need user interaction to initiate a compromise. Worms are malicious code that spreads across unsecured networks, relying upon unpatched, compromised applications and unprotected ports. Rootkits are low-level malware usually implemented like device drivers in operating systems. Rootkits allow bad actors complete control of affected machines. Botnets are collections of controlled devices, often compromised by rootkits, that are used in large numbers to magnify other kinds of attacks, such as Distributed Denial of Service (DDoS) attacks, credential stuffing, account take-overs (ATOs), or other forms of cybercrime. Botnets can be composed of PCs, servers, smartphones, IoT devices, etc.

File-less malware is a malicious innovation that seeks to avoid signature-based anti-malware scanners by propagating between machines without being written and transferred as files. Instead, file-less malware is malicious code which spreads by process or memory injection. Once on a target device, file-less malware uses native tools like PowerShell or .NET to assemble and execute the malicious payload. File-less malware attacks are still on the rise.

All computing assets should have Endpoint Protection Detection & Response (EPDR) clients installed with up-to-date subscriptions. Windows platforms are still the most targeted, though there are increasing amounts of malware for Android. It is important to remember that Apple's iOS and Mac devices are not immune from malware, and as market share increases, particularly for Mac devices, the amount of malware for that platform will likely increase too.

EPDR solutions should be able to prevent malware execution in the vast majority of instances. In situations where compromises do happen, EPDR tools provide the ability to create alerts and reports, terminate offending processes, delete or move files, restore registries, automatically quarantine assets suspected of having been compromised, and in some cases, roll back compromised endpoints to known good states.

