You’ve discovered a compromised server or workstation. Congratulations! Your threat hunting and monitoring has paid off. The system is quarantined. Now what?
It’s easy to categorically repeat the best practice mantra “Always wipe a suspect system”. Do you wipe the system and start from scratch or do you try to fix it and return it to service more quickly? A full wipe may be a meaningless approach without a proper understanding of the relevant threat. For example, rebuilding a system where an attacker has dumped credentials without installing additional tools or establishing persistence does not accomplish any useful objectives, and only introduces downtime.
There may be as many as 3 options:
- Re-install/re-image
- Restore from backup
- Remediate
#1 is regarded as safest but you’ll need to figure out how the endpoint was compromised to make sure it doesn’t re-occur. #2 is only safe if you address the same issue and can be sure that the backup you use isn’t already compromised. #3 is often the fastest way to return a system to service but if you don’t remove every vestige of the infection, you will run the risk of never actually stopping the attack. It’s like taking out a tumor - you want to get every last bit but also allow the patient to return to their life as soon as possible.
Because of the prevalence of endpoint compromise today, the pressure is on to tackle this issue as efficiently as possible both in terms of speed and safety.
In this free virtual training, we will explore how to make the right decision about remediating vs re-installing. It’s different for each situation because of variables like:
- Risk level of the data involved on the compromised system
- Production and availability value of the processes or user who is interrupted
- Level of effort required to replace the system – it’s a highly customized configuration and software footprint that takes time to re-create and is prone to error? Or is it simply a node that can be discarded replaced with an identical twin within minutes?
- Risk level and sophistication of the infection
- Evidence of extended dwell time or other indicators that additional back doors may be lurking
In this webinar, we will show you a detailed example of how surgical remediation of malware is maturing as a technology and discipline. Ryan Campbell from our sponsor, CrowdStrike, will discuss the recent resurgence of Emotet and its evolution of evasion techniques. He will then take us through a step by step removal including:
- Identification and termination of malicious running processes
- Identification and deletion of residual file system artifacts on disk
- Identification and removal of persistence mechanisms in the registry, services, and elsewhere
Please join us for this technical and educational real training for free event.