Companies of all sizes either protect their infrastructure insufficiently or procure important products, for example a "Security Information and Event Management" system, that support IT. In almost all cases, there is no tailored, product-independent solution that performs an automated initial response to serious security incidents. Two things are certain: only automated processes acting in the first few seconds can make life harder for a complex Trojan, and users in the company will keep running Trojans no matter how much awareness training they receive.
The crime scene
After the last conference, "Mr. W" checks the incoming emails. In one email, an important recent purchasing transaction is escalated. The sender is known to "Mr. W". "Mr. W" tries to open the PDF. The loading bar of the PDF application appears and disappears after a few seconds without an error message. It is already late and the sender is only available in the mornings on this day of the week, so "Mr. W" ends his workday.
The attack
A personalized attack is launched on "Mr. W's" company. Even before "Mr. W" logs off, the attackers have, within a few minutes and fully automated, established their own encrypted tunnel into the company network, gathered rich information about the company's infrastructure, captured the identity of "Mr. W" together with a deployed service account that runs on the company's workstations with local system privileges, and installed a collection of malware on the temporarily shut-down workstation of "Mr. W".
The countermeasures
An automated attack must be answered with automated countermeasures in order to minimize the damage. When a local report of detected malware on a remote file server is triggered, it must be possible to identify the workstation of the originator, "Mr. W", in the company's network. Once identified, forensic data must be collected and the user account and workstation isolated for subsequent manual action. Finally, a comprehensive report and notifications about the incident must be sent out across the enterprise, and reactive manual actions follow in the aftermath. No more than five seconds should elapse from the moment malware is detected until the originator and his or her workstation are isolated.
The technology
When malicious code is executed in the company's infrastructure, events can indicate a malware incident early on and trigger an automated process that evaluates the situation according to a defined algorithm. Each server can initiate this process without the use of service accounts, communicate with the other systems and exchange information with them. In this mutual communication, jobs can be sent to other systems. Dedicated auxiliary systems complement the identification and isolation of the originator.
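As an added illustration of the response flow sketched under "The countermeasures" and "The technology" (constructed example code, not the product described on the page), the following Python script takes a file-server malware alert, maps the writing account to a workstation via a logon-session table, queues forensic triage tasks, records the isolation actions and checks the five-second budget. The alert, the session table, the host names, accounts and IP addresses are all made up, and every directory, EDR or mail call is represented by a recorded action so the flow runs offline.

```python
"""Automated first response to a malware alert from a file server.

Constructed illustration: file server reports malware -> originating user
and workstation are identified -> forensic triage tasks are queued ->
account and workstation are isolated -> a report is produced, all checked
against a five-second budget.  External calls are recorded as strings so
the flow runs offline; every host name, account and IP below is made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Constructed alert, shaped like what a file-server AV engine might raise.
SAMPLE_ALERT = {
    "event_id": "AV-0001",
    "server": "FS01",
    "path": r"\\FS01\projects\offer.pdf.exe",
    "detection": "Trojan.Generic",
    "writer": r"CORP\mr.w",        # account that wrote the file
    "writer_ip": "10.0.20.15",     # SMB client address of that write
    "detected_at": 1000.0,         # epoch seconds, constructed
}

# Constructed logon-session table (what a domain controller or EDR would answer).
SESSIONS = {
    r"CORP\mr.w": {"host": "WS-MRW", "ip": "10.0.20.15"},
    r"CORP\svc-deploy": {"host": "WS-MRW", "ip": "10.0.20.15"},
}

DEADLINE_S = 5.0  # detection-to-isolation budget stated in the text


@dataclass
class ResponsePlan:
    originator: str
    workstation: str
    forensic_tasks: list = field(default_factory=list)
    isolation_actions: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    elapsed_s: float = 0.0
    within_budget: bool = False


def identify_originator(alert: dict, sessions: dict) -> tuple[str, str]:
    """Map the writing account to a workstation, cross-checked by client IP.

    The file server only knows which account wrote the file and from which
    address; the session table turns that into a host.  If the account has
    no matching session (e.g. a service account), fall back to any session
    from the same client address; if nothing matches, fail loudly rather
    than isolate a guessed host.
    """
    user = alert["writer"]
    session = sessions.get(user)
    if session and session["ip"] == alert["writer_ip"]:
        return user, session["host"]
    for other in sessions.values():
        if other["ip"] == alert["writer_ip"]:
            return user, other["host"]
    raise LookupError(f"no workstation found for {user} / {alert['writer_ip']}")


def collect_forensics(host: str, path: str) -> list[str]:
    """Triage tasks queued against the workstation before it is cut off."""
    return [
        f"{host}: snapshot running processes with parent chain",
        f"{host}: list active network connections and DNS cache",
        f"{host}: capture autoruns and scheduled tasks",
        f"{host}: copy recent documents and browser/mail caches",
        f"fileserver: quarantine {path}",
    ]


def isolate(user: str, host: str) -> list[str]:
    """Containment actions, host first so the malware loses its tunnel."""
    return [
        f"network-isolate:{host}",
        f"disable-account:{user}",
        f"revoke-sessions:{user}",
    ]


def respond(alert: dict, sessions: dict, clock: Callable[[], float]) -> ResponsePlan:
    """Run the whole flow and report whether it met the time budget."""
    user, host = identify_originator(alert, sessions)
    plan = ResponsePlan(originator=user, workstation=host)
    plan.forensic_tasks = collect_forensics(host, alert["path"])
    plan.isolation_actions = isolate(user, host)
    plan.elapsed_s = clock() - alert["detected_at"]
    plan.within_budget = plan.elapsed_s <= DEADLINE_S
    verdict = "within" if plan.within_budget else "OVER"
    plan.notifications = [
        f"SOC: {alert['detection']} on {alert['server']} originated from "
        f"{user}@{host}; isolated after {plan.elapsed_s:.1f}s "
        f"({verdict} {DEADLINE_S:.0f}s budget)"
    ]
    return plan


if __name__ == "__main__":
    # Constructed clock: three seconds after detection.
    result = respond(SAMPLE_ALERT, SESSIONS, clock=lambda: 1003.0)
    for line in result.forensic_tasks + result.isolation_actions + result.notifications:
        print(line)
```

The clock is injected so the budget check is deterministic; in a real deployment it would be the system clock, and an alert that resolves to no workstation should be escalated for manual handling rather than dropped.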
The effort
Such an automation project begins in the enterprise with the realization that measures against malware need to be handled in an automated way. The intelligence lies in the code and in the architecture. The individual infrastructure of each company is taken into account, and no requirements are placed on specific products or antivirus programs. After a quarter of development work, the first version of the "antivirus extension" can provide supplementary protection for the company and, in the event of danger, valuable preliminary work for the IT security department.