Remediate or Re-install? 3 Steps for Surgical Removal of Malware
You’ve discovered a compromised server or workstation. Congratulations! Your threat hunting and monitoring have paid off. The system is quarantined. Now what?
It’s easy to categorically repeat the best practice mantra “Always wipe a suspect system.” Do you wipe the system and start from scratch, or do you try to fix it and return it to service more quickly? A full wipe may be a meaningless approach without a proper understanding of the relevant threat. For example, rebuilding a system where an attacker has dumped credentials without installing additional tools or establishing persistence does not accomplish any useful objective, and only introduces downtime. There may be as many as 3 options:
- Wipe and re-install from scratch
- Restore from backup
- Remediate the system in place
#1 is regarded as safest but you’ll need to figure out how the endpoint was compromised to make sure it doesn’t re-occur. #2 is only safe if you address the same issue and can be sure that the backup you use isn’t already compromised. #3 is often the fastest way to return a system to service but if you don’t remove every vestige of the infection, you will run the risk of never actually stopping the attack. It’s like taking out a tumor - you want to get every last bit but also allow the patient to return to their life as soon as possible.
Because of the prevalence of endpoint compromise today, the pressure is on to tackle this issue as efficiently as possible both in terms of speed and safety. In this free virtual training, we will explore how to make the right decision about remediating vs. re-installing. It’s different for each situation because of variables like:
- Risk level of the data involved on the compromised system
- Production and availability value of the processes or user who is interrupted
- Level of effort required to replace the system – is it a highly customized configuration and software footprint that takes time to re-create and is prone to error? Or is it simply a node that can be discarded and replaced with an identical twin within minutes?
- Risk level and sophistication of the infection
- Evidence of extended dwell time or other indicators that additional back doors may be lurking
In this webinar, we will show you a detailed example of how surgical remediation of malware is maturing as a technology and discipline. Ryan Campbell from our sponsor, CrowdStrike, will discuss the recent resurgence of Emotet and the evolution of its evasion techniques. He will then take us through a step-by-step removal including:
- Identification and termination of malicious running processes
- Identification and deletion of residual file system artifacts on disk
- Identification and removal of persistence mechanisms in the registry, services, and elsewhere
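Before any termination or deletion, an analyst needs a picture of what is running, what is on disk, and what persists. The following read-only triage script is an added example for this page; it is not the webinar’s or CrowdStrike’s code and makes no claim about how Falcon Complete performs remediation. It enumerates the three areas listed above on a quarantined Windows host: running processes whose image is unsigned or outside the trusted roots, Run/RunOnce registry entries, and services and scheduled tasks whose binaries live outside those roots. The trusted root directories, the registry keys checked, and the function names are assumptions chosen for illustration; nothing in the script kills, deletes or modifies anything, so the output is a review list, not an automated cleanup.

```powershell
# Added triage example (not from the webinar or CrowdStrike). Run from an
# elevated PowerShell prompt on the quarantined host. Read-only: it reports,
# it does not terminate or delete.

# Directories treated as "expected" locations for executables (assumption;
# adjust for your environment, e.g. add your software deployment share).
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-TrustedPath {
    param([string]$Path)
    # Service/task command lines may be quoted and carry arguments; keep the executable part.
    $exe = if ($Path.StartsWith('"')) { $Path.Split('"')[1] } else { ($Path -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Running processes: image outside trusted roots, or Authenticode signature not valid.
function Get-SuspiciousProcess {
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status } else { 'Unknown' }
        if (-not (Test-TrustedPath $_.Path) -or $status -ne 'Valid') {
            [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Path = $_.Path; Signature = $status }
        }
    }
}

# 2. Registry autostart entries in the common Run/RunOnce keys (hypothetical
#    selection; extend with other autostart locations your team tracks).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RegistryAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell attaches to the object.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Trusted = (Test-TrustedPath $p.Value) }
        }
    }
}

# 3. Services and scheduled tasks whose executable sits outside the trusted roots.
function Get-SuspiciousService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and -not (Test-TrustedPath $_.PathName) } |
        Select-Object Name, State, StartMode, PathName
}

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and -not (Test-TrustedPath $action.Execute)) {
                [pscustomobject]@{ Task = $task.TaskName; TaskPath = $task.TaskPath; Execute = $action.Execute; Arguments = $action.Arguments }
            }
        }
    }
}

'== Running processes outside trusted roots or not validly signed =='
Get-SuspiciousProcess | Format-Table -AutoSize
'== Registry Run/RunOnce entries (Trusted = executable under a trusted root) =='
Get-RegistryAutostart | Format-Table -AutoSize
'== Services with binaries outside trusted roots =='
Get-SuspiciousService | Format-Table -AutoSize
'== Scheduled tasks with actions outside trusted roots =='
Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

Expect benign noise on a real host (legitimate software installed under user profiles, tasks that invoke `cmd` or `powershell` by bare name); the point is to produce the candidate list that the removal steps above act on, so that each process, file and persistence entry is accounted for before anything is terminated or deleted.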
Please join us for this technical education event.
Ryan Campbell, Analyst, Falcon Complete - CrowdStrike
Ryan Campbell is an Analyst for Falcon Complete. Ryan has served in various cybersecurity roles doing incident response and adversary research and reconnaissance. He now remediates malware with extreme prejudice as a Sr. Analyst on the CrowdStrike Falcon Complete team. Ryan holds a Bachelor of Science in Anthropology and a Master of Science in Cybersecurity from Missouri State University. Outside of work, Ryan loves to spend time outdoors with his wife and two dogs, either at the lake, the city park, or out on the local hiking trails. He is also an avid reader and, if not outside or tinkering on his computers, will likely be found with a Science Fiction/Fantasy book in his hands.