In a recent blog post, Gartner’s Anton Chuvakin wrote about “Using EDR for Remediation?” He defines remediation as “putting it the way it was.” NIST, in its Incident Handling Guide, goes into a little more detail, defining remediation as containment, eradication and recovery.
In reality, remediation is not simple at all, and it goes well beyond what any one tool can do. There is no “one size fits all” for remediation, and as Chuvakin stated, full automation is probably not a good approach, because each attack has its own effects and requires a different response.
There are several steps in remediation. You need to:
- Work out the scope of the attack. This involves finding the devices that have been compromised, finding the accounts that are being used as part of the attack, and looking for other users and machines that might be exhibiting related behaviors.
- Shut down the immediate attack activities. When you’re ready, you need to stop any ongoing activities that might result in damage to the business. This may be after a period of observation in which you work out who the attacker is and what they want, but eventually you’re going to want to shut the attack down. This means:
  - Getting rid of the malware on endpoints. This includes shutting down processes, quarantining files and deleting registry keys.
  - Stopping any compromised users from accessing the system. Sometimes attackers have legitimate credentials. Shutting them down means changing credentials or deleting compromised accounts.
  - Shutting down network communications. Without network communications it’s darned near impossible for the attack to progress. Identify command and control, lateral movement and any exfiltration going on, and block it.
- Resume normal operations. Depending on how pervasive and well-known the threat is, you may get away without having to re-image affected devices, but many security professionals will still want to re-image, just to be on the safe side. Plus, if data has been destroyed, you’ll need to restore from backups, and there may be a few awkward conversations with customers, partners and law enforcement to be had.
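The scoping and shut-down steps above, as an added worked example that is not part of the original post and is not Cybereason’s code: a small Python script starts from two indicators a responder would typically have in hand (a C2 address and a malware hash), pivots across endpoint telemetry to find the hosts and accounts involved, and then emits a dry-run containment plan covering endpoint cleanup, account lockdown and network blocking. Every hostname, user, file path, hash placeholder and IP address below is constructed sample data; the action names in the plan are hypothetical labels, not any product’s API.

```python
"""Incident scoping and containment planning over endpoint telemetry.

Added example, not from the original post or from Cybereason.
All hosts, users, hashes and addresses are constructed sample data.
"""

# Starting indicators handed to the responder (constructed placeholders).
C2_ADDRESSES = {"203.0.113.45"}              # TEST-NET-3 address standing in for a C2
MALWARE_HASHES = {"sha256-placeholder-malware"}

# Constructed telemetry: process starts, network connections and logons.
EVENTS = [
    {"ts": "09:00", "host": "ws-101", "user": "alice", "type": "process",
     "path": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "sha256": "sha256-placeholder-malware"},
    {"ts": "09:01", "host": "ws-101", "user": "alice", "type": "netconn",
     "dst": "203.0.113.45"},
    {"ts": "08:50", "host": "ws-300", "user": "alice", "type": "logon"},   # pre-incident
    {"ts": "09:30", "host": "srv-02", "user": "alice", "type": "logon"},   # lateral move
    {"ts": "09:35", "host": "srv-02", "user": "svc-deploy", "type": "process",
     "path": r"C:\Windows\Temp\update.exe",
     "sha256": "sha256-placeholder-malware"},
    {"ts": "10:00", "host": "srv-03", "user": "svc-deploy", "type": "logon"},
    {"ts": "08:00", "host": "ws-205", "user": "bob", "type": "logon"},     # unrelated
    {"ts": "10:05", "host": "ws-205", "user": "bob", "type": "netconn",
     "dst": "198.51.100.7"},                                                # unrelated
]


def is_malicious(event):
    """Direct indicator: runs a known-bad hash or talks to a known C2 address."""
    return (event.get("sha256") in MALWARE_HASHES
            or event.get("dst") in C2_ADDRESSES)


def scope_incident(events):
    """Return (hosts, accounts) touched by the attack.

    Rule 1: any host or account seen in a direct indicator event is in scope.
    Rule 2: any host where an in-scope account logged on at or after that
            account's first malicious observation is in scope, because the
            account is being used to move laterally. Earlier logons are
            ignored so ordinary pre-incident activity does not inflate scope.
    """
    events = sorted(events, key=lambda e: e["ts"])
    hosts, first_seen = set(), {}
    for e in events:
        if is_malicious(e):
            hosts.add(e["host"])
            first_seen.setdefault(e["user"], e["ts"])   # earliest sighting per account
    for e in events:
        if (e["type"] == "logon" and e["user"] in first_seen
                and e["ts"] >= first_seen[e["user"]]):
            hosts.add(e["host"])
    return hosts, set(first_seen)


def containment_plan(events, hosts, accounts):
    """Build an ordered, dry-run list of containment actions as (step, target, detail).

    Network blocking goes first so the malware cannot be re-tasked while the
    endpoint and account steps are carried out; nothing here executes anything.
    """
    plan = []
    for host in sorted(hosts):                      # 1. cut command and control
        for dst in sorted(C2_ADDRESSES):
            plan.append(("block_egress", host, dst))
    seen = set()                                    # 2. endpoint cleanup
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "process" and e.get("sha256") in MALWARE_HASHES:
            key = (e["host"], e["path"])
            if key not in seen:
                seen.add(key)
                plan.append(("kill_process", e["host"], e["sha256"]))
                plan.append(("quarantine_file", e["host"], e["path"]))
    for user in sorted(accounts):                   # 3. account lockdown
        plan.append(("disable_and_reset", user, "rotate credentials, revoke sessions"))
    for host in sorted(hosts):                      # 4. recovery decision per host
        plan.append(("reimage_or_restore", host, "decide after triage"))
    return plan


if __name__ == "__main__":
    scoped_hosts, scoped_accounts = scope_incident(EVENTS)
    for action in containment_plan(EVENTS, scoped_hosts, scoped_accounts):
        print("%-20s %-12s %s" % action)
```

Run as-is, the scope comes out as three hosts (ws-101, srv-02, srv-03) and two accounts (alice, svc-deploy): ws-300 is left out because alice’s logon there predates her first malicious activity, and bob’s machine is untouched because nothing ties it to an indicator. The plan is deliberately a list rather than a set of commands so that a human can review it before anything is shut down, which is the point the post makes about full automation.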
Our recent release of Cybereason Guided Remediation streamlines and automates remediation processes where and when possible. Our latest release helps:
- Eliminate and contain the immediate threat. Cybereason enables you to shut down a malicious process with a single click, as well as modify registry keys and quarantine files. This lets you stem the bleeding and slow the attacker down enough that you can triage the next steps you need to take.
- Identify the root cause of the problem. Cybereason can show you all the tools, tactics and procedures being used, so you can identify the likely goals of the attack and decide what response strategy to take.
- Show you where else to concentrate your remediation efforts. We’ll show you the suspicious users that are likely compromised, and the resources that they are using and accessing. This helps you understand the full range of activities beyond the endpoints that you’ll need to undertake to fully recover from the attack.
This is just the first step Cybereason is taking to help you remediate a cyberattack. We are currently developing additional capabilities to streamline the process of incident response and enable effective remediation of advanced threats. This includes new features that will enhance an organization's capabilities to contain, eradicate and recover from an attack.
Paul Stamp is the Director of Product Marketing at Cybereason.