Endpoint Attacks Tips and Best Practices

Tuesday, May 30th, 2023



By following a well-established response plan for Endpoint Attacks, organizations can help ensure the confidentiality and integrity of their systems and data.

In today’s digital environments, the threat of a genuine malware infection on an endpoint is very real and poses a significant risk to your organization if not handled properly. A fast and ordered response to Endpoint Attacks is crucial for minimizing the impact and damage of an infection and for the protection of sensitive information. The reality is not if an infection occurs, but when. By following a well-established response plan, organizations can help ensure the confidentiality and integrity of their systems and data.

Listed below are some general guidelines and observed industry practices* to help bolster or enhance your existing response plan after the detection of an Endpoint Attack. These guidelines assume a malware incident has already been detected. They are only guidelines, and the actual response can and likely will vary depending on current resources, existing policies, and the severity of the infection. To ensure the continued effectiveness of your institution's cyber security risk management, DefenseStorm recommends following your existing incident response plan and processes/procedures for handling compromise and infection.

STEP 1: Disconnect the problem machine from your network.

While we do not promote one solution over any other, we recommend using a sandbox solution to disconnect the host from the network. If none is available, disconnect the host from all network connections. This prevents the malware from spreading or calling home. If you have the ability to quarantine a device via an EDR tool or another method, this offers a workable solution in most cases as well. If none of the above is possible, shut the device down. While forensic evidence may be lost, the protection of your employees, assets, and network is most important.

STEP 2: Delete or remove the infection source if possible.

If an email is the source, try to remove it from all inboxes. If a file or file share is the source, delete the file or, at minimum, restrict access to the location where the infection resides. This will help prevent further spread inside your environment.

STEP 3: Reset passwords and/or disable accounts.

Depending on the type of compromise or infection, at minimum, reset passwords for impacted users. Depending on the depth and access of potential bad actors, accounts of compromised individuals should likely be disabled.

STEP 4: Halt any occurring backups for infected devices.

Stopping backups will help ensure that, in the event of a data restore, you are not re-infecting hosts and causing additional clean-up.

STEP 5: Create a forensic backup of the impacted devices.

This will help with post-incident investigation and remediation and give responders an accurate representation of the endpoint to work from. In addition, if data later needs to be recovered from disk, the forensic image serves as a controlled, non-interactive source for acquisition.

STEP 6: Re-image the machine and scan.

Re-imaging is a sure way to remove rootkits and registry entries from machines, along with the hidden persistence that can come with malware infections. It is widely considered the best method to help ensure the infection is eradicated from a host. That being said, policies around data restoration to a newly re-imaged machine should be in place and followed, along with scanning any newly restored device to make sure backups are not compromised. Remember, using more than one scanning tool or method is seen as a best practice.

STEP 7: Reporting and Lessons Learned

Documenting the incident is important. Internal reporting does not necessarily have to be overly technical, but it should answer the basic questions of Who, What, When, Where, Why, and How and add some detail around each one. It serves as a record of what happened, provides a reference if a third party becomes involved, and provides historical context should a similar incident occur. Reviewing the report and evaluating the details allows you to put controls in place, make policy or software configuration changes, patch, train, or pursue other remediation efforts so that the risk of the event happening again is reduced.

STEP 8: Continued Monitoring

After all the above steps have been completed, continue to monitor the host for a minimum of 7 days to look for indicators of re-infection or risky user behavior and address them as needed with the employee or parties involved.
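The monitoring in Step 8 is only as good as the indicators recorded during Steps 5 and 7. The following added example (not DefenseStorm's code) shows one way to check a re-imaged host's event log for re-infection inside the 7-day window, using a constructed incident record and constructed log lines; the host name, hash, domain and log format are all assumptions.

```python
from datetime import datetime, timedelta

MONITOR_DAYS = 7  # minimum post-incident monitoring window from Step 8

# Constructed incident record: indicators captured while handling the
# incident (forensic image, report). All values are placeholders.
INCIDENT = {
    "host": "WS-0421",
    "reimaged_at": datetime(2023, 5, 30, 14, 0),
    "file_hashes": {"0123456789abcdef" * 4},   # constructed SHA-256
    "domains": {"callback.example.invalid"},   # constructed callback domain
}

# Constructed endpoint events: "<iso timestamp> <host> <event> key=value ..."
SAMPLE_LOGS = [
    "2023-05-30T15:10:00 WS-0421 dns_query name=updates.example.invalid",
    "2023-05-31T09:02:11 WS-0421 file_create path=C:\\Users\\jdoe\\Downloads\\invoice.exe sha256="
    + "0123456789abcdef" * 4,
    "2023-06-01T11:20:00 WS-0421 dns_query name=callback.example.invalid",
    "2023-06-09T08:00:00 WS-0421 dns_query name=callback.example.invalid",  # after window
    "2023-05-31T10:00:00 WS-0077 dns_query name=callback.example.invalid",  # other host
]


def in_monitor_window(ts, reimaged_at, days=MONITOR_DAYS):
    """True if the event falls within `days` after the host was re-imaged."""
    return reimaged_at <= ts <= reimaged_at + timedelta(days=days)


def parse_line(line):
    """Split a constructed log line into timestamp, host, event and fields."""
    ts, host, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), host, event, fields


def find_reinfection_indicators(lines, incident):
    """Return (timestamp, reason, detail) for each event on the monitored host,
    inside the monitoring window, that matches a recorded incident indicator."""
    hits = []
    for line in lines:
        ts, host, event, f = parse_line(line)
        if host != incident["host"] or not in_monitor_window(ts, incident["reimaged_at"]):
            continue
        if event == "file_create" and f.get("sha256") in incident["file_hashes"]:
            hits.append((ts, "known malicious hash reappeared", f.get("path", "")))
        elif event == "dns_query" and f.get("name") in incident["domains"]:
            hits.append((ts, "contact with known callback domain", f["name"]))
    return hits
```

Events outside the window or from other hosts are ignored here; in practice they would be routed to normal detection rather than the post-incident review.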

Properly handling malware infections on endpoints is crucial for protecting sensitive information and minimizing damage. Organizations should have a well-defined response plan in place to ensure the confidentiality and integrity of their systems and data.

*These are only suggestions based on industry-observed practices. This list is not exhaustive and is not intended to be a substitute or replacement for any existing policy, procedure, or incident response plan you have in place. DefenseStorm recommends following your existing plan and processes/procedures for handling Endpoint Attacks.

James Bruhl


Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordination efforts to mitigate the impact of breaches, vulnerability identification, and strategy implementation to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.