Editor’s note: This is part three of a four-part series on applying automation to security operations.

Introduction

This is the third installment of our blog series on taking a practical approach to security automation. In our second blog, we explored the ways in which automation can be applied to phishing.

Today, we’ll continue our discussion of automation, focusing on how it can be used to prevent the spread of malware. As in our previous blog on automation for phishing, we will break the problem down by phase. As a reminder, the three distinct phases we will review are containment, investigation, and remediation.

Containment: Swift Response to Stop the Spread

When organizations consider adopting automation, containment is typically their first area of interest. During this phase, the objective is to minimize the blast radius of the attack within the organization’s network. These automations usually take place at the endpoint level, leveraging an EDR. Below are some examples of actions that can be taken automatically in response to malware-related detections such as Suspicious File Downloaded and Malware Executed. Prior to automating, be sure to review the key considerations outlined in the initial blog of this series.

Detection: Suspicious File Downloaded

| Action | Description | Configuration Options to Further Minimize Risk |
|---|---|---|
| Initiate host scan | Automatically initiates an on-demand scan of the specified host. | Conduct a global scan to uncover other potentially impacted hosts. |
| Quarantine file | Moves the suspicious file into quarantine on the affected host. | Define a list of critical applications that should not be quarantined automatically. |

Detection: Malware Executed

| Action | Description | Configuration Options to Further Minimize Risk |
|---|---|---|
| Isolate host | Automatically isolates the affected device from the network to prevent further communication with malicious actors. | Define a list of critical infrastructure that should not be isolated automatically. |
| Stop process and ban hash | Adds the specified hash to the global ban list(s) to stop current processes and prevent further execution on the network. | Automatically run the hash against threat intelligence sources; continue with the automation only if the hash is confirmed malicious. |
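The containment decisions in the two tables above, with the risk-minimizing configuration applied as gates, as an added example that is not ReliaQuest's or GreyMatter's code. Host names, application names, hashes and the threat-intel lookup are constructed placeholders.

```python
# Added example (not ReliaQuest's code): containment decisions for the two detections
# above, with allowlists and a threat-intel check as gates. All values are constructed.
from dataclasses import dataclass, field

CRITICAL_HOSTS = {"dc01", "erp-db01"}            # never isolate automatically
CRITICAL_APPS = {"backup-agent.exe", "sap.exe"}  # never quarantine automatically
# Constructed threat-intel verdicts keyed by SHA-256 (placeholder hashes).
THREAT_INTEL = {
    "aaaa" * 16: "malicious",
    "bbbb" * 16: "benign",
}

@dataclass
class Detection:
    kind: str          # "Suspicious File Downloaded" or "Malware Executed"
    host: str
    file_name: str
    sha256: str

@dataclass
class Plan:
    actions: list = field(default_factory=list)      # taken automatically
    escalations: list = field(default_factory=list)  # handed to an analyst

def ti_verdict(sha256: str) -> str:
    """Look the hash up in threat intel; an unknown hash is not treated as malicious."""
    return THREAT_INTEL.get(sha256, "unknown")

def contain(det: Detection) -> Plan:
    plan = Plan()
    if det.kind == "Suspicious File Downloaded":
        # Scan globally, not just the affected host, to find other impacted hosts.
        plan.actions.append("scan:global")
        if det.file_name.lower() in CRITICAL_APPS:
            plan.escalations.append(f"quarantine:{det.file_name} (critical app, needs approval)")
        else:
            plan.actions.append(f"quarantine:{det.host}:{det.file_name}")
    elif det.kind == "Malware Executed":
        if det.host in CRITICAL_HOSTS:
            plan.escalations.append(f"isolate:{det.host} (critical infrastructure, needs approval)")
        else:
            plan.actions.append(f"isolate:{det.host}")
        # Kill the process and ban the hash only when threat intel confirms it is malicious.
        if ti_verdict(det.sha256) == "malicious":
            plan.actions.append(f"kill-and-ban:{det.sha256}")
        else:
            plan.escalations.append(f"review-hash:{det.sha256} ({ti_verdict(det.sha256)})")
    else:
        plan.escalations.append(f"unhandled detection type: {det.kind}")
    return plan
```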

Investigation: Gain Insight for Informed Decisions

Once the machine is isolated and the initial threat has been contained, the investigative phase seeks to understand the full scope of the potential incident. In this phase, automation is focused on enabling the analyst to be more efficient and consistent in their investigations.

Outlined below are common questions that must be answered during the investigation of a malware incident. With the right platform, these questions can be answered automatically at machine speed through targeted queries against the organization’s connected technologies.

Before starting to automate, you must first have a clear understanding of the organization’s tech stack and the various data repositories available for investigation of a malware incident. These could include SIEM(s), EDR(s), and even several data lakes. Additionally, review the key considerations outlined in the initial blog of this series.

| Query to Automate | Insight | Typical Data Source |
|---|---|---|
| What are the indicators of compromise (IoCs) associated with this malware incident? | IoCs, such as file name and file hash, are run against threat intel to identify malicious activity. | Endpoint detection and response (EDR), threat intelligence |
| What are the indicators of attack (IoAs) associated with this malware incident? | IoAs look for common tactics and techniques such as execution, persistence, and lateral movement. They are particularly useful in detecting fileless malware. | User activity monitoring, EDR, security information and event management (SIEM) |
| What is the behavior and purpose of the malware? | Dynamic analysis in a sandbox environment helps to uncover the true purpose of the suspicious file. | Sandbox |
| Where did the malware originate? | Identifying the source of the malware reveals the attack timeline and potential scope. | Network perimeter (e.g., firewall, proxy), email gateway, SIEM |
| Where else may the malware have spread? | It’s critical to identify whether this is a widespread threat or a targeted attack on a single machine. | SIEM, EDR |

Remediation: Recovery and Prevention

As the final phase of the malware automation playbook, remediation is responsible for recovery of affected systems and prevention of future malware incidents. While this stage will be influenced by the findings of the investigation, the general process can be accelerated through automation, which ensures every incident is remediated in a quick and consistent manner.

The tables below outline the automated actions that can be taken as part of the remediation phase for Suspicious File Downloaded and Malware Executed detections. These actions can be either platform- or human-initiated. Prior to automating, review the key considerations outlined in the initial blog of this series.

Detection: Suspicious File Downloaded

| Action | Description | Configuration Options to Further Minimize Risk |
|---|---|---|
| Delete file | Removes the suspicious file from the affected host. | Confirm whether the file was opened. If so, proceed to the next section for remediation of malware execution. |
| Block IoC | Based on the investigative findings, block any associated IoCs (e.g., file name, hash, IPs). | Use the results of threat intelligence and the sandbox environment to confirm the IoC is malicious before blocking. |

Detection: Malware Executed

| Action | Description | Configuration Options to Further Minimize Risk |
|---|---|---|
| Restore to pre-infected state | Remove malicious file(s), clean the registry, and remove persistence mechanisms. | If files were impacted by ransomware, initiate rollback via shadow copies if available. |
| Terminate user session and force password reset | Automatically terminate user session(s) and execute a password reset for the affected user account(s). | Create a user account allowlist that prevents the automatic response action from locking out mission-critical service accounts. |
| Un-isolate host | Restores full network connectivity for the affected device(s). | Ensure incident forensics and remediation steps have been completed prior to restoring the network connection. |
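The investigation questions ("where else has it spread?", "was the file opened?") and the remediation gates from the tables above, worked through together as an added example that is not ReliaQuest's or GreyMatter's code. The EDR telemetry rows, host and user names, hash values and the service-account allowlist are constructed; the verdict argument stands in for the threat-intel and sandbox result.

```python
# Added example (not ReliaQuest's code): scope a malware incident from constructed
# EDR telemetry, then derive remediation actions gated on those findings.
from dataclasses import dataclass, field
SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}   # never force-reset automatically
MAL = "aaaa" * 16                              # constructed malicious SHA-256
# Constructed telemetry rows: (host, event, user, sha256); "exec" means the file ran.
TELEMETRY = [
    ("ws-017", "download", "jdoe", MAL),
    ("ws-017", "exec", "jdoe", MAL),
    ("ws-042", "download", "svc-backup", MAL),
    ("ws-042", "exec", "svc-backup", MAL),
    ("ws-099", "download", "asmith", "bbbb" * 16),   # unrelated file
]

@dataclass
class Findings:
    sha256: str
    downloaded_on: set = field(default_factory=set)
    executed_on: set = field(default_factory=set)
    users: set = field(default_factory=set)
    def widespread(self) -> bool:
        # "Widespread threat or targeted attack on a single machine?"
        return len(self.downloaded_on) > 1

def scope(telemetry, sha256: str) -> Findings:
    # Where else has the hash been seen, and on which hosts was it opened?
    f = Findings(sha256)
    for host, event, user, digest in telemetry:
        if digest != sha256:
            continue
        f.downloaded_on.add(host)
        if event == "exec":
            f.executed_on.add(host)
            f.users.add(user)
    return f

def remediate(f: Findings, verdict: str, forensics_done: bool) -> tuple:
    # verdict comes from threat intel / sandbox; returns (automatic, needs-analyst).
    auto, manual = [], []
    if verdict != "malicious":
        return auto, [f"confirm verdict ({verdict}) before acting on {f.sha256}"]
    auto.append(f"block-ioc:{f.sha256}")
    for host in sorted(f.downloaded_on - f.executed_on):
        auto.append(f"delete-file:{host}")   # downloaded but never opened
    for host in sorted(f.executed_on):
        auto.append(f"restore:{host}")       # remove files, persistence, registry keys
        (auto if forensics_done else manual).append(f"un-isolate:{host}")
    for user in sorted(f.users):             # service accounts go to an analyst
        (manual if user in SERVICE_ACCOUNTS else auto).append(f"reset-password:{user}")
    return auto, manual
```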

Conclusion

Weaving automation into the fabric of your malware response playbook enables you to respond to threats quickly and consistently. Across containment, investigation, and remediation, there are many opportunities to accelerate the process through a unified security operations platform. With the automation capabilities of the ReliaQuest GreyMatter security operations platform, you can reduce your response times from hours to mere minutes, all while minimizing the risk of human error.