Malware Alert Investigation

A Malicious Enemy

Attacks involving malware are one of the most common tactics used by cybercriminals. The number of malware samples detected each day keeps rising, and the types and variations continue to evolve. Organizations need to improve and speed up their threat response procedures and strategies to detect and contain malicious software as quickly as possible. The solution is to automate malware detection and containment.

Through the Detective Lens of Automation

Using automated playbooks, a malware attack can be automatically detected, investigated, and contained even before it spreads and damages your network.

The malware alert investigation playbook performs the following tasks:

Incident Trigger

Upon getting an alert from the SIEM, the playbook automatically creates an incident in the Cyware Fusion and Threat Response (CFTR) platform.

Incident Enrichment

The incident enrichment process comprises several steps:

  • Threat Intelligence Lookup: After the incident has been created, a threat intelligence lookup is initiated to fetch more information about the detected malware from Cyware Threat Intelligence eXchange (CTIX) or VirusTotal.
  • User Enrichment: The playbook then queries Active Directory to fetch the user details.
  • Asset Enrichment: As a last step in the incident enrichment process, a query to the CMDB is made to fetch the asset details associated with the affected user.

Response and Remediation

The response and remediation process comprises several steps:

  • Containment:
    • If the hash is found to be malicious, an action is initiated to block it in the Endpoint Detection and Response (EDR) tool.
    • For Desktop / Laptop: The asset is quarantined using NAC / EDR to prevent the malware from spreading to other assets in the network.
    • For Server:
      • The asset quarantine ticket is created in the ticketing system and assigned to the respective asset owner.
      • A mobile notification is sent via the Cyware Situational Awareness Platform (CSAP) to the asset owner for immediate attention.
  • Security Control Remediation:
    • The affected user’s system is checked for the existing security controls installed.
    • If the security controls are missing, a ticket is raised in the ITSM tool for remediation.
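The containment and security-control remediation branches above, encoded as decision functions over an enriched incident, as an added example rather than Cyware's own playbook code. The Incident fields, the required-control baseline, the action names and the sample hash are assumptions; the example also escalates an unrecognised asset type instead of silently skipping containment, which the page's steps leave unaddressed.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Incident:
    """Enriched incident as the playbook holds it before the response stage (constructed)."""
    file_hash: str
    hash_verdict: str              # "malicious" | "clean" | "unknown", from the CTIX/VirusTotal lookup
    asset_type: str                # "desktop" | "laptop" | "server", from the CMDB
    asset_owner: str               # owner returned by the CMDB
    security_controls: List[str]   # controls found installed on the affected user's system

# Assumed baseline of required controls; the page does not name them.
REQUIRED_CONTROLS = frozenset({"edr_agent", "disk_encryption"})

def containment_actions(inc: Incident) -> List[str]:
    """Containment branch: block the hash in EDR if malicious, then quarantine by asset type."""
    actions = []
    if inc.hash_verdict == "malicious":
        actions.append(f"edr.block_hash({inc.file_hash})")
    asset = inc.asset_type.lower()
    if asset in ("desktop", "laptop"):
        actions.append("nac_edr.quarantine_asset")
    elif asset == "server":
        actions.append(f"ticketing.create_quarantine_ticket(assignee={inc.asset_owner})")
        actions.append(f"csap.notify_mobile({inc.asset_owner})")
    else:
        # Fail safe: an asset type the playbook does not recognise must not skip containment.
        actions.append("analyst.escalate(reason=unknown asset type)")
    return actions

def control_remediation_actions(inc: Incident) -> List[str]:
    """Security-control remediation: raise an ITSM ticket for every required control that is missing."""
    missing = sorted(REQUIRED_CONTROLS - set(inc.security_controls))
    return [f"itsm.create_ticket(missing_controls={missing})"] if missing else []

def response_plan(inc: Incident) -> List[str]:
    """Full response-and-remediation action list for one incident, in execution order."""
    return containment_actions(inc) + control_remediation_actions(inc)

if __name__ == "__main__":
    # Constructed sample: placeholder hash, malicious verdict, server missing the EDR agent.
    sample = Incident("deadbeef" * 8, "malicious", "server", "ops-team", ["disk_encryption"])
    for step in response_plan(sample):
        print(step)
```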

Threat Correlation

The playbook automatically queries CTIX or malware sandbox results to identify the associated TTPs of the malware for further investigation and threat correlation.

Learning and Closure

As a final step, an action is created in CFTR to provide remediation and document all lessons learned. Once all the investigation actions are completed, the incident is closed.

Cyware Advantage

End-to-End Visibility

Security automation allows you to gain complete visibility into malware campaigns by performing investigations at machine speed using past threat data and enrichment from multiple intel sources.

Reduce Malware Risk

By leveraging security automation, you can lower the risk of malware infection by monitoring all malware-related activities and analyzing critical detection parameters for IOCs, tactics, and techniques.

Draw Contextual Intelligence

The automated playbook helps you draw contextual intelligence on related threat campaigns, predict attackers' next actions, and observe threat patterns by correlating seemingly isolated threats and incidents.
