SpyCloud launched Compass, a transformative solution to help businesses detect and respond to the initial precursors of ransomware attacks.
Compass provides definitive proof that data lifted by malware infections is in the hands of cybercriminals and provides a comprehensive approach to incident response for malware-infected devices, known as Post-Infection Remediation.
Application information and stolen cookies from infected employee and contractor devices are often used by ransomware operators and Initial Access Brokers (IABs) to identify targets and infiltrate corporate networks undetected.
As remote workers and contractors increasingly blur the lines between managed and unmanaged device usage, malware infections on employee-owned systems enable cybercriminals to bypass traditional ransomware protection solutions, including endpoint protection. Every time an employee logs in to work on an infected device, bad actors have an easy path to workforce applications used for single sign-on (SSO) authentication, remote access portals, virtual private networks, code repositories, accounting applications and other critical business systems.
In the 2022 SpyCloud Ransomware Defense Report, 87% of organizations surveyed indicated concern about infostealer malware on unattended devices creating ransomware entry points. Even with this concern, most companies allow employees to access corporate applications on unmanaged, personal devices and rely on vendors and contractors with BYOD policies or lax controls on managed devices, widening the attack surface for adversaries to exploit.
Security Operations Center (SOC) teams can use SpyCloud Compass to identify when devices, applications and users are compromised by malware, even if the infected device or business application falls outside the company’s control. Incident responders can visualize the scope of each threat at a glance and see all the details needed to remediate quickly. This reduces the legwork of investigating the potential impact of a compromised device, allowing them to move quickly from detection to response.
With Post-Infection Remediation, a comprehensive approach to remediating malware infections, security professionals now have a number of steps they can include in their traditional incident response playbooks to properly mitigate the potential for ransomware and other cyber attacks by resetting application credentials and invalidating session cookies stolen by infostealer malware.
“When a piece of data is compromised by malware, that data doesn’t just disappear – but many companies don’t fully realize the long-term implications for their ransomware risk,” said Ted Ross, CEO of SpyCloud. “Compass was designed to address this problem. It reduces enterprise exposure by arming the security team with knowledge of the infected devices accessing critical workforce applications. Without addressing these exposures, the door is open for attackers to access, steal, encrypt and even delete corporate data.”
SpyCloud’s solution stands alone with the ability to support Post-Infection Remediation and prevent cybercriminals from launching a full cyber attack. By acting on the information cybercriminals have obtained from an infostealer malware infection, security teams can now remediate vulnerable access points—significantly shortening the ransomware exposure window.
“The post-infection remediation process is often overlooked when it comes to dealing with malware,” Ross said. “Wiping the infection off a device may cut the connection with the criminal, but it doesn’t address the authentication and access data they’ve already stolen. Post-infection remediation is now a requirement for organizations looking to address the gaps in their frameworks for ransomware prevention.”
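As an added illustration (not SpyCloud's or Compass's code), the two remediation steps the release describes, rotating credentials and invalidating session cookies for every application an infected device touched, modelled in Python: an exposure record drives a per-user, per-application "not valid before" cut-off, and the application's session check rejects anything issued earlier. The Exposure record, application names and timestamps are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Exposure:
    """Constructed record of what an infostealer captured on one device."""
    user: str
    device_id: str
    infected_at: datetime
    apps: list          # workforce apps whose credentials/cookies were captured

@dataclass
class RemediationState:
    # (user, app) -> sessions issued before this instant are rejected
    sessions_invalid_before: dict = field(default_factory=dict)
    # (user, app) pairs blocked until the credential has been rotated
    credential_reset_pending: set = field(default_factory=set)

def plan_remediation(exposure, state, now):
    """Record the cut-off and reset requirement for every exposed app.

    The cut-off is the remediation time, not the infection time: a cookie
    issued at any point up to now may already be in the stolen data, so
    wiping the device alone leaves those sessions usable."""
    actions = []
    for app in exposure.apps:
        key = (exposure.user, app)
        state.credential_reset_pending.add(key)
        prev = state.sessions_invalid_before.get(key)
        state.sessions_invalid_before[key] = max(prev, now) if prev else now
        actions.append(f"{app}: reset credential for {exposure.user}; "
                       f"revoke sessions issued before {now.isoformat()}")
    actions.append(f"reimage device {exposure.device_id} "
                   f"(infected {exposure.infected_at.isoformat()})")
    return actions

def complete_credential_reset(state, user, app):
    """Called once the application confirms the credential was rotated."""
    state.credential_reset_pending.discard((user, app))

def session_is_valid(state, user, app, issued_at):
    """Server-side check a workforce app runs on each authenticated request."""
    key = (user, app)
    if key in state.credential_reset_pending:
        return False                      # nothing is trusted until the reset
    cutoff = state.sessions_invalid_before.get(key)
    return cutoff is None or issued_at >= cutoff
```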
SpyCloud Compass enables organizations to:
- Reduce their risk of ransomware by identifying hard-to-detect malware infections that provide entry points to bad actors
- Identify threats outside the company’s control, such as employees’ and suppliers’ malware-infected personal devices that have been used to access workforce applications
- Shorten incident response times when investigating the potential impact of an infected device
- Reduce long-term malware risks by taking incident response beyond standard device remediation
- Highlight previously unseen compromised assets, including credentials and cookies for third-party applications such as SSO, VPN, CRM, etc.
- Focus on high-priority threats based on definitive indicators of malware-infected devices and exposed applications on the corporate network