Malware Analysis Quant: Metrics—Remediate
You know you have an infection, and you know which devices are affected. So what do you do? Fix them, of course! But now it gets fun – you have to decide whether to remediate the devices, fix them (assuming you don’t have a compelling reason to wait), test to make sure they are fixed, and then ensure you eradicated everything. Joy.
Let’s look specifically at what this really takes:
| Metric | Description |
|---|---|
| Time to determine remediation strategy | Do you fix the device? Wipe it? Do something else? |
| Time to gain consensus on remediation strategy | Make sure everyone agrees, especially if the decision is to not remediate for some reason. |
| Time to remediate device | |
| Time to test remediation | Today’s malware is hard to kill, so you need to make sure you’ve really gotten rid of it, unless you’ve wiped the device. |
| Time to isolate “Patient Zero” | Identify the initiator/root cause of the infection to ensure all instances are identified and remediated. |
| Time to determine whether inoculation is necessary | Do you need to change a configuration setting or implement a specific control to address this infection? |
| Time to inoculate, if necessary | Implement the additional controls and/or change the configurations. |
We’re almost done. The next step is to define some metrics to monitor the environment continually for future outbreaks. You didn’t think you were done yet, did you? Good – attackers are never done, so neither are you. And you need to factor in the costs of monitoring for reinfection to accurately capture the cost of fighting malware.