Malware Analysis Quant: Metrics—Remediate

You know you have an infection, and you know which devices are affected. So what do you do? Fix them, of course! But now it gets fun – you have to decide whether to remediate the devices, fix them (assuming you don’t have a compelling reason to wait), test to make sure they are fixed, and then ensure you eradicated everything. Joy.

Let’s look specifically at what this really takes:

| Variable | Notes |
|---|---|
| Time to determine remediation strategy | Do you fix the device? Wipe it? Do something else? |
| Time to gain consensus on remediation strategy | Make sure everyone agrees, especially if the decision is to not remediate for some reason. |
| Time to remediate device | |
| Time to test remediation | Today’s malware is hard to kill, so you need to make sure you’ve really gotten rid of it, unless you’ve wiped the device. |
| Time to isolate “Patient Zero” | Identify the initiator/root cause of the infection to ensure all instances are identified and remediated. |
| Time to determine whether inoculation is necessary | Do you need to change a configuration setting or implement a specific control to address this infection? |
| Time to inoculate, if necessary | Implement the additional controls and/or change the configurations. |
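To show how the variables above turn into a cost figure, here is an added example (not part of the original post or the Quant model's own tooling) that records the time spent on each Remediate variable per infected device and rolls it up into outbreak hours and cost. The device names, hours and hourly rate are constructed sample values; the "inoculate" variable is optional, since the post only charges it when inoculation was judged necessary.

```python
from dataclasses import dataclass, fields
from typing import Optional


@dataclass
class RemediateMetrics:
    """Hours spent on each Remediate variable for one infected device."""
    device_id: str
    determine_strategy: float          # fix, wipe, or something else?
    gain_consensus: float              # everyone agrees, including "don't remediate"
    remediate_device: float
    test_remediation: float            # confirm it is really gone (0 if wiped)
    isolate_patient_zero: float = 0.0  # root-cause work, usually charged to one device
    determine_inoculation: float = 0.0
    inoculate: Optional[float] = None  # None = inoculation judged unnecessary

    def total_hours(self) -> float:
        hours = (self.determine_strategy + self.gain_consensus
                 + self.remediate_device + self.test_remediation
                 + self.isolate_patient_zero + self.determine_inoculation)
        if self.inoculate is not None:
            hours += self.inoculate
        return hours


def hours_by_variable(records):
    """Sum each time variable across devices, to see where remediation effort goes."""
    totals = {}
    for f in fields(RemediateMetrics):
        if f.name == "device_id":
            continue
        totals[f.name] = sum(getattr(r, f.name) or 0.0 for r in records)
    return totals


def outbreak_cost(records, hourly_rate):
    """Total Remediate cost for one outbreak at a loaded hourly rate."""
    return sum(r.total_hours() for r in records) * hourly_rate


# Constructed sample outbreak: ws-01 is patient zero and got the root-cause
# and inoculation work; ws-02 and ws-03 were cleaned and retested.
SAMPLE_OUTBREAK = [
    RemediateMetrics("ws-01", 0.5, 1.0, 2.0, 0.25,
                     isolate_patient_zero=3.0, determine_inoculation=1.0,
                     inoculate=2.0),
    RemediateMetrics("ws-02", 0.25, 0.0, 1.5, 1.0),
    RemediateMetrics("ws-03", 0.25, 0.0, 1.5, 1.0),
]

if __name__ == "__main__":
    for var, hrs in hours_by_variable(SAMPLE_OUTBREAK).items():
        print(f"{var:24s} {hrs:6.2f} h")
    print("outbreak cost:", outbreak_cost(SAMPLE_OUTBREAK, hourly_rate=80.0))
```

Run over real incident tickets, the per-variable breakdown is the useful part: it shows whether time is going into the actual fix or into consensus and testing, which is what the Quant metrics are meant to expose.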

We’re almost done. The next step is to define some metrics to monitor the environment continually for future outbreaks. You didn’t think you were done yet, did you? Good – attackers are never done, so neither are you. And you need to factor in the costs of monitoring for reinfection to accurately capture the cost of fighting malware.

—Mike Rothman

