In a new survey, nearly all respondents agreed better visibility into applications exposed by infostealer infections would significantly improve security.
Most organizations understand the threat of malware, but digital transformation and hybrid work models make it easy for cybercriminals to exploit hidden security gaps. This is among the conclusions from SpyCloud’s Malware Readiness & Defense Report. The benchmark survey of nearly 320 mid-market and enterprise IT security professionals from the U.S. and UK examines how organizations are detecting and addressing the threat of malware as a precursor to cyberattacks like account takeover and ransomware.
Security leaders are concerned about attacks that leverage malware-exfiltrated authentication data, with more than half (53%) expressing extreme concern and less than 1% admitting they weren’t concerned at all, according to the report. However, many still lack the necessary tools to investigate the security and organizational impact of these infections and effectively mitigate follow-on attacks – with 98% indicating better visibility into at-risk applications would significantly improve their security posture.
While increased visibility into stolen authentication details for SSO and cloud-based applications ranks high, human behavior continues to plague IT security teams. The most overlooked entry points for malware include:
- 57% of organizations allow employees to sync browser data between personal and corporate devices, enabling threat actors to siphon employee credentials and other user authentication data through infected personal devices while remaining undetected.
- 54% of organizations struggle with shadow IT due to employees’ unsanctioned adoption of applications and systems, creating gaps not only in visibility but also in basic security controls and corporate policies.
- 36% of organizations allow unmanaged personal or shared devices to access business applications and systems, opening the door for devices lacking robust security measures to access sensitive data and resources and reducing the oversight security teams require for proper monitoring and remediation.
Seemingly innocuous actions like these can inadvertently expose organizations to malware and follow-on attacks including ransomware stemming from the stolen access details. According to SpyCloud research, every infection exposes access to an average of 26 business applications.
“While most organizations understand the general and pervasive threat of malware, digital transformation and hybrid work models create a perfect environment for criminals to take advantage of hidden security gaps,” said Trevor Hilligoss, Senior Director of Security Research at Austin, TX-based SpyCloud. “Criminals are exploiting these vulnerabilities by taking advantage of lax cyber behaviors and deploying infostealers designed to swiftly exfiltrate access details beyond passwords. These days, authentication cookies that grant access to valid sessions are one of the most prized assets for perpetrating next-generation account takeover through session hijacking – bypassing passwords, passkeys, and even MFA.”
The malware response struggle
Detecting and acting on exposures quickly is critical to disrupting malicious actors attempting to harm the organization. Yet the survey revealed many are struggling with routine responses to malware infections: 27% don’t routinely review their application logs for signs of compromise, 36% don’t reset passwords for potentially exposed applications, and 39% don’t terminate session cookies at the sign of exposure. Attacker dwell time has been growing according to recent research, providing malicious actors ample time to operationalize data exfiltrated by malware. Limited visibility hinders mean-time-to-discovery (MTTD) and mean-time-to-remediation (MTTR), which exacerbates risks to the business and drains resources.
“Breaking bad habits requires time and resources most organizations can’t afford and have a hard time finding in the first place. To reduce the risk created by unauthorized account access, infected devices and human error, they need a new approach for detecting and remediating malware. For many security teams, responding to infections is a machine-centric process that involves isolating and clearing the malware from the device. However, an identity-centric approach is more thorough as the ultimate goal is to better address the growing attack surface tied to an individual user that puts the business at risk,” Hilligoss explained.
In the first half of 2023, SpyCloud researchers found that 20% of all recaptured malware logs came from devices that had an antivirus program installed at the time the malware executed successfully. Not only did these solutions fail to prevent the infection, they also lack any automated ability to protect against the use of stolen data in the aftermath.
With this struggle for visibility and comprehensive response, there is a clear need for security teams to implement a more robust, identity-centric Post-Infection Remediation approach to disrupt criminals before they are able to use malware-exfiltrated data to further harm the business. Key to this framework is augmenting existing malware infection response with steps to reset exposed credentials and invalidate active sessions compromised by infostealers.
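The routine responses the survey measures (reviewing application logs, resetting passwords for exposed applications, terminating session cookies) and the identity-centric remediation described here can be reduced to one mechanism: when an exposure is tied to a user, revoke every session for that identity across all applications, record a per-user "not valid before" cut-off so that any session cookie issued before remediation is rejected even by an application that was not listed in the infostealer log, and queue a credential reset for each exposed application. The following is an added example (not SpyCloud's code or any product's API); the exposure record, user names, application names and timestamps are constructed, and the `IdentityRemediator` class and its methods are hypothetical helpers written for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class Session:
    """An active application session, e.g. the server-side record behind an auth cookie."""
    session_id: str
    user: str
    app: str
    issued_at: datetime
    revoked: bool = False


class IdentityRemediator:
    """Identity-centric post-infection remediation (hypothetical helper, not a real library).

    Rather than only cleaning the infected device, every session tied to the exposed
    identity is invalidated and a credential reset is queued for each application the
    infostealer log shows as exposed.
    """

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        # Per-user cut-off: sessions issued before this instant are rejected even if
        # they belong to an app that was unknown at remediation time.
        self.not_before: Dict[str, datetime] = {}
        # (user, app) pairs whose password must be reset before the app is trusted again.
        self.reset_queue: List[Tuple[str, str]] = []

    def issue_session(self, session_id: str, user: str, app: str, issued_at: datetime) -> Session:
        session = Session(session_id, user, app, issued_at)
        self.sessions[session_id] = session
        return session

    def remediate_exposure(self, user: str, exposed_apps: Set[str], remediated_at: datetime) -> dict:
        """Revoke all of the user's live sessions, set the cut-off, queue credential resets."""
        revoked = []
        for session in self.sessions.values():
            if session.user == user and not session.revoked:
                session.revoked = True
                revoked.append(session.session_id)
        self.not_before[user] = remediated_at
        for app in sorted(exposed_apps):
            self.reset_queue.append((user, app))
        return {"revoked": sorted(revoked), "resets": sorted(exposed_apps)}

    def validate_session(self, session_id: str) -> bool:
        """Accept a session only if it is unrevoked and issued after the user's cut-off."""
        session = self.sessions.get(session_id)
        if session is None or session.revoked:
            return False
        cutoff = self.not_before.get(session.user)
        if cutoff is not None and session.issued_at < cutoff:
            return False
        return True


# Constructed sample exposure record, shaped like what a review of an infostealer log
# would surface for one identity. Not real data.
EXPOSURE = {
    "user": "alice",
    "exposed_apps": {"sso", "crm", "payroll"},
    "infection_time": datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc),
}


def run_demo() -> dict:
    """Walk one exposure through remediation and return what each check decided."""
    r = IdentityRemediator()
    t_before = datetime(2023, 6, 1, 8, 0, tzinfo=timezone.utc)   # before infection
    t_during = datetime(2023, 6, 1, 10, 0, tzinfo=timezone.utc)  # after infection, before detection
    t_remed = datetime(2023, 6, 2, 12, 0, tzinfo=timezone.utc)   # remediation time
    t_after = datetime(2023, 6, 2, 13, 0, tzinfo=timezone.utc)   # after remediation

    r.issue_session("s1", "alice", "sso", t_before)
    r.issue_session("s2", "alice", "crm", t_during)
    r.issue_session("s3", "bob", "crm", t_during)  # unrelated user, must be untouched

    result = r.remediate_exposure(EXPOSURE["user"], EXPOSURE["exposed_apps"], t_remed)

    # A session minted after remediation (post password reset) is accepted again.
    r.issue_session("s4", "alice", "sso", t_after)
    # A session record that only reaches the store after remediation (e.g. an app not in
    # the log whose session list syncs late) is still rejected by the per-user cut-off.
    r.issue_session("s5", "alice", "wiki", t_during)

    return {
        "revoked": result["revoked"],
        "resets": result["resets"],
        "s3_valid": r.validate_session("s3"),
        "s4_valid": r.validate_session("s4"),
        "s5_valid": r.validate_session("s5"),
        "reset_queue": list(r.reset_queue),
    }


if __name__ == "__main__":
    print(run_demo())
```

The per-user cut-off is the piece that most implementations miss: revoking only the sessions you can see at remediation time leaves any cookie issued earlier by an application outside the log still valid, which is exactly the gap the average of 26 exposed applications per infection points at.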