Handling Destructive Malware

Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. This publication is focused on the threat of enterprise-scale distributed propagation methods for malware and provides recommended guidance and considerations for an organization to address as part of their network architecture, security baseline, continuous monitoring, and Incident Response practices.

While specific indicators and modules related to destructive malware may evolve over time, it is critical that an organization assess their capability to actively prepare for and respond to such an event.

Potential Distribution Vectors

Destructive malware has the capability to target a large scope of systems, and can potentially execute across multiple systems throughout a network. As a result, it is important for an organization to assess their environment for atypical channels for potential malware delivery and/or propagation throughout their systems. Systems to assess include:

  • Enterprise Applications – particularly those which have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include:
    • Patch Management Systems,
    • Asset Management Systems,
    • Remote Assistance software (typically utilized by the corporate Help Desk),
    • Anti-Virus,
    • Systems assigned to system and network administrative personnel,
    • Centralized Backup Servers, and
    • Centralized File Shares.

While not applicable to malware specifically, threat actors could compromise additional resources to impact the availability of critical data and applications. Common examples include:

  • Centralized storage devices
    • Potential Risk – direct access to partitions and data warehouses;
  • Network devices
    • Potential Risk – capability to inject false routes within the routing table, delete specific routes from the routing table, or remove/modify configuration attributes - which could isolate or degrade availability of critical network resources ...