Every organization has external assets that are necessarily exposed—not only to customers and users but also, unfortunately, to malicious actors. Lumu Discover provides insights into the presence of infostealers within your external surface. However, finding and removing those infostealers requires action. In this playbook, we will explore the steps you can take to remove these infections and enhance your cybersecurity posture.

This playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61 R2, the incident response life cycle has four main phases, as described in the following illustration.

Preparation

This section outlines the essential steps to proactively prepare for responding to and addressing infostealer infections as they are detected. These measures ensure that the organization is well-equipped to efficiently identify, evaluate, and remediate infostealer-type malware.

How Lumu Helps:

• Lumu Discover detects adversarial infrastructure linked to Infostealer campaigns, providing detailed visibility into affected devices, malware paths, infection timelines, SaaS cookies, and compromised credentials (both corporate and personal).
• Lumu’s Continuous Compromise Assessment® illuminates any endpoints communicating with malicious infrastructure, ensuring no device in your network is overlooked.

Recommended Actions:

1. Infrastructure Readiness:

• Deploy the Lumu collectors that better suit your organization to ensure comprehensive visibility into your network’s traffic.Bear in mind that the Lumu Defender tier offers asset-level visibility and the widest array of collectors and integrations.
• Integrate Lumu’s Continuous Compromise Assessment® into your cybersecurity stack to identify phishing and/or malware delivery campaigns targeting employees using Lumu’s wide array of Out-of-the-box and custom integrations.
• Implement and integrate endpoint detection and response (EDR) solutions with Lumu for seamless visibility and faster threat detection.

2. Credential Security:

• Implement Multi-Factor Authentication (MFA) across all corporate applications and systems. Additional layers of security bound to inherent aspects and/or possessions of users will make it harder for adversaries to gain access to company accounts.
• Ensure all passwords follow strong policy guidelines (e.g., length, complexity). A longer password with more characters exponentially increases the number of possible combinations, making it significantly more challenging for attackers to guess, even if the individual characters used are simpler. If you add special characters and capitalization on top, you will create exceptionally safe passwords.

3. Employee Awareness Campaigns:

• Cybersecurity unawareness is a fatal weakness for any organization, and the only way to address it is through training. Train all your employees and collaborators to easily recognize phishing emails and to avoid suspicious links and downloads.
  
  • Throughout the training program, highlight Infostealer tactics as a possible avenue for the adversary, for example, malicious software that mimics legitimate applications as well as techniques used to exfiltrate browser credentials..

4. Data Backup and Segmentation:

• Create periodic backups of your critical assets. This will allow you to easily eliminate stubborn threats, and to recover from any potential catastrophic scenarios with ease.
  
  • Always remember to keep your backups segmented. This will allow you to restore affected assets securely without worrying about bringing the infection back as well. Also, remember to maintain important assets isolated from operational networks.
• Recovery may include foregoing all locally stored data,, which is why you must train all your workforce to store sensitive data on approved, monitored, online shared drives rather than local device storage.

Detection & Analysis

During this stage, you must make good use of the groundwork laid during the preparation stage, and focus on identifying, validating, and understanding Infostealer infections and their potential impact.

How Lumu Helps:

• Lumu enables you to quickly identify compromised endpoints and delivers detailed infection intelligence, including malware paths, infection dates, and last update timestamps. This comprehensive insight provides a clearer understanding of your organization’s malware situation.
• The Lumu Portal’s Compromise Radar allows you to see malicious activity patterns, highlighting the devices that present the most risk to the network, and the severity of the detected cases of compromise.
• Lumu Discover provides a comprehensive breakdown of all of your organization's stolen SaaS cookies and credentials, revealing both the corporate and personal accounts of collaborators that present a risk to your network’s cybersecurity.

Recommended Actions:

1. Identify Compromised Assets:

• Use Lumu’s IoC reports to pinpoint infected devices, analyze the malware’s path across your network, and determine the infection timeline.
• Validate all of your organization’s endpoints, including personal or external devices used with corporate credentials. This way, any gaps in visibility will be addressed.

2. Investigate Adversarial Tactics:

• Examine browser logs, suspicious application behaviors, and unusual SaaS activity for signs of credential theft or exfiltration attempts.
• Investigate potential communication attempts with adversarial servers for data exfiltration patterns or recurring contacts with potentially malicious infrastructure.

3. Assess Impact:

• Cross-reference compromised credentials, cookies, and stolen data with corporate asset inventories to understand the scope of the breach.
• Assess potential misuse of personal credentials that overlap with corporate accounts to prevent lateral movement.

4. Validate Configuration and Educate:

• Ensure your deployed Lumu collectors are properly configured to capture all the network traffic from all the endpoints in your network.
• Educate employees on the risks of using personal devices or unsecured networks for corporate activities.

Containment, Eradication & Recovery

During this stage, you must focus on mitigating risks from any identified infostealer infections, stopping the spread of the threat, eliminating it, and restoring any affected operations securely.

How Lumu Helps:

• Lumu provides actionable intelligence, including malicious domains, IPs, URLs, and detailed device-level insights, to guide containment and eradication.
• Lumu’s Continuous Compromise Assessment® permanently monitors for signs of lingering infections to prevent recurrence.

Recommended Actions:

1. Containment:

• Immediately disconnect any infected devices from the network to prevent further communication with adversarial infrastructure, and any lateral movement of the infection within the network.
• Block malicious domains, IPs, and URLs using firewall rules, DNS filtering, or email security gateways. Also, remember that by using Lumu’s Out-of-the-box integrations, you can share threat intelligence between Lumu and your cybersecurity stack, allowing you to respond and prevent contact faster than humanly possible.

2. Eradication:

• Use endpoint security tools to identify and remove Infostealer malware from infected systems, following the malware path identified by Lumu.
• Reset the credentials for all impacted accounts, prioritizing those with corporate clearance level, to effectively prevent unauthorized access, especially to your most sensitive data.
• Delete or reset compromised SaaS cookies to prevent the attacker from accessing your organization’s assets using that pathway.

3. Recovery:

• Restore infected systems using secure, clean backups. If your network and backups are properly segmented, as recommended by this playbook, this process should be way easier and efficient.
• Conduct a full network and system scan to ensure no residual malware or malicious configurations remain.
• Reintegrate devices into the network only after thorough validation and monitoring.

Post-Incident Activity

Make the best out of what was learned while handling a potential crisis. Focus on improving vulnerability management practices and preventing future incidents.

How Lumu Helps:

• Lumu’s Continuous Compromise Assessment® uninterruptedly monitors for any lingering adversarial communication to confirm that the infection has been totally eradicated.
• Lumu Discover offers insights into compromised credentials and device behaviors to refine security measures and user education.

Recommended Actions:

1. Root Cause Analysis:

• Investigate how the Infostealer malware infiltrated the network, whether through phishing, malicious downloads, or misconfigured endpoints. This way, you can strengthen the gaps used by the adversary and prevent future incidents.
• Identify vulnerabilities or user behaviors (e.g., poor password hygiene, lack of MFA) that contributed to the compromise. You can use the derived information to create targeted and specialized training in the future.

2. Policy and Process Refinement:

• Strengthen access controls and update security policies to minimize exposure to similar threats.
• Mandate MFA for all of your organization’s accounts and ensure passwords are updated across the whole post-incident.
• Conduct targeted education campaigns, focusing on users whose accounts or behaviors were compromised. You can also focus your training in specific areas using the intelligence gathered while handling the incident.

3. Enhance Visibility and Detection:

• Expand Lumu’s coverage by integrating its capabilities with other security tools (e.g., EDR) using Lumu’s integrations. If you haven’t integrated Lumu with the rest of your stack up to this point, the second-best time is right now.
• Perform periodic compromise assessments using Lumu to detect and remediate vulnerabilities before exploitation.

4. Documentation and Communication:

• Document the incident’s timeline, impact, and resolution for internal and external stakeholders. You can use them to create incident scenarios to test the resilience of the network, and the effectiveness of your collaborator’s training.
• Share lessons learned and recommended improvements with the broader security team and leadership. You can use the gathered data to propose infrastructure improvements, new acquisitions, or better uses of company resources to strengthen your organization’s cybersecurity posture.