October 7, 2024 | Infostealers series
Preventing infostealer infections can be broken down into two key steps. While the first step is usually relatively straightforward, the second is often much more challenging.
As long as access from unmanaged devices is not fully eliminated, the organization remains vulnerable to infostealer infections. However, there are several measures you can take to significantly reduce this risk.
An effective measure to reduce the risks of infostealers is implementing Virtual Desktop Infrastructure (VDI), such as Citrix or VMware. VDI allows employees and external parties to work through a virtual environment. This means there is no direct access to internal systems from the local device; instead, access occurs via the VDI. The biggest advantage of this is that sessions cannot be transferred to the local device, greatly reducing the risk of session hijacking.
However, the degree of protection VDI offers against infostealers heavily depends on how the VDI is configured. Factors such as data storage on local devices and session management settings are crucial for the effectiveness of this solution.
Additionally, using Secure Browsers, such as Amazon Workspaces Secure Browser, provides an extra layer of protection against infostealers. As with VDI, the level of protection depends on how the secure browser is configured. The browser minimizes the risk by keeping infections contained within a controlled environment, without direct access to local or corporate systems.
Another strategy to limit the impact of infostealers focuses on reducing the validity period of session tokens. Session tokens are traded on infostealer marketplaces because they allow attackers to access systems without needing passwords. The shorter the session duration, the less likely attackers can successfully use stolen tokens.
For session tokens of applications installed on devices, additional measures can be taken to limit the validity of tokens based on geographic location and time. Microsoft offers several robust security options, such as implementing token protection and restricting token reuse to specific network environments. These measures help reduce the risk of attackers exploiting these tokens outside of authorized environments. Interested in learning more? Check out this Microsoft article. It's important to note, however, that these measures do not apply to session replay attacks involving browser-based sessions.
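As an added example (not code from this article, Microsoft or Passguard), the two controls described above expressed as a server-side check: a short absolute and idle lifetime, plus binding each token to the network range it was issued from so a replayed token from elsewhere is rejected. The lifetimes, IP ranges and user names are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed demo values: a per-process signing key, an 8-hour absolute
# lifetime, a 15-minute idle window and two "trusted" corporate ranges.
SECRET = secrets.token_bytes(32)
MAX_LIFETIME = 8 * 3600
IDLE_TIMEOUT = 15 * 60
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]

def issue_token(user, issued_at, client_ip):
    """Return (token, session_state) or None if the client is off-network."""
    addr = ipaddress.ip_address(client_ip)
    net = next((n for n in TRUSTED_NETS if addr in n), None)
    if net is None:
        return None  # refuse to mint a token for an untrusted network
    payload = f"{user}|{issued_at}|{net}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # last_seen drives the idle timeout; it is updated on every valid use.
    return f"{payload}|{mac}", {"last_seen": issued_at}

def validate(token, state, now, client_ip):
    """Classify a presented token; only 'ok' grants access."""
    try:
        user, issued_str, net_str, mac = token.rsplit("|", 3)
    except ValueError:
        return "malformed"
    payload = f"{user}|{issued_str}|{net_str}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad_signature"      # tampered user, time or network field
    if now - int(issued_str) > MAX_LIFETIME:
        return "expired_absolute"   # hard cap: stolen token is useless after this
    if now - state["last_seen"] > IDLE_TIMEOUT:
        return "expired_idle"       # unused token dies sooner than the hard cap
    if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(net_str):
        return "wrong_network"      # replay from outside the issuing network
    state["last_seen"] = now
    return "ok"
```

Shortening MAX_LIFETIME and IDLE_TIMEOUT narrows the window in which a token sold on a marketplace is still usable, and the network check blocks replay from an attacker's machine even inside that window.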
Even with all these security measures, some infostealers may still go undetected and gain access to internal systems. Therefore, it is crucial to continuously monitor whether infected devices are being sold on infostealer marketplaces, as offered by Passguard. Monitoring infostealer marketplaces helps detect stolen data being sold. This allows organizations to identify infected devices early and determine which access or data has been compromised. It provides a valuable opportunity to respond quickly before greater damage occurs.
Consider incorporating the human element of infostealer risks into your awareness campaigns. Many employees are unaware of the risks associated with using personal devices for business purposes. An effective awareness campaign can help educate employees about these dangers. It's important to inform them of the risks of illegal software downloads and using personal devices to log into corporate systems.
As long as access from unmanaged devices isn’t fully excluded, your organization remains vulnerable to infostealer infections. Fortunately, there are various measures to reduce the risk, such as VDI, secure browsers, shortening session duration, and token protection. Additionally, infostealer monitoring provides a way to continuously assess whether your security measures are effective.
Infostealer monitoring is valuable because it gives insight into the effectiveness of your security. If few new infections occur after implementing measures, or no suspicious activity is detected from new devices, that’s a good sign your security strategy is working. However, if you encounter serious infections, that’s a clear signal to consider additional measures and further improve your security. It’s up to you to find the right balance between reducing risks and maintaining functionality within your organization.