October 7, 2024


Infostealers series

How Do I Prevent Infostealer Infections?

Preventing infostealer infections can be broken down into two key steps. While the first step is usually relatively straightforward, the second is often much more challenging.

1. Well-secured managed devices
   Managed devices within organizations are typically equipped with professional security solutions like EDR/XDR (Endpoint/Extended Detection and Response). These systems are designed to quickly detect and neutralize both known and new infostealers. However, it is important to ensure that existing security measures are up to date and functioning optimally. If there is room for improvement, strengthen your security layers to stay ahead of new threats.
2. No access from unmanaged devices to internal environments
   This is often a more complex and difficult issue to manage. Employees' personal laptops and external vendors' computers often access internal systems but lack the same strict security as managed devices. This makes these devices a weak spot that is hard to control. Unmanaged devices are more vulnerable to infostealer infections, increasing the risk of data breaches.

As long as access from unmanaged devices is not fully eliminated, the organization remains vulnerable to infostealer infections. However, there are several measures you can take to significantly reduce this risk.

Restrict access from devices (VDI or Secure Browser)

An effective measure to reduce the risks of infostealers is implementing Virtual Desktop Infrastructure (VDI), such as Citrix or VMware. VDI allows employees and external parties to work in a virtual environment hosted by the organization. The local device never connects to internal systems directly; all access goes through the VDI session. The biggest advantage is that session cookies and tokens live inside the virtual session rather than in the browser on the local device, so an infostealer running on that device has no session to steal, which greatly reduces the risk of session hijacking.

However, the degree of protection VDI offers against infostealers depends heavily on how the VDI is configured. Factors such as whether data can be stored on the local device and how sessions are managed are crucial to the effectiveness of this solution.

Additionally, using Secure Browsers, such as Amazon WorkSpaces Secure Browser, provides an extra layer of protection against infostealers. As with VDI, the level of protection depends on how the secure browser is configured. The browser minimizes the risk by keeping any infection contained within a controlled environment that has no direct access to local or corporate systems.

Shorten session validity

Another strategy to limit the impact of infostealers focuses on reducing the validity period of session tokens. Session tokens are traded on infostealer marketplaces because they allow attackers to access systems without needing passwords. The shorter the session lifetime, the smaller the window in which a stolen token can still be replayed.

For session tokens of applications installed on devices, additional measures can be taken to limit the validity of tokens based on geographic location and time. Microsoft offers several robust security options, such as token protection and restricting token reuse to specific network environments. These measures help reduce the risk of attackers using these tokens outside authorized environments. Interested in learning more? Check out this Microsoft article. It is important to note, however, that these measures do not apply to session replay attacks involving browser-based sessions.
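To make the two ideas in this section concrete (a short validity window, plus binding a token to the network and device it was issued to), here is an added example of a server-side session store that enforces both. It is illustration written for this article, not Passguard's or Microsoft's code; the lifetime values, trusted network ranges, user and device names are all constructed. The scenario function replays one stolen token under the conditions an attacker would face and returns the reason each attempt is accepted or refused.

```python
"""Server-side session policy: short lifetimes plus network and device binding."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
import hashlib
import secrets

# Policy values are constructed for this example; derive yours from your own risk appetite.
ABSOLUTE_LIFETIME = timedelta(hours=8)      # hard cap from issuance, regardless of activity
IDLE_TIMEOUT = timedelta(minutes=30)        # rolling cap between two requests
# Networks from which a session may be used (constructed ranges; the second is RFC 5737 test space).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


@dataclass
class Session:
    user: str
    device_id: str          # identifier the client proved at login, e.g. a device certificate thumbprint
    issued_at: datetime
    last_seen: datetime


class SessionStore:
    """Sessions are kept server-side, keyed by a hash of the token, so a dump of the
    store does not yield tokens that can be replayed."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device_id: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, device_id, now, now)
        return token

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def remaining_validity(self, token: str, now: datetime) -> timedelta:
        """How long a token stolen right now could still be replayed if no other
        check stopped it: the smaller of the absolute and idle windows."""
        s = self._sessions[self._key(token)]
        return min(s.issued_at + ABSOLUTE_LIFETIME - now, s.last_seen + IDLE_TIMEOUT - now)

    def validate(self, token: str, now: datetime, client_ip: str, device_id: str) -> tuple[bool, str]:
        session = self._sessions.get(self._key(token))
        if session is None:
            return False, "unknown_token"
        # Time-based checks first; an expired token is removed so it cannot be retried.
        if now - session.issued_at > ABSOLUTE_LIFETIME:
            self.revoke(token)
            return False, "absolute_lifetime_exceeded"
        if now - session.last_seen > IDLE_TIMEOUT:
            self.revoke(token)
            return False, "idle_timeout"
        # Binding checks: the token is only honoured from the environment it was issued to.
        if not any(ip_address(client_ip) in net for net in TRUSTED_NETWORKS):
            return False, "untrusted_network"
        if device_id != session.device_id:
            return False, "device_mismatch"
        session.last_seen = now          # legitimate use slides the idle window
        return True, "ok"


def replay_scenarios() -> dict[str, str]:
    """Walk one stolen token through the checks; returns the outcome of each attempt."""
    t0 = datetime(2024, 10, 7, 9, 0, tzinfo=timezone.utc)
    store = SessionStore()
    token = store.issue("alice", "device-A", t0)       # constructed user and device
    results: dict[str, str] = {}
    # The legitimate user, on the bound device, from the office network.
    results["legitimate"] = store.validate(token, t0 + timedelta(minutes=5), "10.1.2.3", "device-A")[1]
    # Same token, replayed a minute later from outside the trusted networks.
    results["replay_foreign_network"] = store.validate(token, t0 + timedelta(minutes=6), "198.51.100.7", "device-A")[1]
    # Replayed from inside the network, but from a device that did not log in.
    results["replay_other_device"] = store.validate(token, t0 + timedelta(minutes=7), "10.1.2.3", "device-B")[1]
    # Replayed after the idle window since the last legitimate request has passed.
    results["replay_after_idle"] = store.validate(token, t0 + timedelta(minutes=36), "10.1.2.3", "device-A")[1]
    # A second session, replayed after the absolute lifetime even from the right place.
    token2 = store.issue("alice", "device-A", t0)
    results["replay_after_lifetime"] = store.validate(token2, t0 + timedelta(hours=9), "10.1.2.3", "device-A")[1]
    return results


def replay_window_minutes(idle_minutes: int) -> float:
    """Replay window left for a token stolen right after a legitimate request,
    for a given idle timeout; shows how shortening the window limits the damage."""
    global IDLE_TIMEOUT
    saved, IDLE_TIMEOUT = IDLE_TIMEOUT, timedelta(minutes=idle_minutes)
    try:
        t0 = datetime(2024, 10, 7, 9, 0, tzinfo=timezone.utc)
        store = SessionStore()
        token = store.issue("alice", "device-A", t0)
        return store.remaining_validity(token, t0).total_seconds() / 60
    finally:
        IDLE_TIMEOUT = saved


if __name__ == "__main__":
    for attempt, outcome in replay_scenarios().items():
        print(f"{attempt:24s} -> {outcome}")
```

The binding checks are what the article calls restricting token reuse to specific network environments; the two timers are the "shorten session validity" part. Note that these checks only work because the session state is held on the server: a self-contained bearer token that carries its own expiry cannot be shortened or revoked after it has been stolen, which is why browser-based sessions that rely on such cookies remain exposed.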

Infostealer monitoring

Even with all these security measures in place, some infostealers may still go undetected and gain access to internal systems. It is therefore crucial to continuously monitor whether infected devices are being sold on infostealer marketplaces, as offered by Passguard. Monitoring these marketplaces reveals stolen data as it is put up for sale, which allows organizations to identify infected devices early and determine which access or data has been compromised. That gives a valuable window to respond before greater damage occurs.
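The two questions the monitoring has to answer are "which devices are infected?" and "which of our access is affected?". The following added example shows the triage step that turns a batch of stolen-credential records into those two answers. It is illustration written for this article, not Passguard's monitoring code; the record layout (device name, time the log was captured, URL the credential was entered on, username) and all values are constructed, and `example.com` stands in for the organization's own domains.

```python
"""Triage of stolen-credential records: infected devices and compromised corporate access."""
from collections import defaultdict
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of normalized records, one per stolen credential, as they might
# be extracted from a marketplace listing. Hostnames and users are placeholders.
SAMPLE_RECORDS = [
    {"device": "DESKTOP-7F3A", "seen": "2024-10-05T21:14:00Z",
     "url": "https://portal.example.com/login", "user": "alice@example.com"},
    {"device": "DESKTOP-7F3A", "seen": "2024-10-05T21:14:00Z",
     "url": "https://vpn.example.com", "user": "alice"},
    {"device": "DESKTOP-7F3A", "seen": "2024-10-05T21:14:00Z",
     "url": "https://www.shop-site.test/account", "user": "alice@gmail.test"},
    {"device": "LAPTOP-B2C9", "seen": "2024-09-12T08:03:00Z",
     "url": "https://mail.example.com", "user": "bob@example.com"},
    {"device": "LAPTOP-B2C9", "seen": "2024-09-12T08:03:00Z",
     "url": "https://vendor-portal.partner.test/sso", "user": "bob@example.com"},
    {"device": "PC-0042", "seen": "2024-10-06T03:40:00Z",
     "url": "https://www.social.test/login", "user": "carol@outlook.test"},
]

# What to do per kind of exposure; the wording is the analyst's runbook, not policy.
ACTIONS = {
    "corporate_host": "reset password, revoke active sessions, review sign-in logs",
    "corporate_identity_on_third_party": "reset if password is reused, check SSO app consent",
}


def corporate_exposure(record: dict, corporate_domains: set[str]) -> Optional[str]:
    """Classify why a record matters to us, or return None if it does not.

    A record matters if the credential was entered on one of our hosts, or if a
    corporate identity was used on a third-party site (a work account reused elsewhere)."""
    host = (urlparse(record["url"]).hostname or "").lower()
    user = record["user"].lower()
    user_domain = user.rpartition("@")[2] if "@" in user else ""
    for d in corporate_domains:
        if host == d or host.endswith("." + d):
            return "corporate_host"
    for d in corporate_domains:
        if user_domain == d:
            return "corporate_identity_on_third_party"
    return None


def _parse_seen(value: str) -> datetime:
    # Records carry UTC timestamps with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(records: list[dict], corporate_domains: set[str]) -> dict:
    """Return infected devices (most recent capture first) and the accounts to act on."""
    devices: dict[str, dict] = defaultdict(lambda: {"seen": None, "hits": 0})
    accounts = set()
    for r in records:
        why = corporate_exposure(r, corporate_domains)
        if why is None:
            continue                      # someone else's problem, not our access
        dev = devices[r["device"]]
        seen = _parse_seen(r["seen"])
        if dev["seen"] is None or seen > dev["seen"]:
            dev["seen"] = seen
        dev["hits"] += 1
        accounts.add((r["user"], urlparse(r["url"]).hostname, why))
    ordered = sorted(devices.items(), key=lambda kv: kv[1]["seen"], reverse=True)
    return {
        "infected_devices": [{"device": d, "seen": v["seen"].isoformat(), "hits": v["hits"]}
                             for d, v in ordered],
        "accounts_to_reset": sorted(accounts),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RECORDS, {"example.com"})
    for d in report["infected_devices"]:
        print(f"device {d['device']} captured {d['seen']} ({d['hits']} corporate credentials)")
    for user, host, why in report["accounts_to_reset"]:
        print(f"  {user} @ {host}: {why} -> {ACTIONS[why]}")
```

Two details matter in practice. The capture time tells you how long the device has been exposed, so the device with the newest record is triaged first even if it has fewer hits. And a corporate e-mail address used on a vendor or partner site is still an exposure, because the same password is often reused and the federated login may grant access to internal data; that is why the third-party case is classified separately rather than dropped.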

Awareness

Consider incorporating the human element of infostealer risks into your awareness campaigns. Many employees are unaware of the risks associated with using personal devices for business purposes. An effective awareness campaign can help educate employees about these dangers. It's important to inform them of the risks of illegal software downloads and using personal devices to log into corporate systems.

Conclusion

As long as access from unmanaged devices isn’t fully excluded, your organization remains vulnerable to infostealer infections. Fortunately, there are various measures to reduce the risk, such as VDI, secure browsers, shortening session duration, and token protection. Additionally, infostealer monitoring provides a way to continuously assess whether your security measures are effective.

Infostealer monitoring is valuable because it gives insight into the effectiveness of your security. If few new infections occur after implementing measures, or no suspicious activity is detected from new devices, that is a good sign your security strategy is working. However, if you encounter serious infections, that is a clear signal to consider additional measures and further improve your security. It is up to you to find the right balance between reducing risks and maintaining functionality within your organization.