Threat Containment During Incident Response
When malware finds its way into the enterprise, incident responders need to react quickly to locate and contain the threat before they can eradicate it from the environment. Armed solely with investigative Endpoint Detection and Response (EDR) and forensics tools, incident response (IR) teams often resort to taking affected systems, or even whole network segments, offline, which is highly disruptive to business users. They also find themselves having to take manual action to terminate the offending processes and eradicate the threat. This is a time-consuming, error-prone effort that requires deep expertise and can quickly drain the individuals involved, in an exercise that often feels like a game of Whac-A-Mole. Minerva offers a more automated and precise way to contain incidents.
While Minerva Labs is often deployed as a proactive measure to strengthen endpoint security across the enterprise, it is also a powerful tool in the hands of an incident response team reacting to an intrusion. In this scenario, Minerva not only disables malware that bypassed security controls, but also keeps it contained to give responders time to investigate and eradicate the threat. This includes the ability to automatically disarm malware, containing the threat without having to take the system offline. Minerva also offers the ability to generate vaccines for the malware in case of an outbreak, so that such samples refuse to run on the endpoint because they “believe” the system is already infected.
Key benefits to incident response teams:
Quickly neutralize active threats without manually interacting with malware and without having to take the endpoint off the network.
Immunize endpoints to buy you time while containing and eradicating the threat without disruption to business operations.
Contain attacks without being intrusive on the endpoint, colliding with existing tools, or impacting end-user performance.
Deploy safeguards across enterprise endpoints within minutes without the need to reboot systems.
The effectiveness of fileless attacks on the endpoint is keeping many security professionals busy. Since such malware doesn’t write itself to disk, it is highly successful at evading many types of detection, because the disk is where many security technologies usually look for malware. Even modern endpoint solutions find it hard to spot malware hiding inside what appear to be legitimate processes. From using PowerShell and other administrative tools, to abusing capabilities of web browsers and document files, fileless attacks put endpoints at risk.
Minerva Labs’ Memory Injection Prevention capabilities block fileless and other memory-resident malware from compromising endpoints. Rather than trying to detect fileless threats, Minerva tricks them regarding their ability to access needed resources, such as PowerShell or the targeted process. This stops the attack before any damage is done.
Minerva’s underlying approach is to deceive malware about its environment in order to block an attack. Fileless malware does not write anything to disk; instead it tries to hide in memory. By analyzing the series of actions that a piece of code performs, Minerva can intercept the malicious code and respond with an ‘out of memory space’ or ‘access denied to PowerShell’ error, and in doing so block the attack before it starts. This, as you know, is in contrast to how other vendors approach fileless malware, which is detection-based, relying on behavioral patterns to detect fileless activity. This drains resources and results in false positives. Minerva’s passive solution causes malware to break if it attempts to exhibit fileless properties, including attempts to interact with legitimate programs in malicious ways and attempts to inject code into trusted applications. Minerva ensures that the only code that runs in memory is code that originated from disk, making fileless attacks ineffective.
Key benefits include:
The addition of Minerva Labs to the endpoint security architecture allows enterprises to:
Prevent fileless malware without relying on behavioral patterns that result in false positives and drain resources.
Take a different and effective approach that ensures that the only code that runs in memory is code that originated from disk, making fileless attacks ineffective.
Use a passive solution that doesn’t impact system performance and works on old and new systems alike.
Prevent fileless attacks even when they try to hide in legitimate and trusted applications.
This webcast explains a unique approach to preventing evasive malware from infecting endpoints.
Discover the reasons why evasion techniques work, even with a layered defense approach, and how to evolve your endpoint protection strategy to cover the gap.
See how Minerva Labs’ Anti-Evasion Platform performed in the SANS Institute test.