Your environment is only as strong as its weakest link. You are going to be attacked, and someone will eventually succeed in getting through your defenses.

Credit: Mike Towber

The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at and repair. — Douglas Adams

We as people in IT and as people in business need to get over the idea that we can stop 100% of those out to do us harm 100% of the time. We can’t. We need to acknowledge that we will do the best we can to protect our organizations, our customers and ourselves, but that there are others who see us as prey that present them with opportunities to reap some ill-gotten gains.

If you accept that some others — maybe not all others, but some others — will attack your company’s systems, then you should plan to do three things: Prevent the attacks as best you can, contain the ones that happen, and then recover and continue operating.

Prevent

You are never going to be able to defend successfully against every possible attack on your company’s people and its infrastructure. Attackers have too much time and too many resources. Your environment is only as strong as its weakest link, and some of the software you run has some pretty weak links. Even if you defend against everything you can, eventually you or one of your company’s employees will make a mistake.

This doesn’t mean you crawl under your bed with a flashlight and a bottle of aspirin. You should educate yourself and your users about what to watch for, and you should deploy as much defensive technology as you can afford. But you need to consider the next step: Contain.
Contain

If you have been attacked successfully, you need to move to contain both the attack and the damage it is causing and could cause. Depending on what got through your defenses, your actions at this stage will vary.

If the attack is limited to a specific user or to a specific system, then your goal is to keep it to that user or system. If you have a laptop that is infected with malware, you should seek to limit the impact on the organization by separating that laptop from your network and by making sure that the source of the infection is not elsewhere in your systems.

If the attack has already moved more pervasively into your environment, then you should seek to keep it from moving to your customers and to your business partners. Planning for these eventualities before they happen is your best defense.

Once you have successfully contained the attack, you are ready for the next step: Recover.

Recover

For a simple attack — say, one that succeeded against a single PC — it may be sufficient to restore from backup and then remind your full user base about safe practices. For more complicated incidents, you may have to rebuild servers and restore applications. Part of the recovery process may involve commercial or legal activities, because you may need to pay service level agreement penalties for being down or purchase identity monitoring if personal data was compromised.

Regardless of what got through your defenses and how, you should take the time to learn from the attack and to remind your users that they play a role in keeping the organization safe. Much like a neighborhood watch, your users can be a last line of defense against or an early warning of trouble.

If you plan for just about anything going wrong, you should at least be able to recover and repair the damage when things do happen.