SpyCloud launched Compass, a solution to help organizations detect and respond to the initial precursors of ransomware attacks.
Compass provides conclusive proof that data stolen through malware infections is in the hands of cybercriminals and provides a comprehensive incident response approach to malware-infected devices, known as post-infection remediation.
Application credentials and cookies stolen from infected employees’ and contractors’ machines are often used by ransomware operators and initial access brokers (IABs) to identify targets and infiltrate corporate networks undetected.
As remote workers and contractors increasingly blur the lines between managed and unmanaged device use, malware infections on employee-owned systems let cybercriminals bypass traditional ransomware protection, including endpoint protection. Every time an employee signs into work from an infected device, bad actors have an easy path to the workforce applications used for single sign-on (SSO) authentication, remote access gateways, virtual private networks, code repositories, accounting applications, and other critical business systems.
In the 2022 SpyCloud Ransomware Defense Report, 87% of organizations surveyed raised concerns about information-stealing malware on unmonitored devices creating entry points for ransomware. Despite this concern, most companies allow employees to access company applications on unmanaged personal devices, and rely on vendors and contractors with BYOD policies or lax controls on managed devices, which expands the attack surface adversaries can take advantage of.
Security Operations Center (SOC) teams can use SpyCloud Compass to determine when devices, applications, and users are compromised by malware, even if the infected device or business application is outside the company’s supervision. Incident responders can visualize the scope of each threat at a glance and quickly see the details needed for remediation. This reduces the legwork of investigating the potential impact of a compromised device, enabling them to move quickly from detection to response.
With post-infection remediation, a comprehensive approach to handling malware infections, security professionals now have a series of steps they can include in traditional incident response playbooks to reduce the chances of ransomware and other cyberattacks: resetting application credentials and revoking session cookies that infostealer malware has hijacked.
“Once malware compromises a piece of data, not only does that data disappear — but many companies fail to recognize the long-term importance of their ransomware risks,” said Ted Ross, CEO of SpyCloud. “Compass is designed to solve this problem. It reduces enterprise vulnerability by arming the security team with knowledge of which infected devices are accessing critical workforce applications. Without addressing these vulnerabilities, the door is open for attackers to access, steal, encrypt, and even wipe corporate data.”
Compass is a stand-alone SpyCloud solution that supports post-infection remediation and helps prevent cybercriminals from launching a full-blown cyberattack. Based on the information cybercriminals have gained from the malware infection, security teams can properly address the compromised entry points, dramatically shortening the period of exposure to ransomware.
“The post-infection remediation process is often overlooked when it comes to malware remediation,” said Ross. “Wiping the infection from the device may break contact with the criminal, but it does not address authentication and access to data they have already stolen. Post-infection remediation is now a requirement for organizations looking to address vulnerabilities in their ransomware prevention framework.”
SpyCloud Compass enables organizations to:
- Reduce ransomware risk by identifying hard-to-detect malware infections that provide bad actors with entry points
- Identify threats outside the company’s control, such as employees’ and vendors’ malware-infected personal devices that were used to access workforce applications
- Shorten incident response times when investigating the potential impact of an infected device
- Reduce long-term malware risks by taking incident response beyond standard device remediation
- Highlight compromised and previously unseen assets, including credentials and cookies for third-party applications such as SSO, VPN, CRM, etc.
- Focus on high-priority threats based on specific indicators of malware-infected devices and exposed applications on corporate networks
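As an added illustration of the post-infection remediation steps described above (this is example code, not SpyCloud's software or Compass's data format), the following turns constructed exposure records into an ordered remediation plan. The record fields, application names and priority table are assumptions made for the example.

```python
"""Post-infection remediation planner (illustrative example, not SpyCloud code)."""

# Constructed sample of what an infostealer-exposure feed might report for
# workforce apps: which identity, which application, and what was stolen.
# Field names and values are assumptions for this example, not a real schema.
EXPOSURES = [
    {"user": "j.doe", "app": "okta-sso", "artifact": "cookie", "managed_device": False},
    {"user": "j.doe", "app": "github", "artifact": "credential", "managed_device": False},
    {"user": "a.vendor", "app": "vpn", "artifact": "credential", "managed_device": False},
    {"user": "m.lee", "app": "crm", "artifact": "cookie", "managed_device": True},
]

# Applications whose compromise fans out to other systems (SSO, VPN) are
# remediated first; unknown apps fall to the lowest priority. Assumed ordering.
APP_PRIORITY = {"okta-sso": 0, "vpn": 1, "github": 2, "crm": 3}


def plan_remediation(exposures):
    """Derive ordered remediation steps from exposure records.

    Wiping the device does not invalidate what was already stolen, so every
    exposed application gets its sessions revoked; a stolen credential also
    gets a forced reset; and exposures from an unmanaged device are flagged,
    because the SOC cannot re-image a device it does not control.
    """
    steps = []
    for e in exposures:
        actions = ["revoke_sessions"]  # kills hijacked cookies for this app
        if e["artifact"] == "credential":
            actions.append("force_credential_reset")
        if not e["managed_device"]:
            actions.append("notify_owner_unmanaged_device")
        steps.append({
            "user": e["user"],
            "app": e["app"],
            "actions": actions,
            "priority": APP_PRIORITY.get(e["app"], 99),
        })
    # Highest-impact applications first, then by user for a stable worklist.
    steps.sort(key=lambda s: (s["priority"], s["user"]))
    return steps


def affected_identities(steps):
    """Return the set of identities that need at least one remediation action."""
    return {s["user"] for s in steps}


if __name__ == "__main__":
    for step in plan_remediation(EXPOSURES):
        print(step["priority"], step["user"], step["app"], ", ".join(step["actions"]))
```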