Infostealer at your organization? Here's how to respond

If you have indications that an infostealer is active within your organization, this is a serious concern. Infostealers allow attackers to steal login credentials, passwords, and sensitive data from your organization, which can lead to data breaches and hacks.

It is crucial to respond quickly and effectively to prevent further damage. This article provides a step-by-step approach to minimize the impact of the infection and mitigate risks for your organization.

Step 1: Revoke access immediately

When you suspect an infostealer infection, it is vital to act immediately. The infected device may still provide attackers with access to internal systems and data.

What you should do:

• Revoke access rights: Temporarily block the affected user's access to all internal systems and networks.

• Terminate active sessions: Force a logout for all active sessions and invalidate any session tokens. Infostealers may have stolen session tokens and could use them to gain access without needing a password.

  
  

Tip: Make an inventory of all the applications a user has access to. In addition to core login systems, include VPN, HR applications, and financial systems.

Why this step is important:
Blocking access promptly prevents attackers from continuing their operations within your network and systems.

 Step 2: Investigate potential misuse

Once access has been limited, it's time to investigate whether the infostealer has been used to cause harm. This investigation helps assess the scope of the infection and determine the next steps.

Analyze the following signs:

• Unknown logins: check for login attempts from unfamiliar devices or ip addresses.

• Activities at unusual times: look for logins at odd hours, such as the middle of the night or from unexpected geographic locations.

• Access to sensitive data: monitor for unusual activities, such as the opening of files or databases that would not typically be accessed by the user.

• Unusual file transfers: look for large downloads or the copying of sensitive documents.

  
  

Actions for suspicious activity:

• Initiate a forensic investigation to fully understand the extent of the attack. This can help prevent further damage.

Why this step is important:
By gaining quick insight into what may have occurred, you can take focused actions to prevent additional harm.

Step 3: Assist the user in removing the malware

The infected device must be thoroughly cleaned before it can be safely used again. The affected user will need assistance in this process.

What you should do:

• For managed devices: take the device under management and have your it team clean it. Ensure the device is scanned for malware and thoroughly cleaned.

• For unmanaged devices: work with the user or their provider to clean the device. See below for further instructions.

Supporting your colleague:
Responding to an infostealer infection can be a complex and stressful process for many users. Make sure to provide clear instructions and guide the user through the device cleaning process.

For user guidance, you can refer to this helpful guide [internal hyperlink].

Desired outcomes:

• The malware is completely removed from the device.

• The user understands what an infostealer infection means and the potential consequences.

• The user implements additional security measures, such as setting new passwords and securing the device.

• 
  

Only proceed to step 4 once you are confident that the device has been thoroughly cleaned.

Why this step is important:
Removing the malware prevents further damage and minimizes the risk of the device becoming a point of entry for attackers again.

Step 4: Reset passwords

Infostealers are specifically designed to steal passwords and login credentials. All passwords used on the infected device should be considered compromised.

Actions:

• Reset passwords for all systems accessed: start with the most critical systems, such as email, financial applications, and internal portals.

• Assist the user in implementing a password manager: help the user set up a password manager to easily manage secure passwords.

• Enable multi-factor authentication (MFA) where possible: add an extra layer of security by enabling MFA.

Why this step is important:
By resetting passwords and enabling MFA, you prevent attackers from maintaining access to critical accounts, even if they have stolen the login credentials.

Step 5: Evaluate and mitigate future risks

Once the immediate threat has been addressed, it is important to evaluate the infection and implement structural improvements to reduce future risks.

Evaluation points:

• What is the actual impact of the infostealer infection? What are the consequences for the confidentiality, integrity, and availability of data within the organization?

• What potential impact did the infection have? What could the attacker have done with the access they gained?

• How likely is it that infostealers will pose a risk in the future? Are there preventive measures that can be taken to avoid a recurrence?

Possible improvements:

• Limit access from unmanaged devices: consider restricting access to internal environments to managed devices only. This ensures that infostealer infections on personal devices no longer pose a risk.

• Ensure external partners use managed devices: require external partners to access your network only via managed devices.

• Shorten session durations: reduce the lifespan of session tokens to limit the impact of potential future attacks.

• Awareness campaigns: launch a campaign to raise awareness among employees about the risks of infostealers and how to protect themselves. This should cover topics such as the risks of using personal devices for business purposes and how infostealers can be encountered.

• Continuous infostealer monitoring: implement monitoring tools like passguard to detect new infections early so you can take action promptly.

  
  

Why this step is important:
preventing future infections is just as important as addressing the current threat. A proactive approach makes your organization more resilient against future infostealer attacks.

 In conclusion

An infostealer infection is a serious risk, but with a quick and structured response, you can limit the damage and protect your organization. By investing in preventive measures, raising awareness, and maintaining continuous monitoring, you minimize the risk of future incidents.

Need help detecting and resolving an infostealer infection? Reach out to our experts for support.