SpyCloud Compass identifies infected devices accessing critical workforce apps

SpyCloud launched Compass, a transformative solution to help enterprises detect and respond to the initial precursors to ransomware attacks.

SpyCloud Compass

Compass provides definitive evidence that data siphoned by malware infections is in cybercriminals’ hands and provides a comprehensive approach to incident response for malware infected devices, known as Post-Infection Remediation.

Application credentials and stolen cookies from infected employee and contractor devices are often used by ransomware operators and Initial Access Brokers (IABs) to identify targets and infiltrate corporate networks undetected.

As remote workers and contractors increasingly blur the lines between managed and unmanaged device usage, malware infections on employee-owned systems enable cybercriminals to sidestep traditional ransomware protection solutions, including endpoint protection. Every time an employee logs into work on an infected device, bad actors have an easy path to workforce applications used for single-sign on (SSO) authentication, remote access portals, virtual private networks, code repositories, accounting applications, and other critical business systems.

In the 2022 SpyCloud Ransomware Defense Report, 87% of organizations surveyed showed concern about infostealer malware on unmonitored devices creating entry points for ransomware. Even with this concern, most businesses allow employees to access corporate applications on unmanaged, personal devices, and rely on vendors and contractors with BYOD policies or lax controls on managed devices, extending the attack surface for adversaries to capitalize on.

Security Operations Center (SOC) teams can use SpyCloud Compass to identify when devices, applications, and users are compromised by malware, even if the infected device or business application falls outside of corporate oversight. Incident responders can visualize the scope of each threat at-a-glance, seeing all the necessary details needed to quickly remediate. This reduces the legwork of investigating the potential impact of a compromised device, enabling them to move quickly from detection to response.

With Post-Infection Remediation, a comprehensive malware infection remediation approach, security professionals now have a series of steps they can include in their traditional incident response playbooks to properly mitigate opportunities for ransomware and other cyberattacks by resetting the application credentials and invalidating session cookies siphoned by infostealer malware.

“Once a piece of data is compromised by malware, that data doesn’t just go away – but many companies fail to fully realize the long-term significance to their ransomware risk,” said Ted Ross, CEO of SpyCloud. “Compass was designed to solve this problem. It reduces the enterprise’s exposure by arming the security team with knowledge of the infected devices accessing critical workforce applications. Without addressing these exposures, the door is open for attackers to access, steal, encrypt, and even wipe corporate data.”

SpyCloud’s solution stands alone with the capability to support Post-Infection Remediation and prevent cybercriminals from launching a full-blown cyberattack. Acting on the information cybercriminals have gained from an infostealer malware infection, security teams can now properly remediate at-risk entry points – significantly shortening the ransomware exposure window.

“The Post-Infection Remediation process is frequently overlooked when it comes to addressing malware,” Ross said. “Wiping the infection off a device may sever the connection with the criminal, but it doesn’t address the authentication and access data they’ve already stolen. Post-Infection Remediation is now a requirement for organizations looking to address the gaps in their ransomware prevention framework.”

SpyCloud Compass enables organizations to:

  • Reduce their risk of ransomware by identifying hard-to-detect malware infections that provide bad actors with entry points
  • Identify threats outside of corporate control, such as employees’ and vendors’ malware-infected personal devices that have been used to access workforce applications
  • Shorten incident response times when investigating the potential impact of an infected device
  • Mitigate long-term malware risks by taking incident response beyond standard device remediation
  • Illuminate previously unseen compromised assets including credentials and cookies for third-party applications like SSO, VPN, CRM, etc.
  • Focus on high-priority threats based on definitive indicators of malware-infected devices and exposed applications on corporate networks

Leave a Comment