While conducting incident response work, Mandiant encounters security teams and executives who seem to focus on malware as the defining feature of a compromise. These groups think that the scope of an incident depends on knowing where the intruder installed malware. Knowing where malware was used, and how it was used, is indeed important for effective incident response. Unfortunately, knowledge of malware, however complete, is only half the picture.
When detecting, responding to, and containing intrusions, the "scope" of the incident is a key consideration. Scope refers to the extent of the compromise. How much of the enterprise is under adversary control? How much of the enterprise did the intruder access? How much data was viewed, stolen, altered, or otherwise manipulated? The answers to these questions will guide the tempo and nature of any remediation activity.
Mandiant's previous reporting on incident scope and malware prevalence indicate that intruders use malware to reach approximately half of all the systems with which they interact, on average. In other words, if you find every single system compromised by malware, and use no other means to determine incident scope, you will miss 50% of the intrusion.
Missing that 50% has terrible consequences. An enterprise that uses a malware-focused remediation quickly learns that they have failed to remove the intruder. Repeated malware-focused remediation efforts will continue to fail.
It makes sense from the intruder's point of view to abandon malware as quickly as possible. It's much more effective for the intruder to adopt the same means of access that regular employees use - credentials, virtual private network access, and the like. These means of access are supported by the organization and difficult to audit for unauthorized access, depending on the size and complexity of the organization.
The bottom line is that scoping incidents requires looking not just at malware, but at all indicators of compromise. Only by taking a more holistic approach will organizations rapidly and effectively detect, respond to, and contain intrusions.