What threat response entails, and how VIPRE Cloud can bolster your defenses against different types of threats. It also gives direction on where to begin investigating when threats do occur.
Monitoring Threats
VIPRE provides a couple of handy ways to alert you to newly-discovered threats: you can look for them in our dashboard or you can have threat notifications delivered to you via email (as either real-time threat alerts or a daily threat summary). The email alert channel is a great way to stay on top of threats as they happen, and reduces the need to spend time proactively working with the console. Email alerts however allow you to instantly drill down on relevant data, which leads you right back into the console where you can respond to and remediate the discovered threats. Our discussion here will focus on using the dashboard to monitor and respond to threats, whether you are brought to the dashboard by an alert or go there directly.
Monitoring Threats with the Dashboard
The first line of defense in responding to threats involves keeping a close eye on the information displayed in the VIPRE dashboard. Use the dashboard to drill down and view the appropriate level of detail when investigating or remediating quarantined threats in your environment.
Some of the most common threats include
- Email-based threats
- Network-based threats
- Device-based threats
Email-based Threats
The most common type of malware attack is sourced from email messages. Malware authors attempt to coerce users into triggering attacks through the use of malicious attachments or suspect URLs. Attackers use these email techniques in order to gain a foothold on the endpoint system.
If VIPRE discovers a suspicious file attachment or URL in an email, it will remove and quarantine the attachment or replace the URL with a warning, thereby eliminating the risk that an inattentive user might click on the threat.
Network-based Threats
Malicious links in email or suspicious websites can trigger network-based exploits. There are also direct network exploits, such as a recent Server Message Block (SMB) exploit leveraged in the WannaCry ransomware breakout. Any over the air attack on a network device (man in the middle, Bluetooth attack, packet sniffing) is also considered a network-based threat.
VIPRE will block many types of network-based threats and prevent network traffic from entering a target device. No action is typically required in this case.
Device-based Threats
A device based attack involves the activating of malicious content on a device. This could occur through the transferring a file from a physical device, such as a USB flash drive, or from a remote file share.
File-based threats found on a device will be quarantined, and processes behaving in a malicious manner will be stopped. Quarantined threats should be reviewed regularly and action is taken to delete the threat or, in the case of a rare false positive, unquarantine the threat.
Respond to Threats
To respond to threats, be sure to monitor real-time threat data under the VIPRE dashboard or the Quarantine screen. In the Quarantine screen, you can search for threats according to their severity, category, or threat source.
In the VIPRE dashboard, be sure to watch the following areas for indicators that something is amiss.
To protect your environment, VIPRE Cloud filters suspicious threats and displays the information on the Quarantine screen. Use the Quarantine screen to perform any of the following tasks
- View threat detail
- Delete a threat
- Search for threats
- Ignore a threat
Threat Severity Levels
Detected threats are assigned a severity level which is useful for triage. The levels, which are described below, are labeled as Severe, High, Elevated, Moderate, Low, and Unknown.
Severity level | Description |
Severe | Severe risks are typically installed without user interaction through security exploits and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and botnets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files or spreading to other networked machines. A severe risk should be seriously considered for immediate removal as it may completely compromise your privacy and security by allowing an attacker to remotely control your machine, exploit it for illicit purposes, or make dangerous changes to your computer without your knowledge or consent. |
High | High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer. High risk should be seriously considered for immediate removal as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge or consent; or severely degrade your computer's performance and stability. |
Elevated | Elevated risks are typically installed without adequate notice and consent, and may make unwanted changes to your system, such as reconfiguring your browser's homepage and search settings. These risks may install advertising-related add-ons, including toolbars and search bars, or insert advertising-related components into the Winsock Layered Service Provider chain. These new add-ons and components may block or redirect your preferred network connections, and can negatively impact your computer's performance and stability. Elevated risks may also collect, transmit, and share potentially sensitive data without adequate notice and consent.An elevated risk should be considered for removal or remain quarantined as it may compromise your privacy and security, make unwanted changes to your computer's settings, or negatively impact your computer's performance and stability. |
Moderate | Moderate risks are often bundled with functionally unrelated software or installed without adequate notice and consent and may display unwanted advertising on the user's desktop. Such risks may track users' online browsing habits and transmit non-personally identifying data back to a server in order to target advertising. These risks may be configured to start automatically with the operating system, use an auto-updater that the user cannot control, or install other functionally separate programs without adequate notice and consent. A moderate risk should be considered for removal or remain quarantined as it may negatively impact your privacy and security or make unwanted changes to your computer's settings. |
Low | Low risks should not harm your machine or compromise your privacy and security unless they have been installed without your knowledge and consent. A low risk may be a program, network tool, or system utility that you knowingly and deliberately installed and that you wish to keep. Although some low-risk programs may track online habits -- as provided for in a privacy policy or End User License Agreement (EULA) -- or display advertising within the applications themselves, these programs have only vague, minimal or negligible effects on your privacy. Low risks may also be cookies, which can be used to track your online activities, though without identifying you personally. A low risk may be kept or removed at your discretion. A low risk has only vague or minimal privacy and security effects. If this is a program that you knowingly and deliberately installed, you may consider keeping it. If it is a cookie, then you may consider removing it. |
Unknown | Unknown is assigned to threats that may not have enough intel, or metadata, to be able to determine the appropriate severity level. For those threats, rather than assign a level that may not be appropriate, VIPRE assigns them to Unknown so that Administrators or Threat Researchers know to review these as carefully as the threats reported at the higher severity levels. |
Further Investigation
Since VIPRE proactively blocks threats before targeted devices are impacted, most threat response is limited to cleaning out the quarantine and handling the occasional false positive. However, there are a few circumstances where the additional investigation might be desirable:
- In some cases, VIPRE is not able to completely clean up all files related to a specific threat, for example, if locked files are in use, etc. In this scenario, additional action may be required on the affected machine to finalize the threat clean up.
- You may discover that a particular device or user seems to be repeatedly affected by threats again and again. This could be caused by system misconfiguration, user carelessness, or some underlying, undetected problem. If you see repeated infections of a particular target system (the timeline device view is a good way to discover this), you may wish to look more deeply at the underlying causes.