Have you disabled autoplay for USB devices? Giving files the chance to run without approval is seldom a good idea from a security perspective. It's better to give the user a chance to stop and think about what they're seeing before it launches. Do you use AV software with more advanced functionality, such as an intrusion prevention system (IPS)? While AV software is not intended to deal with brand-new targeted attacks, it can sometimes catch threats based on known suspicious behavior or known software exploits.
Command & Control: The Threat is Checking In
Once a threat has gotten into your network, its next task will be to phone home and await instructions. This may be to download additional components, but more likely it will be contacting a botmaster over a Command & Control (C&C) channel. Either way, this requires network traffic, which means there is only one question to ask yourself here: Do you have a firewall that is set to alert on all new programs contacting the network?
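As an added illustration (not code from the article), here is a small Python check that replays host-firewall log lines against a baseline of programs already approved to reach the network and flags any program outside that baseline; the log format, program paths, addresses and the baseline itself are constructed for this example.

```python
"""Flag programs that have never been approved to contact the network.

Added example: replay outbound-connection log lines against a baseline of
known programs; anything else that phones out is raised for human review.
"""
import re
from collections import defaultdict

# Constructed sample log: timestamp, direction, program path, destination ip:port
SAMPLE_LOG = """\
2024-01-05T09:00:01 OUT C:\\Program Files\\Mozilla Firefox\\firefox.exe 93.184.216.34:443
2024-01-05T09:00:07 OUT C:\\Windows\\System32\\svchost.exe 40.126.31.1:443
2024-01-05T09:02:15 OUT C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.pdf.exe 203.0.113.7:8080
2024-01-05T09:03:15 OUT C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.pdf.exe 203.0.113.7:8080
2024-01-05T09:04:15 OUT C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.pdf.exe 203.0.113.7:8080
2024-01-05T09:05:00 OUT C:\\Program Files\\Mozilla Firefox\\firefox.exe 142.250.74.46:443
"""

# Constructed baseline: programs already approved to reach the network (lower-case)
KNOWN_PROGRAMS = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\windows\system32\svchost.exe",
}

# Program paths may contain spaces, so match the path non-greedily up to the ip:port
LINE_RE = re.compile(r"^(\S+) OUT (.+?) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_log(text):
    """Yield (timestamp, program, dest_ip, port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def find_new_programs(text, known=KNOWN_PROGRAMS):
    """Return {program: [(timestamp, 'ip:port'), ...]} for programs not in the baseline.

    Paths are compared case-insensitively, as Windows treats them.
    """
    alerts = defaultdict(list)
    for ts, program, ip, port in parse_log(text):
        if program.lower() not in known:
            alerts[program].append((ts, f"{ip}:{port}"))
    return dict(alerts)


if __name__ == "__main__":
    for program, hits in find_new_programs(SAMPLE_LOG).items():
        print(f"ALERT: unapproved program {program} made {len(hits)} connection(s)")
        for ts, dest in hits:
            print(f"  {ts} -> {dest}")
```

Each alert should be reviewed by a person before the program is added to the baseline; the same replay can be run against a larger allowlist and a longer log export.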
If the threat has gotten this far, it's made changes to the machine and is going to require a lot more work from IT staff. Some companies or industries require that forensics be done on the affected machines to determine what data has been stolen or tampered with. And those affected machines will either need to be cleaned or reimaged — it can be less costly and time-consuming if the data has been backed up and there is a standard corporate image that can be quickly replaced onto the machine.
Actions: Time to Wreak Havoc
What the threat does at this point is entirely up to the attacker. It may steal data, it may spew spam or DDoS traffic, or it may steal CPU cycles for other purposes. If the threat has gotten this far, you can count on having to do all the work from the previous stages, but on a larger scale. It may have spread from one machine to many (or all) of the machines in your network, and it may have done a lot more damage or stolen a whole lot more data. If nothing has detected the file at this point, you may be dealing with an "Advanced Persistent Threat," which is a fancy way of saying that sufficient security measures were not in place to detect the threat.
Will Kill Chain Tactics Work for Your Organization?
If you don't already have security and visibility built into your corporate environment, this may seem like an impossible hill to climb. But implementing a Cyber Kill Chain doesn't have to be done overnight. Take smaller measures, completing stages as you are able. Do a check of your web presence to see what information it could give an attacker. Have each of your sites do an inventory of all computers so you can update them all. Implement layered security to decrease the possibility that threats will slip through unnoticed. Create a policy for dealing with malware events. Educate your staff about what to do with unexpected, suspicious emails.
With each step taken, you'll get more information about your environment. And the more information you have, the more likely you will be able to identify anomalous behavior.