To reduce the probability and impact of rootkit infection, organizations should take the following proactive steps:
1. Do not ignore the threat and do not rely entirely on deployed anti-virus or host security systems.
2. Develop and implement a plan to analyze the current state of all systems.
3. Establish proactive procedures for maintaining an expanding defense against rootkit installation attempts, including policies and end-user communication.
4. Create a plan to analyze any infections that occur.
Kevin Mandia, president and CEO of MANDIANT, notes two essential capabilities for discovering rootkits in the enterprise: "the ability -- tools and technology -- to detect the rootkit's network traffic via network security monitoring; and the ability to perform a sophisticated host-based console review, [making sure you're] able to conclude that the host-based review did not identify the process that is generating the suspicious network traffic."
For organizations looking for added protection against rootkits, enlisting the assistance of security experts is a worthwhile idea. MANDIANT, for one, provides incident-response software and professional services, enabling organizations to tap experts when developing risk-mitigation strategies and when responding to incidents to determine what data was lost and how the attack entered and evolved.
Unfortunately, too many organizations will wait until they have lost data and have exposed themselves to great financial harm before taking steps. Don't be one of them.