The Complete Malware Incident Response Playbook


Traditional incident response plans are failing.

Malware infections have become so advanced that some strains can infect a machine undetected, siphon off sensitive information and then remove themselves in seconds.

Using self-deleting malware, bad actors can steal arbitrary documents, credit card details, credentials and session tokens, and then launch a ransomware attack on top of that.

Remediating the impact needs to extend beyond cleaning the infected devices.

Without addressing the stolen credentials and session tokens, criminals can still bypass MFA, access critical systems, and steal data.

In this article you’ll learn the seven steps needed to fully mitigate malware attacks.


How to use this playbook

The ramifications of each malware infection are unique, so treat this guide as a framework for your organization's response rather than a rigid checklist. The steps are presented in sequence, but some overlap between them is normal: containment often begins while identification is still under way.

1. Preparation

  • Determine IR Team Members: Create an incident response team responsible for leading the assessment, containment, and mitigation efforts during an incident.
  • Assign Roles and Responsibilities: Clearly define roles and responsibilities for each team member, e.g. forensic analyst, IT admin, incident coordinator, etc.
  • Identify Extended IR Team Members: Where relevant, include representatives from Legal, Compliance, Human Resources, Public Relations, and Executive Leadership.
  • Define Escalation Paths: Establish clear paths for escalating incidents based on their severity. Examples of this are:
    • Internal Escalation:
      • Level 1: Initial detection and assessment by frontline support or monitoring team.
      • Level 2: Escalation to a more experienced team or manager for further investigation and response.
      • Level 3: Escalation to senior management or executive team if the incident is severe or requires high-level decisions.
    • External Escalation:
      • Contacting external incident response teams, such as a Managed Security Service Provider (MSSP) or cybersecurity consultants, for assistance.
      • Notifying legal counsel or regulatory authorities if the incident involves legal or compliance issues.
  • Evaluate and Secure Backups: Ensure critical system backups are secured and accessible in the event of an incident.

2. Identification

  • Isolate Infected Systems: Immediately isolate infected systems from the network to prevent further spread. Prefer network-level isolation (EDR containment or a quarantine VLAN) over shutting the machine down.
  • Preserve Systems for Forensic Analysis: Avoid powering off machines. Running processes, open network connections, injected code and decrypted payloads exist only in memory and are lost on shutdown, so capture a memory image before any remediation that changes the machine's state. This evidence is crucial for the next step.
  • Determine the Execution Context: Analyze the malware to determine which account it ran under (the logged-on user, a service account or SYSTEM) and disable the affected accounts. Treat every credential and session token reachable from that context as stolen.
  • Analyze Malware Characteristics: Use sandboxed malware analysis systems to determine characteristics for containment. Specifically look for attempts at network connectivity (domains, IP addresses and URLs contacted), any files created or modified, and persistence mechanisms such as scheduled tasks, services or registry run keys. These are Indicators of Compromise (IoCs) that should be used to locate additional infected hosts.
  • Identify the Initial Entry Point: Use all logs and IoCs available to search for the initial point of entry as well as the attack vector (email, PDF, malicious software, etc.) used. Record the earliest timestamp of compromise; it determines which backups can still be trusted during recovery.

3. Containment

  • Close Possible Gaps: Use information from the identification phase to close the entry points.
  • Isolate Additional Infected Hosts: Use the IoCs to locate and isolate additional infected devices.
  • Segment the Network: Where required, further segment your network to contain the malware.
  • Add IoCs to Endpoint Protection: Use the IoCs to update endpoint protection so that it blocks and alerts on any further detection.
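The identification step produces IoCs from sandbox analysis and the containment step uses them to find every other infected host. The following is an added example, not code from the original playbook, of that sweep: sandbox-derived indicators (a file hash, a file path, a domain and IP ranges) are matched against host telemetry and the result is the list of hosts to isolate. The indicators, hostnames and log lines are constructed for illustration, and the space-separated key=value log format is an assumption rather than any vendor's native format.

```python
"""IoC sweep across host telemetry.

Added example; not code from the original playbook. Indicators, hostnames and
log lines are constructed, and the key=value log format is an assumption.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicators, as a sandbox report might list them.
IOCS = {
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "domain": {"update-cdn.example.net"},
    # Single addresses and CIDR ranges are both accepted.
    "ip": {"203.0.113.45", "198.51.100.0/30"},
    "path": {r"c:\users\public\svchost32.exe"},
}

# Constructed telemetry from several hosts: EDR process events, DNS and connection logs.
LOG_LINES = [
    r'ts=2024-05-02T09:14:03Z host=WS-0142 event=process_create image="C:\Users\Public\svchost32.exe" sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08',
    r'ts=2024-05-02T09:14:05Z host=WS-0142 event=dns query=update-cdn.example.net.',
    r'ts=2024-05-02T09:20:41Z host=WS-0311 event=dns query=cdn.update-cdn.example.net',
    r'ts=2024-05-02T09:20:42Z host=WS-0311 event=net_conn dst_ip=203.0.113.45 dst_port=443',
    r'ts=2024-05-02T09:22:10Z host=SRV-DB01 event=net_conn dst_ip=198.51.100.2 dst_port=8443',
    r'ts=2024-05-02T09:30:00Z host=WS-0099 event=process_create image="C:\Windows\System32\svchost.exe" sha256=2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae',
    r'ts=2024-05-02T09:31:12Z host=WS-0099 event=dns query=updates.example.com',
    r'ts=2024-05-02T09:31:13Z host=WS-0099 event=net_conn dst_ip=198.51.100.9 dst_port=443',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value telemetry line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ip_matches(ip, networks):
    """True if ip falls inside any indicator address or CIDR range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def domain_matches(name, domains):
    """Exact match or subdomain of an indicator domain (trailing dot tolerated)."""
    return any(name == d or name.endswith("." + d) for d in domains)


def match_iocs(fields, iocs=IOCS):
    """Return the set of (ioc_type, value) indicators present in one event."""
    hits = set()
    sha = fields.get("sha256", "").lower()
    if sha in iocs["sha256"]:
        hits.add(("sha256", sha))
    for key in ("image", "path", "target"):
        p = fields.get(key, "").lower()
        if p in iocs["path"]:
            hits.add(("path", p))
    for key in ("query", "http_host"):
        d = fields.get(key, "").lower().rstrip(".")
        if d and domain_matches(d, iocs["domain"]):
            hits.add(("domain", d))
    for key in ("dst_ip", "src_ip"):
        ip = fields.get(key)
        if ip and ip_matches(ip, iocs["ip"]):
            hits.add(("ip", ip))
    return hits


def sweep(lines, iocs=IOCS):
    """Map each host to the indicators observed on it; clean hosts are omitted."""
    infected = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        host = fields.get("host")
        if not host:
            continue
        hits = match_iocs(fields, iocs)
        if hits:
            infected[host] |= hits
    return dict(infected)


def isolation_list(infected):
    """Hosts to hand to containment: most indicators first, then by name."""
    return sorted(infected, key=lambda h: (-len(infected[h]), h))


if __name__ == "__main__":
    found = sweep(LOG_LINES)
    for host in isolation_list(found):
        print(host, sorted(found[host]))
```

Two details matter in practice: hashes and paths are compared case-insensitively because Windows telemetry is inconsistent about case, and domains match on suffix so that a throwaway subdomain of the C2 domain is still caught. The same indicator set, once proven against telemetry, is what gets pushed to endpoint protection in the last bullet above.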

4. Eradication

  • Preserve Artifacts: Preserve relevant artifacts, systems, and backups. These may be useful in future forensic investigations or legal proceedings.
  • Preserve Volatile Data: Memory images, running-process lists and network connection tables cannot be recovered once a host is rebuilt. Keep them, together with the virtual machine snapshots, log files and backups collected during previous phases.
  • Rebuild or Replace Systems: Remove the malware and its persistence mechanisms from any system you choose not to rebuild, and verify the cleanup against the IoCs gathered during identification. When deciding whether to clean, rebuild or replace a system, consider the severity of the infection, the effectiveness of your remediation efforts, the criticality of the system, and the cost.

5. Recovery

  • Restore Impacted Systems: Restore impacted systems from clean backups taken prior to infection. Compare the backup date against the initial entry point found during identification, not against the detection date, since the compromise may predate detection by weeks.
  • Rebuild Impacted Systems: When restoring the system from backup isn't possible, rebuild the system from a known good image and patch it before returning it to the network.
  • Remediate Vulnerabilities: Address any vulnerabilities or gaps identified during the investigation.

6. Password Resets

  • Reset Impacted Account Passwords: Reset passwords for all accounts that may have been compromised or involved in the incident. Ensure that employees don’t update their passwords from a malware infected device.
  • Terminate Impacted Session Tokens: Invalidate leaked session tokens within the relevant web applications and identity providers. Resetting passwords is not enough: a valid session token lets a threat actor bypass both the login and the MFA requirement, and the token keeps working until the application itself revokes it.
  • Implement Multi-Factor Authentication (MFA): Where possible, require MFA for added security when authenticating.
  • Communicate Password Changes: Communicate password changes to affected users and provide guidance on creating strong passwords using a password manager. Ensure that employees don’t create passwords based on a variation of their compromised password.
  • Monitor for Account Activity: Monitor affected accounts for any suspicious activity following the password resets.
  • Review Password Policy: Review and update the organization’s password policy based on lessons learned from the incident.
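The second bullet above is the one most often skipped. The following is an added example, not code from the original article, of a minimal server-side session store that shows the gap concretely: a password reset replaces the stored hash and nothing else, so a token copied by an infostealer keeps resolving to the victim's account until sessions are explicitly revoked. The class and method names are assumptions for illustration; the revocation mechanism (a per-user session generation counter recorded in each token) is a common design, not something the article prescribes.

```python
"""Password reset versus session revocation.

Added example, not from the original article. Names are illustrative
assumptions; the per-user "generation" counter is one common revocation design.
"""
import hashlib
import hmac
import os
import secrets


class SessionStore:
    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "generation"}
        self.sessions = {}  # token -> {"user", "generation"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash(password, salt), "generation": 0}

    def login(self, username, password):
        """Verify the password and issue a session token, or return None."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], self._hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        # The token records the user's session generation at issue time.
        self.sessions[token] = {"user": username, "generation": user["generation"]}
        return token

    def resolve(self, token):
        """Return the username for a valid token, or None."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user = self.users[sess["user"]]
        # A token from an older generation is rejected even though it was never
        # deleted; the same check works for stateless tokens (JWTs) that carry
        # the generation as a claim and cannot be deleted server-side.
        if sess["generation"] != user["generation"]:
            return None
        return sess["user"]

    def reset_password(self, username, new_password):
        """What a bare password reset does: replace the hash and nothing else."""
        user = self.users[username]
        user["salt"] = os.urandom(16)
        user["pw_hash"] = self._hash(new_password, user["salt"])

    def revoke_sessions(self, username):
        """Invalidate every session issued so far, including copies the attacker holds."""
        self.users[username]["generation"] += 1


def walk_through():
    """Replay the playbook scenario; returns (attacker_in_after_reset, attacker_in_after_revoke)."""
    store = SessionStore()
    store.add_user("alice", "Winter2024!")
    stolen = store.login("alice", "Winter2024!")    # infostealer exfiltrates this cookie

    store.reset_password("alice", "Spring2025!")     # first bullet of step 6 only
    after_reset = store.resolve(stolen) == "alice"   # True: attacker is still logged in

    store.revoke_sessions("alice")                   # second bullet of step 6
    after_revoke = store.resolve(stolen) == "alice"  # False: token now rejected
    return after_reset, after_revoke


if __name__ == "__main__":
    print(walk_through())  # (True, False)
```

For hosted identity providers the equivalent of revoke_sessions is the provider's revoke-all-sessions operation (for example Microsoft Graph's revokeSignInSessions or Okta's clear-user-sessions endpoint); the browser cookies and OAuth refresh tokens copied from the infected machine stay valid until that call is made, regardless of how many times the password changes.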

7. Lessons Learned

  • Conduct Post-Incident Meeting: Discuss what went well and what didn't in the incident response process. Identify any gaps in the organization's security that need improvement.
  • Modify Security Procedures: Make necessary modifications to network segmentation, firewall configurations, patching procedures, etc. to prevent future attacks.
  • Create Incident Report: Create both a detailed technical report as well as a high-level executive summary to distribute to the IR team and management.
