Malware Incident Response Playbook

Download your free copy now

Since security incidents can occur in a variety of ways, there is no one-size-fits-all solution for handling them.

Please use these response guides as a framework for your business to respond in the event of a potential threat.

A malware incident can be crippling to a business, and it’s crucial to respond to the issue as soon as possible, due to how rapidly it can spread. This malware incident response playbook gives you step-by-step help in the event of a malware incident.

Free Resource

Download our free Malware Incident Response Playbook now.

DOWNLOAD TEMPLATE

Purpose

To guide in responding to a malware incident.

How to Use This Playbook

The steps in this playbook should be followed sequentially where appropriate. With many steps in the Containment, Eradication, and Recovery steps, some overlap may occur and is expected.

Preparation

Note: Preparation steps should primarily be completed prior to an event or incident. If the playbook is being accessed during an event or incident you may proceed to Preparation Step 4b.

Determine the members of the Cybersecurity Incident Response Team (CSIRT).
1. The core CSIRT members should be comprised of individuals responsible for cybersecurity only.
  1. This may include some members of Information Technology roles, depending on the organization size.
  2. The limited size of the core CSIRT is to assist with confidentiality and efficiency.
  3. The core CSIRT may be activated often to investigate security events that may or may not result in an incident.
2. Assign roles and responsibilities to each member.
Determine extended CSIRT members.
1. This will often be Legal, Compliance, Public Relations, and Executive Leadership.
Define escalation paths.
1. Incidents may start as events, or as a lower impact/severity and then increase as more information is gathered. Establishing an escalation path is critical to success.
Evaluate and secure critical system backups.
1. Backups should be secured prior to any incident.
2. During the initial stages of any incident, evaluate and confirm that backups are secure and not impacted by the incident.

Identification

Isolate infected systems ASAP.
1. DO NOT power off machines, as forensic artifacts may be lost.
2. Preserve the system(s) for further forensic investigation including log review, MFT analysis, deep malware scans, etc.
  1. These steps should be performed during the Identification phase to guide the investigation.
Investigate malware to determine if it’s running under a user context.
1. If so, disable this account (or accounts if multiple are in use) until the investigation is complete.
Analyze the malware to determine characteristics that may be used to contain the outbreak.
1. If available, use a sandboxed malware analysis system to perform analysis.
  1. Note: Network connectivity should not be present for this sandbox system except in very rare circumstances. Network activity from malware may be used to alert an attacker of your investigation.
  2. Observe any attempts at network connectivity, note these as Indicators of Compromise (IoCs)
  3. Observe any files created or modified by the malware, note these as IoCs.
  4. Note where the malware was located on the infected system, note this as an IoC.
  5. Preserve a copy of the malware file(s) in a password protected zip file.
2. Use the PowerShell “Get-FileHash” cmdlet to get the SHA-256 hash value of the malware file(s).
  1. This hash may also be used to search for community information regarding this malware (i.e. VirusTotal, Hybrid-Analysis, CISCO Talos, etc.)
  2. Additional hash values (SHA1, MD5, etc.) may be gathered to better suit your security tools.
  3. Note these hash values as IoCs.
3. Use all IoCs discovered to search any available tools in the environment to locate additional infected hosts.
Use all information and IoCs available to determine if the malware is associated with further attacks.
1. i.e. Emotet, Trickbot, and Qakbot are often involved in Ryuk ransomware attacks.
2. If further attacks are associated, gather all additional information available on these attacks to further the investigation.
Use all information and IoCs available to search for the initial point of entry.
1. Determine the first appearance of the malware.
2. Determine the user first impacted by the malware.
3. Investigate all available log files to determine the initial date and point of infection.
4. Analyze all possible vectors for infection.
  1. Focus on known delivery methods discovered during malware analysis (email, PDF, website, packaged software, etc.).

Containment

Use the information about the initial point of entry gathered in the previous phase to close any possible gaps.
1. Examples: Firewall configuration changes, email blocking rules, user education, etc.
Once the IoCs discovered in the Identification phase have been used to find any additional hosts that may be infected, isolate these devices as well.
Add IoCs (such as hash value) to endpoint protection.
1. Set to block and alert upon detection.
Submit hash value to community sources to aid in future detection.
1. NOTE: Clear this process with legal/compliance representatives during each incident, as each malware situation will be different.
If additional further attacks were noted as associated with the malware, use IoCs and threat-intel to apply additional controls to prevent the attack from escalating.
Implement any temporary network rules, procedures and segmentation required to contain the malware.
If additional accounts have been discovered to be involved or compromised, disable those accounts.

Eradication

Preserve artifacts, systems, and relevant backups according to the sensitivity and scale of the incident. These may be important for future forensics.
1. If rebuilding or replacing physical systems, preserve physical hard disks, solid state drives, or forensically sound images of those storage drives.
2. If rebuilding or replacing virtual machines, preserve a copy, full (independent) snapshot, or a backup of the system.
Preserve any volatile data that may have been collected during the identification and containment phases.
1. This may include log files, backups, malware samples, memory images, etc.
Once all relevant data, equipment, and/or systems have been preserved, replace, or rebuild systems accordingly.

Recovery

Restore impacted systems from a clean backup, taken prior to infection if these backups are available.
For systems not restorable from backup, rebuild the machines from a known good image or from bare metal.
Remediate any vulnerabilities and gaps identified during the investigation.
Reset passwords for all impacted accounts and/or create replacement accounts and leave the impacted accounts disabled permanently.
Continue to monitor for malicious activity related to this incident for an extended period.
1. Alerts should be configured to aid in quick detection and response.

Lessons Learned

Conduct a meeting after the incident to discuss the following:
1. What things went well during the investigation?
2. What things did not go well during the investigation?
3. What vulnerabilities or gaps in the organization’s security status were identified?
  1. How will these be remediated?
4. What further steps or actions would have been helpful in preventing the incident?
5. Do modifications need to be made to any of the following:
  1. Network segmentation
  2. Firewall configuration
  3. Application security
  4. Operating System and/or Application patching procedures
  5. Employee, IT, or CSIRT training
Create and distribute an incident report to relevant parties.
1. A primary, and more technical, report should be completed for the CSIRT.
2. An executive summary should be completed and presented to the management team.