By taking the time now to get your malware response planning complete and in place, you can save valuable time should an infection hit your network. Security administrators try to be as proactive as possible, applying patches and updates, conducting penetration testing, and establishing usage policies. Unfortunately, sometimes all the preventive care in the world won’t protect your systems from the inevitable infection, be it virus, worm, or some other form of malware.
While it’s imperative to have an overall policy in place, the actual response should depend on the actual event. Malware response planning should not focus on the active attack; instead, it needs to concentrate on the payload left behind on your systems. Malware incidents can cause extensive damage and disruption to a network, and they require costly efforts to restore system security and user confidence.
Stages of Malware Response Planning
Effective malware response planning includes these six stages: preparation, detection and analysis, containment, eradication, recovery, and lessons learned.
Preparation
Develop malware-specific incident handling policies and procedures. Conduct malware-oriented training and exercises to test those policies and procedures, so that you find out whether they work before you actually have to use them.
Detection and analysis
Deploy and monitor antivirus/anti-spyware software. Read the malware advisories and alerts produced by antivirus/anti-spyware vendors. Create toolkits on removable media that contain up-to-date tools for identifying malware, examining running processes, and performing other analysis actions. Plan to take action to contain an infection immediately. Information must be gathered from the user and about the system to help assess the breadth of the problem.
It’s important to have a system in place that can quickly alert you to a potential infection, rather than waiting for a user to call you with “my computer is acting funny”. Most enterprise antivirus systems have configurable alerting and reporting. Make sure you set these up, and have the alerts sent somewhere you will actually see them. Also look at alerting thresholds, so that you don’t receive so many false positives and repeats that you start ignoring a real alert.
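To make the threshold idea concrete, here is an added example (not from the original article, and not tied to any vendor’s console) that reads a constructed alert export and collapses it into a short list of findings ordered by severity: a failed clean, or the same detection on several hosts within a short window, is escalated immediately; three repeats of a contained detection on one host become one ticket instead of three pages; a lone contained hit is only logged. The export format, field names, severity labels and thresholds are all assumptions to adapt to your own product.

```python
"""Triage antivirus console alerts so a real outbreak is not buried in noise.

Added example, not from the original article. The export format below is
constructed for illustration; real consoles export differently, so adapt
parse_alerts() to your product's CSV/syslog output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp | host | user | detection | action
SAMPLE_ALERTS = """\
2024-03-04T09:00:01 | WS-ACCT-07  | jdoe   | PUA.Toolbar.Generic | quarantined
2024-03-04T09:00:05 | WS-ACCT-07  | jdoe   | PUA.Toolbar.Generic | quarantined
2024-03-04T09:00:09 | WS-ACCT-07  | jdoe   | PUA.Toolbar.Generic | quarantined
2024-03-04T09:02:10 | WS-HR-03    | asmith | Trojan.Downloader   | cleaned
2024-03-04T09:03:30 | WS-SALES-11 | bwong  | Ransom.CryptoLocker | blocked
2024-03-04T09:03:41 | WS-SALES-11 | bwong  | Ransom.CryptoLocker | failed
2024-03-04T09:04:02 | FS-01       | bwong  | Ransom.CryptoLocker | failed
"""


def parse_alerts(text):
    """Turn the pipe-separated export into dicts with a real datetime."""
    alerts = []
    for line in text.strip().splitlines():
        ts, host, user, detection, action = (f.strip() for f in line.split("|"))
        alerts.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "detection": detection, "action": action})
    return alerts


def _max_in_window(group, window, key):
    """Largest number of distinct key() values inside any `window` that starts
    at one of the (time-sorted) alerts in group. key=id counts raw hits."""
    best = 0
    for i, first in enumerate(group):
        seen = {key(a) for a in group[i:] if a["time"] - first["time"] <= window}
        best = max(best, len(seen))
    return best


def triage(alerts, window=timedelta(minutes=10), repeat_threshold=3):
    """Collapse raw alerts into one finding per detection name.

    Escalation policy (an assumption for this example; tune it to your site):
      P1  the product reported a failed clean/quarantine, or the same detection
          hit more than one host inside `window` (it may be spreading)
      P3  one host re-triggered the same detection >= repeat_threshold times
          inside `window` but every hit was contained: one ticket, not N pages
      P4  an isolated, contained hit: log it, do not page anyone
    """
    by_detection = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_detection[a["detection"]].append(a)

    findings = []
    for detection, group in by_detection.items():
        hosts = sorted({a["host"] for a in group})
        failed = [a for a in group if a["action"] == "failed"]
        hosts_in_window = _max_in_window(group, window, key=lambda a: a["host"])
        hits_in_window = _max_in_window(group, window, key=id)
        if failed:
            sev, why = "P1", "product could not remediate; isolate host(s) now"
        elif hosts_in_window > 1:
            sev, why = "P1", f"{hosts_in_window} hosts hit within {window}; possible spread"
        elif hits_in_window >= repeat_threshold:
            sev, why = "P3", f"{hits_in_window} repeats on one host; find the re-infection source"
        else:
            sev, why = "P4", "single contained detection; log only"
        findings.append({"severity": sev, "detection": detection,
                         "hosts": hosts, "count": len(group), "reason": why})
    # "P1" sorts before "P3" before "P4", so the dangerous findings come first.
    return sorted(findings, key=lambda f: f["severity"])


if __name__ == "__main__":
    for f in triage(parse_alerts(SAMPLE_ALERTS)):
        print(f"{f['severity']} {f['detection']:<20} hosts={','.join(f['hosts'])} "
              f"hits={f['count']} :: {f['reason']}")
```

Run against the sample, the three CryptoLocker alerts become a single P1 naming both hosts (one of them a file server), the three identical PUA quarantines on one workstation become one P3 ticket, and the single cleaned downloader is logged at P4. The point of the exercise is the ordering: whatever routes these findings to a phone should only ever see the P1 line.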
Containment
Determine the risk to data, perform backups before proceeding with the chosen course of action if required, and decide whether to examine the malware’s effects on the system. Also decide whether to clean the malware, restore the system state, or rebuild the system.
Be prepared to shut down a server/workstation or block services (e.g., e-mail, Web browsing, or Internet access) to contain a malware incident. Decide in advance who has the authority to make this decision based on the malware activity. Early containment can stop the spread of malware and prevent further damage to systems both internal and external to your network.
If you’ve confirmed an infection on a computer, take it off the network immediately. Worms will often begin scanning the network for other computers to infect, and CryptoLocker-type ransomware will quickly get to work encrypting files on any and all network shares it can reach. Pull the network cable (and disable Wi-Fi) until you can figure out what type of infection you have and how to fix it. Disconnect rather than power off: a shutdown discards memory that may be needed to identify the malware and what it did.
This is a good time to begin your investigation. Talk to the user to see if you can determine a source for the infection. If it was an email attachment, check with other users to make sure they didn’t open it. Check your console to see if there are any other instances of this malware on your network. And check any file servers that the user accesses to determine whether files were damaged or infected; if so, be sure to isolate the infection before restoring data.
Eradication
Put the system cleaning plan into effect. Attempt first to remove the malware using automated tools such as antimalware products, but be prepared to use a variety of eradication techniques to remove malware from infected systems.
Next, you’ll need to get the infected workstation back up and running. Depending on the severity of the infection, you may be able to clean up the workstation using standard tools. However, it’s often best to have a procedure in place to start with a fresh install of Windows, which is the safest route, especially after a severe infection.
Recovery
Restore the confidentiality, integrity, and availability of data on infected systems, and reverse containment measures. This includes reconnecting systems/networks and rebuilding compromised systems from scratch or from known-good backups. The incident response team should assess the risks of restoring network services, and this assessment should guide management decisions about restoration of services. Attempt to restore the system state, then evaluate the restored system for the effectiveness of malware removal.
If you determine that any shared data was damaged or infected, it’s time to start restoring from backup. Before you do, confirm that your short-term backups are still intact, that the infected machine or account could not reach and encrypt them, and that the servers you restore to are no longer infected. If you have a good backup solution in place, chosen during malware response planning, this should be relatively painless.
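For the file-server check described under containment and the backup check above, here is an added example (not part of the original article) of a scanner that walks a share, or a mounted copy of a backup, and flags files carrying a ransomware extension, ransom notes, Office/PDF files whose header no longer matches their extension (encrypted in place, name kept), and plain-text files with ciphertext-like entropy. It reports per-directory counts and the earliest modification time among damaged files, which is the latest point a usable backup can come from. The indicator lists and the sample share it builds are constructed assumptions, not a definitive signature set; take the real indicators from the vendor write-up for the family you are facing.

```python
"""Scan a file share (or a backup copy of it) for signs of ransomware damage,
so you know which paths to restore and which backup point predates the hit.

Added example, not from the original article. The indicator lists below are
assumptions for illustration; extend them from your AV vendor's write-up for
the specific family you are dealing with.
"""
import math
import os
import random
import re
from collections import Counter
from datetime import datetime

# Assumed indicators (illustrative, not a complete or family-specific list).
RANSOM_EXTS = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE = re.compile(r"(decrypt|restore|recover)", re.IGNORECASE)
NOTE_EXTS = {".txt", ".html", ".hta"}
# Types that normally start with a fixed header; a body encrypted in place
# (name kept) no longer carries it.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF",
         ".png": b"\x89PNG"}
# Only plain-text types get the entropy test: zip-based Office files, PDFs and
# images are naturally high-entropy and would be false positives.
TEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".sql"}
ENTROPY_LIMIT = 7.0  # bits per byte; readable text is usually well under 6


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path):
    """Return a reason string if the file looks damaged or is a ransom note."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if ext in RANSOM_EXTS:
        return "ransomware extension appended"
    if ext in NOTE_EXTS and RANSOM_NOTE.search(name):
        return "possible ransom note"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "file header does not match extension (overwritten in place)"
    if ext in TEXT_EXTS:
        ent = shannon_entropy(head)
        if ent > ENTROPY_LIMIT:
            return f"text file with entropy {ent:.2f} bits/byte (encrypted?)"
    return None


def scan_tree(root):
    """Walk root; report damaged files, per-directory counts, and the earliest
    mtime among them (the backup you restore from must be older than that)."""
    findings, by_dir, scanned, earliest = [], Counter(), 0, None
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            scanned += 1
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root)
                findings.append({"path": rel, "reason": reason})
                by_dir[os.path.dirname(rel) or "."] += 1
                mtime = os.path.getmtime(full)
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {"scanned": scanned, "findings": findings, "by_dir": dict(by_dir),
            "earliest_damage": (datetime.fromtimestamp(earliest).isoformat()
                                if earliest else None)}


def build_sample_share(root):
    """Create a constructed share with healthy and damaged files (demo data)."""
    rng = random.Random(7)
    junk = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    samples = {
        "finance/q1.xlsx": b"PK\x03\x04" + b"\x00" * 64 + b"sheet data " * 100,
        "finance/q2.xlsx.locked": junk,
        "finance/README_TO_DECRYPT.txt": b"Your files are encrypted. Pay to restore.",
        "hr/policy.docx": junk,   # encrypted in place, name kept
        "hr/payroll.csv": junk,   # encrypted in place, name kept
        "hr/notes.txt": b"Meeting notes: review handbook section 4.\n" * 20,
        "it/inventory.txt": b"host,owner,os\nWS-01,jdoe,Windows 10\n" * 30,
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        report = scan_tree(share)
    print(f"scanned {report['scanned']} files, {len(report['findings'])} flagged")
    for f in report["findings"]:
        print(f"  {f['path']}: {f['reason']}")
    print("restore flagged directories from a backup older than", report["earliest_damage"])
```

Point it at a read-only mount of the share (or of the backup set before you trust it) rather than at the live server from the infected user’s account. Running the same scan on the backup copy is the quickest way to confirm that the backup itself was not reachable from the infected machine.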
Lessons learned
Gather the lessons learned after each malware incident to avert similar incidents in future. Identify changes to security policy and software configurations, and any malware detection and prevention controls to add. After the infection is cleaned up and the damage has been undone, take the opportunity to do a post-mortem: find out what happened, and how it can be prevented next time.
When it comes to responding to a malware incident, you can deploy all the detection and monitoring tools on the planet, but you still have to get your users involved. As part of your malware response planning, educate your users on how to recognise an infection and teach them the steps to take if their system becomes infected.
Malware Response Planning Considerations
When deciding which course of action from your malware response plan to take to get the attack under control and restore the system to normal as quickly as possible, consider the following:
- The amount of time required and available to restore the system to normal operations
- The resources needed and available to perform the work
- The expertise and administrative rights of the personnel performing the recovery
- The cost to the business that could result from data loss, exposure, and downtime
All of these items will influence the decisions and the risk the organisation is willing to accept when responding to and recovering from a malware attack.
Contact Makarov Intelligence Cyber & Risk Management