Malware Incident Response Planning

Planning for incidents is absolutely critical to your business and it should consist of a clear set of policies and procedures which are available to those within your team.  There should be a clear policy for applying patches and updates, acceptable use policies and backup plans.  This is all proactive.  The reactive side to incident response planning will detail specific procedures in the event of some form of incident occurring.  This can include a range of issues such as network intrusion, denial of service attacks, network outage, malware attacks, server crashes, web server attacks, physical interference, fire, flooding… the list is virtually endless.

In this post, I focus on Malware which can be hugely impactive, costly and disruptive.  The very worst attacks can destroy an entire network if not managed correctly.

What is Malware?

There are different categories of malware which can include:

Viruses – Self replicating code that copies itself into host programs or data files.  They can attack the operating system and also applications.

Worms – Self replicating code, however a worm is a self-contained program that executes without user intervention.  They do not require any host program in order to spread.

Trojan Horses – Self contained code, but it does not self-replicate.  They often deliver other attack tools to systems.  Commonly these malicious files are distributed via social engineering attacks, where users are tricked/persuaded into executing them.  It may appear to a victim that there has been no affect.

Ransomware – This holds a computer system captive whilst demanding a ransom.  It locks and encrypts all files on the system, and often displays a message demanding payment in a Cryptocurrency.  It provides a deadline to the user.  The attackers state they will release the encryption keys if the payment is made in time, however if payment is not received the encryption key is deleted.

Rootkit – this allows remote access and control to the victims computer without detection by the user.  Attackers can remotely execute files, steal information, modify system settings and almost anything they wish.

Bots and Botnet – a computer that is infected with malware can become part of a Botnet (a network of bots) where they are commonly used in large scale DDoS attacks.

Incident Planning and Response

Preparation – as stated previously, planning and preparing for an incident is vital.  If you’ve not done this and you do suffer an incident, you will seriously feel the consequences, particularly if valuable, private and sensitive information is stolen or deleted.  Training for users should be regular and awareness increased.  Things such as regular reminders from IT about not clicking on links, opening attachments from outside the business, posters up in the corridors, anything that will help to reinforce the message.  A response plan should also be drafted and tested.  Testing to different levels as well, peer reviews are beneficial.  Performing drills with your team to create a test exercise can expose issues with the plan.  Regular patching of the system, updates, version checks and an awareness of the security landscape is a must.  Baseline images to be ready in the event that machines have to be reset or repaired.

Detection and Analysis – Using anti virus software, end point protection and firewalls can assist in detection.  Security staff who are familiar with the systems can spot abnormalities, such as high levels of traffic through an odd port, or lots of activity outside of office hours.  Use toolkits to scan devices for malware, identifying running processes, check autoruns, scheduled tasks, registry changes and activity through ports for any unusual traffic.

Containment – Isolation of a device, particularly end points is an easy win and can help prevent further spreading of the malware.  The use of VLANs can help segregate parts of the network.  Shutting down services and ports which are not business critical and adjusting firewall egress/ingress settings is a good approach.  Identify if the malware is on the wire, moving around the system, or is it contained within one machine.

Eradication and Recovery – Resetting machines and destruction of hard drives in the most severe cases.  Restore the confidentiality, integrity and data on the infected systems.  Use known good backups to restore the network to a healthy state.  Update IDS/IPS and SIEM systems and also conduct research on the malware to try to establish further information about it.

Report – this is critical, points to learn from and improvements for next time. Recommendations for changes of the incident response plan.  Document the incident, how it began, the scale, who dealt with it, which hosts were affected, what services, financial impact, loss suffered to the business, was the incident made public?

Final Thoughts

Once again, planning is key and so too is user awareness.  Malware infections often spread via emails, from attachments, external and malicious links and USB sticks being plugged in.  Some of these can be enforced through good security hygiene.  Consider what is proportionate within your business and take measures now in order to reduce the chance of issues at a later date.