Incident-specific playbooks provide incident managers and stakeholders with a consistent approach to follow when remediating a cyber incident. Playbooks describe the activities of those directly involved in managing specific cyber incidents.
The purpose of the Malware Playbook is to define the activities that should be considered when detecting, analyzing, and remediating a malware incident. The playbook also identifies the key stakeholders that may be required to undertake these specific activities.
1. Preparation
Preparation objectives:
The preparation phase has the following objectives:
- Prepare to respond to cyber security incidents in a timely and effective manner;
- Prepare organizational assets for malware outbreak;
- Inform employees of their role in remediating a malware incident including reporting mechanisms.
Activities may include, but are not limited to:
- Determine the members of the Cybersecurity Incident Response Team (CSIRT) and extended CSIRT members.
- Review and rehearse cyber incident response procedures including technical and business roles and responsibilities, and escalation to major incident management where necessary.
- Ensure appropriate access to any necessary documentation and information, including out-of-hours access, Network Architecture Diagrams, Data Flow Diagrams, etc.
- Define escalation paths.
  - Incidents may start as events, or at a lower impact/severity, and then increase as more information is gathered. Establishing an escalation path is critical to success.
- Define Threat and Risk Indicators and Alerting patterns within the organization’s security information and event management (SIEM) solution.
- Conduct regular awareness campaigns to highlight information security risks faced by employees.
- Evaluate and secure critical system backups.
  - During the initial stages of any incident, evaluate and confirm that backups are secure and not impacted by the incident.
2. Identification
Identification or Detection objectives:
The detection phase has the following objectives:
- Detect and report a breach or compromise of the confidentiality, integrity, or availability of organizational data;
- Complete initial investigation of the malware;
- Report the malware formally to the correct team as a cyber incident.
Activities may include, but are not limited to:
- Common signs of malware infection may include:
  - Significant decrease in device performance
  - Inexplicably high CPU/disk usage
  - Unknown program/service running in the background
  - Inexplicable device behavior
  - Unknown applications installed on devices
  - Unexplained internet activity (suspicious search results, browsers with unknown extensions)
- Monitor detection channels, both automatic and manual, and customer and staff channels, for the identification of a malware attack, including:
  - Monitor and review the output of critical SIEM alerts and dashboards;
  - Anti-malware system notifications to the IT team;
  - User notification to the Service Desk;
  - Any other notification that raises suspicion of a malware incident.
- Collate initial incident data, including as a minimum the following:
  - A timeline of when the malware was first detected, and other significant events.
  - Whether the malware was detected by the anti-malware solution, or identified through other means.
  - The probable scope of the infection, in terms of the systems and/or applications affected.
  - Whether the malware appears to be spreading across the infrastructure.
  - The probable nature of the malware infection, if known.
  - Whether the anti-malware solution has successfully quarantined/cleansed the infection.
  - Likely containment options (e.g. on the basis of publicly available information, for known malware).
- Triage, report, and escalate the incident
If the likelihood that this is a true malware incident is high, isolate infected systems as soon as possible.
- DO NOT power off machines, as forensic artifacts may be lost.
- Preserve the system(s) for further forensic investigation including log review, MFT analysis, deep malware scans, etc.
3. Analyze
Analyze objectives:
The analysis phase has the following key objectives:
- Analyze the cyber incident to uncover the scope of the attack;
- Identify and report potentially compromised data and the impact of such a compromise;
- Establish the requirement for a full forensic investigation;
- Develop a remediation plan based upon the scope and details of the cyber incident.
Activities may include, but are not limited to:
- Investigate the malware to determine if it is running under a user context.
  - If so, disable this account (or accounts if multiple are in use) until the investigation is complete.
- Execute the malware in a secure environment or sandbox, segregated from the business network, to determine its behavior on a test system, including created files, launched services, modified registry keys, and network communications.
- Likely containment options (e.g. on the basis of publicly-available information, for known malware).
- Scope the attack.
  - A timeline of when the malware was first detected, and other significant events.
  - Whether the malware was detected by the anti-malware solution, or identified through other means.
  - The probable scope of the infection, in terms of the systems and/or applications affected.
  - Whether the malware appears to be spreading across the infrastructure.
  - The probable nature of the malware infection, if known.
  - Whether the anti-malware solution has successfully quarantined/cleansed the infection.
- Determine the first appearance of the malware.
- Determine the user first impacted by the malware.
- Investigate all available log files to determine the initial date and point of infection.
- Analyze all possible vectors for infection.
  - Focus on known delivery methods discovered during malware analysis (email, PDF, website, packaged software, etc.).
- Analyze the malware to determine characteristics that may be used to contain the outbreak.
  - If available, use a sandboxed malware analysis system to perform the analysis.
    - Note: Network connectivity should not be present for this sandbox system except in very rare circumstances. Network activity from malware may be used to alert an attacker of your investigation.
  - Observe any attempts at network connectivity, and note these as Indicators of Compromise (IoCs).
  - Observe any files created or modified by the malware, and note these as IoCs.
  - Note where the malware was located on the infected system, and record this as an IoC.
  - Preserve a copy of the malware file(s) in a password-protected zip file.
  - Use the PowerShell “Get-FileHash” cmdlet to get the SHA-256 hash value of the malware file(s).
    - This hash may also be used to search for community information regarding this malware (e.g. VirusTotal, Hybrid-Analysis, Cisco Talos, etc.).
    - Additional hash values (SHA1, MD5, etc.) may be gathered to better suit your security tools.
    - Note these hash values as IoCs.
- Use all IoCs discovered to search any available tools in the environment to locate additional infected hosts.
- Use all information and IoCs available to determine if the malware is associated with further attacks.
  - For example, Emotet, Trickbot, and Qakbot are often involved in Ryuk ransomware attacks.
  - If further attacks are associated, gather all additional information available on these attacks to further the investigation.
- Review affected infrastructure for indicators of compromise derived from the malware analysis to identify any additional compromised system(s).
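The hashing and IoC-search steps above, sketched in PowerShell as an added example (it is not part of the original playbook or its listed resources). The function names `Get-SampleIoc` and `Find-IocMatch` and the demo folder are hypothetical, and a constructed harmless file stands in for the preserved sample.

```powershell
# Added example. Function names and the demo folder are hypothetical.
function Get-SampleIoc {
    # Record location, timestamps and hash IoCs for each preserved sample file.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -ErrorAction Stop
        [pscustomobject]@{
            OriginalPath = $item.FullName          # file location is itself an IoC
            SizeBytes    = $item.Length
            CreatedUtc   = $item.CreationTimeUtc
            ModifiedUtc  = $item.LastWriteTimeUtc
            SHA256       = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            SHA1         = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
            MD5          = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        }
    }
}

function Find-IocMatch {
    # Hash every file under $Root and report those whose SHA-256 is a known IoC.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string[]]$Sha256
    )
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $Sha256) { [void]$known.Add($h) }
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Unreadable or locked files yield no hash and are skipped.
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h -and $known.Contains($h.Hash)) {
                [pscustomobject]@{ Computer = [System.Environment]::MachineName; Path = $h.Path; SHA256 = $h.Hash }
            }
        }
}

# Constructed, harmless stand-in for a sample so the example runs offline.
$case = Join-Path ([System.IO.Path]::GetTempPath()) 'ir-case-demo'
$scan = Join-Path $case 'hostdata'
New-Item -ItemType Directory -Path $scan -Force | Out-Null
Set-Content -LiteralPath (Join-Path $case 'sample.bin') -Value 'constructed benign content'
Copy-Item -LiteralPath (Join-Path $case 'sample.bin') -Destination (Join-Path $scan 'copy.tmp')
$iocs = Get-SampleIoc -Path (Join-Path $case 'sample.bin')
$iocs | Export-Csv -LiteralPath (Join-Path $case 'iocs.csv') -NoTypeInformation
Find-IocMatch -Root $scan -Sha256 $iocs.SHA256
```

The last call reports `copy.tmp` as a match because its SHA-256 equals that of the stand-in sample; a hash sweep only finds byte-identical copies, so the path and network IoCs still need their own searches.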
4. Containment
Containment objectives:
Contain the effects of the malware on the targeted systems.
Activities may include, but are not limited to:
- Suspend the login credentials of suspected compromised accounts. If additional accounts have been discovered to be involved or compromised, disable those accounts.
- Implement any temporary network rules, procedures and segmentation required to contain the malware. Determine whether the malware appears to be attempting to communicate with outside parties (e.g. attempting to connect to botnet command and control servers on the public internet), and take steps to block any such communication.
- Add IoCs (such as hash value) to endpoint protection.
- Initiate an estate-wide anti-malware scan.
- Set to block and alert upon detection.
- Submit hash value to community sources to aid in future detection.
- Use the information about the initial point of entry gathered in the previous phase to close any possible gaps.
- Identify the infected asset(s) and physically disconnect them from the network, replacing disconnected devices with fresh builds (ensuring they first have relevant updates applied). Once the IoCs discovered in the Identification phase have been used to find any additional hosts that may be infected, isolate these devices as well.
4. Eradicate
Eradicate objectives:
Eradicate the malware from the network through agreed mitigation measures.
Activities may include, but are not limited to:
- Complete an automated or manual removal process to eradicate malware or compromised executables using appropriate tools.
- Conduct a restoration of affected networked systems from a trusted backup.
- Continue to monitor for signatures and other indicators of compromise to prevent the malware attack from re-emerging.
5. Recovery
Recovery objectives:
Recover affected systems and services back to a Business As Usual (BAU) state.
Activities may include, but are not limited to:
- Recover systems based on business impact analysis and business criticality.
- Remediate any vulnerabilities and gaps identified during the investigation.
- Complete malware scanning of all systems, across the estate.
- Reset the credentials of all involved system(s) and user accounts.
- Restore any corrupted or destroyed data.
- Restore any suspended services.
- Restore impacted systems from a clean backup, taken prior to infection if these backups are available.
- For systems not restorable from backup, rebuild the machines from a known good image or from bare metal.
- Establish monitoring to detect further suspicious activity.
- Co-ordinate the implementation of any necessary patches or vulnerability remediation activities.
6. Post-incident
Post-incident objectives:
- Complete an incident report including all incident details and activities;
- Complete the lessons identified and problem management process;
- Publish appropriate internal and external communications.
Activities may include, but are not limited to:
Create and distribute an incident report to relevant parties. Draft a post-incident report that includes the following details as a minimum:
- Details of the cyber incident identified and remediated across the network to include timings, type and location of incident as well as the effect on users;
- Activities that were undertaken by relevant resolver groups, service providers and business stakeholders that enabled normal business operations to be resumed;
- Recommendations where any aspects of people, process or technology could be improved across the organisation to help prevent a similar cyber incident from reoccurring, as part of a formalised lessons identified process.
Conduct a meeting after the incident to discuss the following:
- Sharing lessons identified with the wider stakeholders where relevant.
- Do modifications need to be made to any of the following:
  - Network segmentation
  - Firewall configuration
  - Application security
  - Operating System and/or Application patching procedures
  - Employee, IT, or CSIRT training
- What things went well during the investigation?
- What things did not go well during the investigation?
- What vulnerabilities or gaps in the organization’s security status were identified?
  - How will these be remediated?
- What further steps or actions would have been helpful in preventing the incident?
Resources:
- FRSECURE Malware Outbreak
- CSR Singapore
- Canadian Centre for Cyber Security
- Cyber Incident Response, Scottish Government