Malware Playbook

The detection phase has the following objectives:

• Detect and report a breach or compromise of the confidentiality, integrity, or availability of organizational data;
• Complete initial investigation of the malware;
• Report the malware formally to the correct team as a cyber incident.

• Common signs of malware infection may include:
  • Significant decrease in device(s) performance
  • Inexplicable high CPU/Disk usage
  • Unknown program/service running in the background
  • Inexplicable device(s) behaviors
  • Unknown application installed on devices
  • Unexplained internet activities (suspicious search results, browsers having unknown extensions)
• Monitor detection channels, both automatic and manual, customer and staff channels for the identification of a malware attack, including:
  • Monitor and review any output of critical SIEM’s alert and dashboard
  • Anti-malware system notifications to the IT team;
  • User notification to the Service Desk;
  • Any other notification that raises suspicion of a malware incident.
• Collate initial incident data including as a minimum for the following;
  • A timeline of when the malware was first detected, and other significant events.
  • Whether the malware was detected by the anti-malware solution, or identified through other means.
  • The probable scope of the infection, in terms of the systems and/or applications, affected.
  • Whether the malware appears to be spreading across the infrastructure.
  • The probable nature of the malware infection, if known.
  • Whether the anti-malware solution has successfully quarantined/cleansed the infection.
  • Likely containment options (e.g. on the basis of publicly-available information, for known malware).
• Triage, report, and escalate the incident

If the percentage of being a true malware incident is high, you should Isolate infected systems ASAP.

• DO NOT power off machines, as forensic artifacts may be lost.
• Preserve the system(s) for further forensic investigation including log review, MFT analysis, deep malware scans, etc.

The analysis phase has the following key objectives:

• Analyze the cyber incident to uncover the scope of the attack;
• Identify and report potentially compromised data and the impact of such a compromise;
• Establish the requirement for a full forensic investigation;
• Develop a remediation plan based upon the scope and details of the cyber incident.

• Investigate malware to determine if it’s running under a user context.
  • If so, disable this account (or accounts if multiple are in use) until the investigation is complete.
• Execute the malware in a secure environment or sandbox, segregated from the business network, to determine its behavior on a test system, including created files, launched services, modified registry keys, and network communications.
• Likely containment options (e.g. on the basis of publicly-available information, for known malware).
• Scope the attack.
  • A timeline of when the malware was first detected, and other significant events.
  • Whether the malware was detected by the anti-malware solution, or identified through other means.
  • The probable scope of the infection, in terms of the systems and/or applications, affected.
  • Whether the malware appears to be spreading across the infrastructure.
  • The probable nature of the malware infection, if known.
  • Whether the anti-malware solution has successfully quarantined/cleansed the infection.
  • Determine the first appearance of the malware.
  • Determine the user first impacted by the malware.
  • Investigate all available log files to determine the initial date and point of infection.
  • Analyze all possible vectors for infection.
    • Focus on known delivery methods discovered during malware analysis (email, PDF, website, packaged software, etc.).
• Analyze the malware to determine characteristics that may be used to contain the outbreak.
  • If available, use a sandboxed malware analysis system to perform the analysis.
    • Note: Network connectivity should not be present for this sandbox system except in very rare circumstances. Network activity from malware may be used to alert an attacker of your investigation.
    • Observe any attempts at network connectivity, note these as Indicators of Compromise (IoCs)
    • Observe any files created or modified by the malware, note these as IoCs.
    • Note where the malware was located on the infected system, note this as an IoC.
    • Preserve a copy of the malware file(s) in a password-protected zip file.
  • Use the PowerShell “Get-FileHash” cmdlet to get the SHA-256 hash value of the malware file(s).
    • This hash may also be used to search for community information regarding this malware (i.e. VirusTotal, Hybrid-Analysis, CISCO Talos, etc.)
    • Additional hash values (SHA1, MD5, etc.) may be gathered to better suit your security tools.
    • Note these hash values as IoCs.
  • Use all IoCs discovered to search any available tools in the environment to locate additional infected hosts.

• Use all information and IoCs available to determine if the malware is associated with further attacks.
  • e. Emotet, Trickbot, and Qakbot are often involved in Ryuk ransomware attacks.
  • If further attacks are associated, gather all additional information available on these attacks to further the investigation.
  • Review affected infrastructure for indicators of compromise derived from the malware analysis to identify any additional compromised system(s).

Contain the effects of the malware on the targeted systems

• Suspend the login credentials of suspected compromised accounts.( If additional accounts have been discovered to be involved or compromised, disable those accounts)
• Implement any temporary network rules, procedures and segmentation required to contain the malware, Determine whether the malware appears to be attempting to communicate with outside parties (e.g. attempting to connect to botnet command and control servers on the public internet), and take steps to block any such communication.
• Add IoCs (such as hash value) to endpoint protection.
  • Initiate an estate-wide anti-malware scan.
  • Set to block and alert upon detection.
• Submit hash value to community sources to aid in future detection.
• Use the information about the initial point of entry gathered in the previous phase to close any possible gaps.
• Identify the infected assets(s) and physically disconnect them from the network Replacing disconnected devices with fresh builds(ensuring they first have relevant updates applied).( Once the IoCs discovered in the Identification phase have been used to find any additional hosts that may be infected, isolate these devices as well.)

• Complete an automated or manual removal process to eradicate malware or compromised executables using appropriate tools.
• Conduct a restoration of affected networked systems from a trusted back up.
• Continue to monitor for signatures and other indicators of compromise to prevent the malware attack from re-emerging.

Recover affected systems and services back to a Business As Usual (BUA) state.

• Recover systems based on business impact analysis and business criticality.
• Remediate any vulnerabilities and gaps identified during the investigation.
• Complete malware scanning of all systems, across the estate.
• Re-set the credentials of all involved system(s) and users account details.
• Restore any corrupted or destroyed data.
• Restore any suspended services.
• Restore impacted systems from a clean backup, taken prior to infection if these backups are available.
• For systems not restorable from backup, rebuild the machines from a known good image or from bare metal.
• Establish monitoring to detect further suspicious activity.
• Co-ordinate the implementation of any necessary patches or vulnerability remediation activities.

• Complete an incident report including all incident details and activities;
• Complete the lessons identified and problem management process;
• Publish appropriate internal and external communications.

The post-incident activities phase has the following objectives:

• Complete an incident report including all incident details and activities;
• Complete the lessons identified and problem management process;
• Publish appropriate internal and external communications.

Create and distribute an incident report to relevant parties, Draft a post-incident report that includes the following details as a minimum:

• Details of the cyber incident identified and remediated across the network to include timings, type and location of incident as well as the effect on users;
• Activities that were undertaken by relevant resolver groups, service providers and business stakeholders that enabled normal business operations to be resumed;

Recommendations where any aspects of people, process or technology could be improved across the organisation to help prevent a similar cyber incident from reoccurring, as part of a formalised lessons identified process.

Conduct a meeting after the incident to discuss the following:

• sharing lessons identified with the wider stakeholders where relevant
• Do modifications need to be made to any of the following:
  • Network segmentation
  • Firewall configuration
  • Application security
  • Operating System and/or Application patching procedures
  • Employee, IT, or CSIRT training
• What things went well during the investigation?
• What things did not go well during the investigation?
• What vulnerabilities or gaps in the organization’s security status were identified?
  • How will these be remediated?
• What further steps or actions would have been helpful in preventing the incident?