Ransom Playbook

Uploaded by ahmethan3572

Preparation objectives:

The preparation phase has the following objectives:

 Prepare to respond to cyber security incidents in a timely and effective manner;
 Prepare organizational assets for a malware outbreak;
 Inform employees of their role in remediating a malware incident, including reporting mechanisms.

Activities may include, but are not limited to:

 Determine the members of the Cybersecurity Incident Response Team (CSIRT) and extended CSIRT members.
 Review and rehearse cyber incident response procedures, including technical and business roles and responsibilities, and escalation to major incident management where necessary.
 Ensure appropriate access to any necessary documentation and information, including out-of-hours access, network architecture diagrams, data flow diagrams, etc.
 Define escalation paths.
o Incidents may start as events, or at a lower impact/severity, and then increase as more information is gathered. Establishing an escalation path is critical to success.
 Define threat and risk indicators and alerting patterns within the organization's security information and event management (SIEM) solution.
 Conduct regular awareness campaigns to highlight information security risks faced by employees.
 Evaluate and secure critical system backups.
o During the initial stages of any incident, evaluate and confirm that backups are secure and not impacted by the incident.
Identification or detection objectives:

The detection phase has the following objectives:

 Detect and report a breach or compromise of the confidentiality, integrity, or availability of organizational data;
 Complete the initial investigation of the malware;
 Report the malware formally to the correct team as a cyber incident.

Activities may include, but are not limited to:

 Common signs of malware infection may include:
o Significant decrease in device performance
o Inexplicably high CPU/disk usage
o Unknown program/service running in the background
o Inexplicable device behaviour
o Unknown application installed on devices
o Unexplained internet activity (suspicious search results, browsers with unknown extensions)
 Monitor detection channels, both automatic and manual, customer and staff channels, for the identification of a malware attack, including:
o Monitor and review the output of critical SIEM alerts and dashboards;
o Anti-malware system notifications to the IT team;
o User notifications to the Service Desk;
o Any other notification that raises suspicion of a malware incident.
 Collate initial incident data, including as a minimum the following:
o A timeline of when the malware was first detected, and other significant events.
o Whether the malware was detected by the anti-malware solution, or identified through other means.
o The probable scope of the infection, in terms of the systems and/or applications affected.
o Whether the malware appears to be spreading across the infrastructure.
o The probable nature of the malware infection, if known.
o Whether the anti-malware solution has successfully quarantined/cleansed the infection.
o Likely containment options (e.g. on the basis of publicly available information, for known malware).
 Triage, report, and escalate the incident.
o If the likelihood that this is a true malware incident is high, isolate the infected systems as soon as possible.
 DO NOT power off machines, as forensic artifacts may be lost.
 Preserve the system(s) for further forensic investigation, including log review, MFT analysis, deep malware scans, etc.
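The "do not power off, preserve the system" step above is easier to honour if volatile state is captured before the host is isolated. The following PowerShell is an added example, not part of the playbook; the case id and the C:\IR output folder are placeholders, and it assumes an elevated session on the suspect Windows host.

```powershell
# Added example (not part of the playbook): capture volatile evidence from a
# suspected host BEFORE it is isolated, without powering it off.
# Run in an elevated PowerShell session; case id and output folder are assumptions.
$Case   = 'IR-CASE-PLACEHOLDER'                 # placeholder case id
$OutDir = "C:\IR\$Case\$env:COMPUTERNAME"       # assumed evidence location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Timeline anchor: when collection ran, on which host, and by whom.
"$(Get-Date -Format o) $env:COMPUTERNAME $env:USERNAME" | Out-File "$OutDir\collected.txt"

# Running processes with image path, start time and owner (an unknown program
# or service running in the background is one of the signs listed above).
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, StartTime, UserName |
    Export-Csv "$OutDir\processes.csv" -NoTypeInformation

# Live TCP connections, joined to the owning process name.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Export-Csv "$OutDir\netconns.csv" -NoTypeInformation

# Services and enabled scheduled tasks (common persistence locations).
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName, StartName |
    Export-Csv "$OutDir\services.csv" -NoTypeInformation
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, State, @{n='Action'; e={ ($_.Actions.Execute -join ' ') }} |
    Export-Csv "$OutDir\tasks.csv" -NoTypeInformation

# Run/RunOnce autostart entries for the machine and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) { Get-ItemProperty -Path $k | Out-File "$OutDir\autoruns.txt" -Append }
}

# Hash the collected files so the evidence can later be shown to be unaltered.
Get-ChildItem $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash | Export-Csv "$OutDir\evidence-hashes.csv" -NoTypeInformation
```

Copy the output folder off the host (and record its hashes in the incident timeline) before the network cable is pulled, since isolation may cut off the path used to retrieve it.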
Analysis objectives:

The analysis phase has the following key objectives:

 Analyze the cyber incident to uncover the scope of the attack;
 Identify and report potentially compromised data and the impact of such a compromise;
 Establish the requirement for a full forensic investigation;
 Develop a remediation plan based upon the scope and details of the cyber incident.

Activities may include, but are not limited to:

 Investigate the malware to determine if it is running under a user context.
o If so, disable this account (or accounts, if multiple are in use) until the investigation is complete.
 Execute the malware in a secure environment or sandbox, segregated from the business network, to determine its behaviour on a test system, including created files, launched services, modified registry keys, and network communications.
 Identify likely containment options (e.g. on the basis of publicly available information, for known malware).
 Scope the attack.
o A timeline of when the malware was first detected, and other significant events.
o Whether the malware was detected by the anti-malware solution, or identified through other means.
o The probable scope of the infection, in terms of the systems and/or applications affected.
o Whether the malware appears to be spreading across the infrastructure.
o The probable nature of the malware infection, if known.
o Whether the anti-malware solution has successfully quarantined/cleansed the infection.
o Determine the first appearance of the malware.
o Determine the user first impacted by the malware.
o Investigate all available log files to determine the initial date and point of infection.
o Analyze all possible vectors for infection.
 Focus on known delivery methods discovered during malware analysis (email, PDF, website, packaged software, etc.).
 Analyze the malware to determine characteristics that may be used to contain the outbreak.
o If available, use a sandboxed malware analysis system to perform the analysis.
 Note: network connectivity should not be present for this sandbox system except in very rare circumstances. Network activity from malware may alert an attacker to your investigation.
 Observe any attempts at network connectivity and note these as Indicators of Compromise (IoCs).
 Observe any files created or modified by the malware and note these as IoCs.
 Note where the malware was located on the infected system and record this as an IoC.
 Preserve a copy of the malware file(s) in a password-protected zip file.
o Use the PowerShell "Get-FileHash" cmdlet to get the SHA-256 hash value of the malware file(s).
 This hash may also be used to search for community information regarding this malware (e.g. VirusTotal, Hybrid-Analysis, Cisco Talos, etc.).
 Additional hash values (SHA1, MD5, etc.) may be gathered to better suit your security tools.
 Note these hash values as IoCs.
o Use all IoCs discovered to search any available tools in the environment to locate additional infected hosts.
 Use all information and IoCs available to determine if the malware is associated with further attacks.
o e.g. Emotet, Trickbot, and Qakbot are often involved in Ryuk ransomware attacks.
o If further attacks are associated, gather all additional information available on these attacks to further the investigation.
o Review affected infrastructure for indicators of compromise derived from the malware analysis to identify any additional compromised system(s).
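The two hash-related steps above (recording SHA-256/SHA1/MD5 of the preserved samples as IoCs, then using those IoCs to locate additional infected hosts) can be done with Get-FileHash directly. This PowerShell is an added example, not the playbook's own tooling; the quarantine folder, IoC file path and sweep roots are assumptions.

```powershell
# Added example (not part of the playbook): build an IoC hash list from the
# preserved samples, then sweep local paths for files with a matching SHA-256.
# All paths below are assumptions; adjust them to your case folder layout.
$SamplePath = 'C:\IR\Quarantine'                                  # assumed: preserved samples
$IocCsv     = 'C:\IR\ioc-hashes.csv'                              # assumed: IoC list output
$SweepRoots = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp')  # assumed sweep scope

# 1. Hash every preserved sample with the algorithms the playbook lists.
$iocs = foreach ($f in Get-ChildItem -Path $SamplePath -File -Recurse) {
    [pscustomobject]@{
        File   = $f.FullName
        SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SHA1   = (Get-FileHash -Path $f.FullName -Algorithm SHA1).Hash
        MD5    = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
    }
}
$iocs | Export-Csv -Path $IocCsv -NoTypeInformation

# 2. Sweep: compare the SHA-256 of every file under the sweep roots against the
#    IoC set. A HashSet keeps the lookup O(1) even with many indicators.
$known = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$iocs.SHA256, [System.StringComparer]::OrdinalIgnoreCase)

$hits = Get-ChildItem -Path $SweepRoots -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Locked or inaccessible files are skipped rather than aborting the sweep.
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $known.Contains($h)) {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Path = $_.FullName; SHA256 = $h }
        }
    }

# 3. Record matches per host; an empty file still documents that the host was swept.
$hits | Export-Csv -Path "C:\IR\sweep-$env:COMPUTERNAME.csv" -NoTypeInformation
$hits | Format-Table -AutoSize
```

Note that Compress-Archive has no password option, so the password-protected zip the playbook asks for needs a third-party archiver; the hash list above is what gets shared, not the samples.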

Containment objectives:

Contain the effects of the malware on the targeted systems.

Activities may include, but are not limited to:

 Suspend the login credentials of suspected compromised accounts. (If additional accounts have been discovered to be involved or compromised, disable those accounts as well.)
 Implement any temporary network rules, procedures and segmentation required to contain the malware. Determine whether the malware appears to be attempting to communicate with outside parties (e.g. attempting to connect to botnet command and control servers on the public internet), and take steps to block any such communication.
 Add IoCs (such as hash values) to endpoint protection.
o Initiate an estate-wide anti-malware scan.
o Set to block and alert upon detection.
 Submit hash values to community sources to aid in future detection.
 Use the information about the initial point of entry gathered in the previous phase to close any possible gaps.
 Identify the infected asset(s) and physically disconnect them from the network, replacing disconnected devices with fresh builds (ensuring they first have relevant updates applied). Once the IoCs discovered in the Identification phase have been used to find any additional hosts that may be infected, isolate these devices as well.
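The first two containment activities above (suspending compromised accounts and blocking command-and-control traffic) as an added PowerShell example, not part of the playbook. It assumes the ActiveDirectory RSAT module, an elevated session, and uses constructed placeholder account names, case id and RFC 5737 documentation addresses in place of real findings.

```powershell
# Added example (not part of the playbook): containment actions for suspected
# compromised accounts and observed C2 destinations. Every identifier below is a
# constructed placeholder; replace them with the findings from the analysis phase.
# Requires the ActiveDirectory RSAT module and an elevated session.
Import-Module ActiveDirectory

$SuspectAccounts = @('svc-placeholder', 'user-placeholder')   # constructed
$C2Addresses     = @('192.0.2.10', '198.51.100.25')             # constructed (RFC 5737 ranges)
$Ticket          = 'IR-CASE-PLACEHOLDER'                         # placeholder case id

# 1. Suspend the login credentials of suspected compromised accounts. The account
#    description records the case so the change is traceable in the post-incident report.
foreach ($acct in $SuspectAccounts) {
    $u = Get-ADUser -Identity $acct -Properties Description -ErrorAction SilentlyContinue
    if (-not $u) { Write-Warning "Account not found: $acct"; continue }
    Disable-ADAccount -Identity $u
    Set-ADUser -Identity $u -Description "DISABLED $Ticket $(Get-Date -Format s) - $($u.Description)"
    Write-Host "Disabled $acct"
}

# 2. Block communication with the identified command-and-control addresses on
#    this host's Windows Firewall, in both directions, on every network profile.
foreach ($dir in 'Outbound', 'Inbound') {
    New-NetFirewallRule -DisplayName "$Ticket block C2 $dir" -Direction $dir `
        -RemoteAddress $C2Addresses -Action Block -Profile Any -Enabled True | Out-Null
}

# 3. Verify the rules exist and are enabled before reporting containment complete.
Get-NetFirewallRule -DisplayName "$Ticket block C2 *" |
    Select-Object DisplayName, Direction, Action, Enabled
```

Host firewall rules only cover the machine they are applied to; the same addresses should also be blocked at the perimeter and proxy, and the rule names carry the case id so they can be found and removed during recovery.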

Eradication objectives:

Eradicate the malware from the network through agreed mitigation measures.

Activities may include, but are not limited to:

 Complete an automated or manual removal process to eradicate the malware or compromised executables using appropriate tools.
 Conduct a restoration of affected networked systems from a trusted backup.
 Continue to monitor for signatures and other indicators of compromise to prevent the malware attack from re-emerging.

Recovery objectives:

Recover affected systems and services back to a Business As Usual (BAU) state.

Activities may include, but are not limited to:

 Recover systems based on business impact analysis and business criticality.
 Remediate any vulnerabilities and gaps identified during the investigation.
 Complete malware scanning of all systems across the estate.
 Reset the credentials of all involved system(s) and user accounts.
 Restore any corrupted or destroyed data.
 Restore any suspended services.
 Restore impacted systems from a clean backup taken prior to infection, if such backups are available.
 For systems not restorable from backup, rebuild the machines from a known good image or from bare metal.
 Establish monitoring to detect further suspicious activity.
 Co-ordinate the implementation of any necessary patches or vulnerability remediation activities.
Post-incident objectives:

The post-incident activities phase has the following objectives:

 Complete an incident report including all incident details and activities;
 Complete the lessons identified and problem management process;
 Publish appropriate internal and external communications.

Activities may include, but are not limited to:

Create and distribute an incident report to relevant parties. Draft a post-incident report that includes the following details as a minimum:

 Details of the cyber incident identified and remediated across the network, to include timings, type and location of the incident as well as the effect on users;
 Activities that were undertaken by relevant resolver groups, service providers and business stakeholders that enabled normal business operations to be resumed;
 Recommendations where any aspects of people, process or technology could be improved across the organisation to help prevent a similar cyber incident from reoccurring, as part of a formalised lessons identified process.

Conduct a meeting after the incident to discuss the following:

 Sharing lessons identified with the wider stakeholders where relevant.
 Do modifications need to be made to any of the following:
o Network segmentation
o Firewall configuration
o Application security
o Operating system and/or application patching procedures
o Employee, IT, or CSIRT training
 What went well during the investigation?
 What did not go well during the investigation?
 What vulnerabilities or gaps in the organization's security posture were identified?
o How will these be remediated?
 What further steps or actions would have been helpful in preventing the incident?
