Cyberattacks, incidents, and confirmed breaches threaten organizations with financial losses, damage to reputation, and legal or regulatory consequences. An effective incident response plan helps organizations bolster their security programs and address threats more effectively.
This guide outlines best practices to protect data and assets through the phases of an incident response: preparation, detection and analysis, containment, eradication, and recovery.
Preparation
As a first step in any incident response plan, you must prepare your environment for an attack. This means identifying your assets, reviewing threat intelligence and policies, and training your team to detect and respond to malware threats.
The US government agency NIST publishes a comprehensive incident handling guide (SP 800-61) to help you develop an effective plan. It includes detailed guidance on structuring an incident response team, creating a communication plan, and testing your readiness with threat-based scenarios, and it provides an incident handling checklist to assist you in carrying out specific incident response tasks.
To minimize the impact of an incident, you should be prepared to act quickly: identify the infected device, stop it from spreading, contain the infection, eradicate the threat, and recover your systems and data. The ultimate guide to incident response for malware attacks has detailed steps and best practices to mitigate the impact of a ransomware attack, including preparing for an attack and reducing risk by establishing security baselines, strengthening passwords, requiring multi-factor authentication, and updating and patching systems.
In the identification phase, note any unusual files created or modified by the malware and preserve copies in a password-protected archive, so they cannot run accidentally and are not silently deleted by antivirus. Record the SHA-256 hash of each malware file before archiving it, and use the hashes in your search tools to find additional infected hosts.
Detection
When an infection is detected, the first step in incident response for malware attacks is to identify the type of threat and how it got in. To do this, the cybersecurity team must review logs and examine forensically sound images of affected disks and memory.
Many security tools rely on behavioral analytics or signature-based detection to spot threats inside systems and networks. Whichever approach a tool takes, timely detection is what makes the rest of the response possible.
Detection should also include disabling network access to the infected device. This can be done with the quarantine feature of an endpoint detection and response (EDR) solution, by pushing an isolation policy through the corporate domain, VPN, or SASE configuration, or manually. It is also a good idea to put asset tags on all devices and to print the corporate "disaster recovery" phone number on them, so employees can call if they are locked out of their devices or unsure what to do next.
After the identification phase, the next step is to triage affected devices, systems, and data based on business criticality and data sensitivity. Prefer network isolation over powering down: shutting a host off stops lateral movement but destroys volatile evidence in memory, so capture a memory image first where possible. Preserve physical hard disks or solid-state drives and any relevant backups for later forensic investigation.
The goal is to stop infections from becoming full-blown security incidents, which can lead to operational disruptions, financial losses, legal implications, and damage to the organization’s reputation.
Containment
As the first step in containment, security teams identify the compromised systems and begin isolating them from other devices on the network. This may be as simple as unplugging a physical system's Ethernet cable or disconnecting a virtual machine's virtual network adapter. It may be more involved, such as disabling rogue accounts and revoking their credentials, or invalidating session cookies siphoned by infostealer malware.
This step is crucial in preventing malware from spreading to other systems on the network, and it limits lateral movement by cutting off the attacker's access to the compromised machines. Note that isolating a compromised system is not always practical when the system is business-critical: it may mean taking the affected host offline, with impact on users and business operations.
During the containment phase, teams should also identify and remove attackers and malware from systems. This includes removing backdoors, resetting passwords (addressing privileged accounts first, in triaged order), blocking malicious command-and-control IP addresses, domains, and files, and cleaning up threat-actor files, registry entries, scheduled tasks, and other artifacts that maintain persistence. Cached credentials the attacker may have harvested should be treated as compromised and rotated. Teams can use this information to identify the attack's root cause and to build clean replacement systems ready for recovery.
During this stage, teams should follow notification requirements and communicate with internal and external stakeholders as outlined in the cyber incident response and communications plans. This may include notifying managed security service providers, CIOs and IT directors, cyber insurance carriers, and law enforcement (in the US, your local FBI field office, the FBI's Internet Crime Complaint Center (IC3), or your local Secret Service field office).
Eradication
Once detection, analysis, and containment have been completed, the next step in incident response is eradication. With the affected systems already separated and the threat prevented from spreading, the team removes the malware and attacker tooling, and identifies and mitigates the vulnerabilities that were exploited. Eradication is a critical step in incident response, as it eliminates the components of the attack and prevents the same access path from being reused.
For example, eradicating ransomware requires removing the ransomware binaries, scheduled tasks, and other persistence mechanisms from every affected host, while keeping those hosts isolated until they are confirmed clean. Do not delete the encrypted files themselves: preserve them, since a working decryptor may become available later. Eradication can be a time-consuming process. The good news is that once the ransomware has been eliminated, impacted systems and data can be restored to their pre-infection state from clean backups.
However, eradicating the malware does not address the stolen credentials and session cookies that criminals use to bypass MFA, access critical workforce applications, and steal further information that aids follow-on attacks. That is why malware incident response needs to shift to an identity-centric approach.
Ultimately, the eradication and recovery steps in an effective incident response plan depend on the severity of the breach and how much lost productivity the organization can tolerate. Many organizations engage a cybersecurity partner to help manage security incidents and protect against cyber threats.
Recovery
Recovery can begin only once eradication is complete, that is, once all threats and related activity have been removed from devices and the network. This includes resetting passwords and invalidating any sessions, tokens, and cached credentials the malware may have harvested.
It is also essential to identify any other impacted systems and accounts and take steps to prevent them from accessing enterprise resources. This can include limiting remote access to corporate networks through VPN, SASE, and cloud access security configurations, or disabling affected email accounts.
During this phase, you should also review the results of your identification and containment efforts to establish what happened, when, and how. This review should identify any security controls that failed or underperformed and ensure that they are updated.
The last step of incident response is recovery, which returns systems to their pre-infection state. This includes restoring impacted data and systems from clean backups, where available; backups must predate the compromise and be verified free of the malware before they are used. Prioritize restoring the systems critical to your business operations, and verify that all affected data has been restored.
In this phase, you should also use the IoCs and threat intel gathered so far to find any additional devices that may have been infected and isolate them, which helps prevent further lateral movement. It is also a good idea to set up temporary network rules and procedures and use segmentation to prevent the spread of infection to additional systems in your organization. If an attacker was identified during the identification phase, use threat intel to find any other accounts that were compromised and disable them.
The incident response process described above provides a framework for responding to malware incidents and mitigating the risk of stolen data being sold on the underground market. If you need more specific guidance, several resources can help you create and implement a malware incident response plan for your organization. For example, the National Cyber Security Centre has a planning guide with an incident response checklist and two templates with system commands for specific incident response tasks on Windows and UNIX systems.
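The IoC sweep described above, and the SHA-256 hashing step from the preparation section, can be scripted. The following is an added example written for this article, not code from the article's author or from any tool it names. It streams SHA-256 hashes over a directory tree and matches them against a set of known-bad hashes, then parses proxy log lines and flags clients that contacted known command-and-control domains or IPs. The malware bytes, the indicator values (reserved example domains and TEST-NET addresses), the directory layout, and the log format are all constructed for the demo and are not real indicators.

```python
"""IoC sweep for a malware incident: match file hashes and C2 indicators.

Added example, not code from the original article. The sample, the
indicators and the log lines are constructed so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a dropper body (not a real sample). Its hash is
# computed rather than hard-coded so the indicator always matches the bytes.
SAMPLE_MALWARE = b"MZ\x90\x00 constructed dropper body, not a real sample\n"
SAMPLE_MALWARE_SHA256 = hashlib.sha256(SAMPLE_MALWARE).hexdigest()

# Hypothetical C2 indicators: reserved example domains and TEST-NET addresses.
IOC_DOMAINS = {"update-cdn.example.net", "telemetry.example.org"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed proxy log lines: "timestamp client method destination status".
SAMPLE_PROXY_LOG = [
    "2024-05-02T10:01:03Z 10.0.4.21 GET http://update-cdn.example.net/a.bin 200",
    "2024-05-02T10:01:09Z 10.0.4.22 GET https://www.example.com/ 200",
    "2024-05-02T10:02:44Z 10.0.7.5 CONNECT 203.0.113.45:443 200",
    "2024-05-02T10:03:10Z 10.0.4.21 GET http://intranet.corp.example/ 304",
]

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries don't exhaust memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_hashes(root, ioc_hashes):
    """Walk root; return {path: digest} for every file whose SHA-256 is an IoC."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, don't abort the sweep
            if digest in ioc_hashes:
                hits[path] = digest
    return hits


# Host part of "scheme://host/path" or "host:port"; the scheme is optional.
_HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:\s]+)", re.IGNORECASE)


def dest_host(destination):
    """Extract the lowercase host from a URL or host:port string."""
    m = _HOST_RE.match(destination)
    return m.group(1).lower() if m else None


def sweep_proxy_log(lines, ioc_domains, ioc_ips):
    """Return (client_ip, indicator) for each line whose destination is a known C2."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash mid-sweep
        client, destination = parts[1], parts[3]
        host = dest_host(destination)
        if host in ioc_domains or host in ioc_ips:
            hits.append((client, host))
    return hits


def run_demo():
    """Build a constructed file tree and run both sweeps; returns (hash_hits, log_hits)."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "ProgramData").mkdir()
        Path(root, "ProgramData", "svchost_.exe").write_bytes(SAMPLE_MALWARE)
        Path(root, "readme.txt").write_bytes(b"benign file\n")
        raw = sweep_hashes(root, {SAMPLE_MALWARE_SHA256})
        # key by file name so the result does not depend on the temp directory path
        hash_hits = {os.path.basename(p): d for p, d in raw.items()}
    log_hits = sweep_proxy_log(SAMPLE_PROXY_LOG, IOC_DOMAINS, IOC_IPS)
    return hash_hits, log_hits


if __name__ == "__main__":
    files, conns = run_demo()
    for path, digest in files.items():
        print(f"HASH MATCH {path} {digest}")
    for client, indicator in conns:
        print(f"C2 CONTACT {client} -> {indicator}")
```

A hash match is exact, so a repacked or recompiled variant of the same malware will not be found this way; treat hash sweeps as a fast first pass and pair them with EDR telemetry and behavioral indicators (persistence locations, parent-child process chains) before declaring a host clean. Every host that surfaces here should be isolated as described above, not just recorded.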