In today’s digital environments, a genuine malware infection on an endpoint is a very real threat and poses a significant risk to your organization if it is not handled properly. A fast, orderly response to these incidents is crucial for minimizing the impact and damage of an infection and for protecting sensitive information. The question is not whether an infection will occur, but when. By following a well-established response plan, organizations can help ensure the confidentiality and integrity of their systems and data.
Listed below are some general guidelines and observed industry practices* to help bolster or enhance your existing response plan after an incident has been detected. These guidelines assume a malware incident has already been detected. They are only guidelines; the actual response can and likely will vary depending on current resources, existing policies, and the severity of the infection. DefenseStorm always recommends following your existing incident response plan and processes/procedures for handling compromise and infection.
While we do not promote one solution over any other, we recommend using a sandbox solution to disconnect the host from the network. If none is available, disconnect the host from all network connections. This prevents the malware from spreading or calling home. If you have the ability to quarantine a device via an EDR tool or another method, this offers a workable solution in most cases as well. If none of the above is possible, shut the device down. While forensic evidence may be lost, the protection of your employees, assets, and network is most important.
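The following script is an added example of the last-resort isolation step described above for a Windows endpoint; it is not DefenseStorm's code and is only the fallback when no sandbox or EDR quarantine is available. It captures the volatile network state that disconnecting would destroy, blocks traffic at the host firewall, then disables the physical adapters. The evidence path `C:\IR\<hostname>` is an assumption, and the script must be run locally with administrator rights because it also severs any remote session the responder is using.

```powershell
# Added example (not DefenseStorm's code): manual network isolation of a Windows host.
# Assumes local administrator rights and the built-in NetSecurity/NetAdapter modules.
param(
    [string]$EvidenceDir = "C:\IR\$env:COMPUTERNAME",  # assumed evidence location
    [switch]$DryRun                                    # pass -DryRun to preview only
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Preserve volatile network state BEFORE cutting the link. Active connections,
#    listening ports, the ARP table and the DNS cache are the evidence of where the
#    malware was talking to, and they vanish or go stale once the host is isolated.
Get-NetTCPConnection | Export-Csv "$EvidenceDir\tcp-$stamp.csv"      -NoTypeInformation
Get-NetUDPEndpoint   | Export-Csv "$EvidenceDir\udp-$stamp.csv"      -NoTypeInformation
Get-NetNeighbor      | Export-Csv "$EvidenceDir\arp-$stamp.csv"      -NoTypeInformation
Get-DnsClientCache   | Export-Csv "$EvidenceDir\dns-$stamp.csv"      -NoTypeInformation
Get-NetAdapter       | Export-Csv "$EvidenceDir\adapters-$stamp.csv" -NoTypeInformation

# 2. Block all inbound and outbound traffic on every firewall profile. This is
#    quick to reverse later and leaves the adapters themselves untouched.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block -WhatIf:$DryRun

# 3. Disable every physical adapter that is up, so nothing leaves the host even if
#    a running process tampers with the firewall rules.
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
    Disable-NetAdapter -Confirm:$false -WhatIf:$DryRun

# 4. Record who isolated the host and when, for the incident report.
"$(Get-Date -Format o) host isolated by $env:USERNAME (DryRun=$DryRun)" |
    Add-Content "$EvidenceDir\isolation-log.txt"
```

Run it once with `-DryRun` to see which adapters would be disabled, then without. Keep the evidence directory off the list of locations you wipe during re-imaging; it is the only record of the host's network state at the moment of containment.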
If an email is the source, try to remove it from all inboxes. If a file or file share is the source, delete the file or, at minimum, restrict access to the location where the infection resides. This will help prevent further spread inside your environment.
Depending on the type of compromise or infection, reset passwords for impacted users at a minimum. Depending on the depth of access potential bad actors may have gained, the accounts of compromised individuals should likely be disabled as well.
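As an added example of the credential step above (not DefenseStorm's code), this script resets and disables a list of Active Directory accounts and records what it did. It assumes the RSAT ActiveDirectory module, an operator account permitted to reset passwords and disable users, and a constructed list of sample account names; the log path is also an assumption.

```powershell
# Added example (not DefenseStorm's code): contain compromised AD user accounts.
# Assumes the ActiveDirectory module and sufficient rights in the domain.
Import-Module ActiveDirectory

$ImpactedUsers = @('jdoe', 'asmith')                 # constructed sample SamAccountNames
$LogPath       = 'C:\IR\account-containment.csv'     # assumed evidence location

$results = foreach ($sam in $ImpactedUsers) {
    try {
        $user = Get-ADUser -Identity $sam -Properties LastLogonDate -ErrorAction Stop

        # Set a random password nobody knows. The user will get a new one through
        # the normal help-desk process once the account is re-enabled, so the value
        # is never displayed or stored.
        $bytes = New-Object byte[] 18
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw
        Set-ADUser           -Identity $user -ChangePasswordAtLogon $true
        Disable-ADAccount    -Identity $user

        [pscustomobject]@{
            Time           = Get-Date -Format o
            SamAccountName = $sam
            LastLogonDate  = $user.LastLogonDate
            Action         = 'password reset; disabled; change at next logon'
            Operator       = $env:USERNAME
        }
    }
    catch {
        # Log failures too; an account you could not contain is a finding in itself.
        [pscustomobject]@{
            Time = Get-Date -Format o; SamAccountName = $sam; LastLogonDate = $null
            Action = "FAILED: $($_.Exception.Message)"; Operator = $env:USERNAME
        }
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Format-Table -AutoSize
```

One caveat worth building into the plan: a password reset does not invalidate Kerberos tickets or application sessions that were issued before the reset, so an attacker holding a valid ticket keeps it until it expires. Disabling the account, as the script does, is what stops new tickets from being issued, which is why the text recommends both steps.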
Stopping backups will help ensure that, in the event of a data restore, you are not re-infecting hosts and causing additional clean-up.
Capturing an image of the affected host before remediation will help with post-incident investigation and remediation and give responders an accurate representation of the endpoint to work from. In addition, if data later needs to be recovered from disk, the image serves as a controlled, non-interactive source for acquisition.
Re-imaging is a sure way to remove rootkits and registry entries from machines, along with the hidden persistence that can accompany malware infections. Most consider it the best method to help ensure the infection is eradicated from a host. That being said, policies around data restoration to a newly re-imaged machine should be in place and followed, along with scanning any newly restored device to make sure the backups themselves are not compromised. Remember, using more than one scanning tool or method is seen as a best practice.
Documenting the incident is important. Internal reporting does not necessarily have to be overly technical, but it should answer the basic questions of Who, What, When, Where, Why, and How and add some detail around each one. It serves as a record of what happened, provides a reference if a third party becomes involved, and provides historical context should another similar incident occur. Reviewing the report and evaluating the details allows you to put controls in place, change policies, change software configuration, patch, train, or pursue other remediation efforts to best ensure that the risk of the event happening again is reduced.
After all the above steps have been completed, continue to monitor the host for a minimum of 7 days to look for indicators of re-infection or risky user behavior and address them as needed with the employee or parties involved.
Properly handling malware infections on endpoints is crucial for protecting sensitive information and minimizing damage. Organizations should have a well-defined response plan in place to ensure the confidentiality and integrity of their systems and data.
*These are only suggestions based on industry-observed practices. This list is not exhaustive and is not intended to be a substitute or replacement for any existing policy, procedure, or incident response plan you have in place. DefenseStorm recommends following your existing incident response plan and processes/procedures in place for handling compromise and infection.