Over 300 million pieces of malware are produced each and every year, a number that is steadily on the rise with no end in sight. Organizations must prepare ahead of time by fortifying their cyber security incident response strategies, not only to detect malware but to stop it in its tracks as quickly and effectively as possible.
Once the incident is identified, quarantine the affected device and perform the mitigation actions aligned with the organization's best practices. In response to an alert about suspected malware, the following workflow kicks off.
1. Get the md5 and name of the suspect file and send it to a known-malware database (such as VirusTotal).
   a. If the md5 and file name match known malware, jump to step 3.
2. Get the file and send it to a sandbox for analysis.
   a. If the sandbox result confirms the infected file's ability to communicate laterally or externally, jump to step 2c.
   b. Jump to step 3.
   c. Move the computer to an isolated vLAN.
   d. Update the end user that their computer was infected and is under investigation.
   e. Search the reputation DB for the destination IP. If the destination IP is a known malware or threat source, update the ACL to block any future connections to this destination.
3. Scan all the computers on the network (plus the isolated one) for the files and process from step 2.
4. Search the SIEM (or end systems if no SIEM is available) for other potential servers that might have made contact with or communicated with the threat source identified in 2e.
5. If additional computers are found with the files, perform steps 2c-2d for each infected computer.
6. Update the antivirus software block list with the file name and md5 to block any future attacks.
7. Update the monitor list to include connections to the destination IP identified in step 2e, in case dormant malware wakes up to affect additional systems in the future.
8. Kill the malware process matched in step 3 as part of the remediation actions.
9. Delete the files matched in step 3 as part of the remediation actions.
10. Make sure that no new connections to the destination IP were established from the isolated computers in the identified vLAN.
    a. If no new connection started after step 8, add the computer back to the organization's network and update the users that they can now return to their normal work.
    b. If a new connection started:
       1. If from a computer in the isolated vLAN, check which process started the connection, kill it, and return to step 10.
       2. If from a computer not in the isolated vLAN, move the computer to the isolated vLAN and jump back to step 8.
11. Search the SIEM (or end systems if no SIEM is available) for the first match of the file name and log it as the source for reporting and documentation purposes.
12. Create a list of users whose systems were affected by the malware in step 3.
13. Create the report, which contains:
    - Malware file name.
    - Malware md5.
    - Malware starting process.
    - Actions taken (steps 2c-2e, i, 6-9).
    - List of infected computers (steps 3, 5).
    - End communication (step 2e, if it exists).
    - List of all users infected by the malware (step 12).

- Report: as identified in step 13.
- Verification: as shown above in steps 1-4.
- Human in the loop gathering information: steps 1-5, 11-12.
- Actions: steps 2c-2e, 6-9.
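The workflow above carried through in code, as an added Python example that is not eyeShare's or the author's: the hash database, sandbox verdict, reputation list, endpoint scan results, SIEM export, host names and users are all constructed stand-ins, and 203.0.113.7 is a documentation-range address. It exercises both branches of step 1 (a known hash skips the sandbox; an unknown hash is sandboxed and, when it beacons, isolated) and produces the fields the step-13 report needs, plus the step-10 check for hosts still talking to the destination IP.

```python
import hashlib

SAMPLE_A = b"constructed sample A: already listed in the malware DB"   # all data below is constructed
SAMPLE_B = b"constructed sample B: unknown hash that the sandbox sees beaconing"
KNOWN_MALWARE_DB = {("dropper.exe", hashlib.md5(SAMPLE_A).hexdigest())}                     # step 1
SANDBOX = {hashlib.md5(SAMPLE_B).hexdigest(): {"beacons": True, "dest_ip": "203.0.113.7"}}  # step 2
REPUTATION_DB = {"203.0.113.7"}                                         # step 2e (documentation-range IP)
ENDPOINT_SCAN = {"ws-01": {"dropper.exe"}, "ws-02": set(), "ws-03": {"dropper.exe"}}   # step 3 results
SIEM_LOGS = [  # constructed SIEM export used in steps 4, 11 and 12
    "ts=1 host=ws-01 user=alice dst=203.0.113.7 file=dropper.exe",
    "ts=2 host=ws-02 user=bob dst=198.51.100.9 file=notes.txt",
    "ts=3 host=ws-03 user=carol dst=203.0.113.7 file=dropper.exe",
    "ts=4 host=ws-04 user=dave dst=203.0.113.7 file=-",
]

def parse_log(line):
    return dict(kv.split("=", 1) for kv in line.split())
def isolate(host, rep):  # steps 2c-2d: quarantine VLAN plus user notification, idempotent
    if host not in rep["isolated"]:
        rep["isolated"].add(host)
        rep["actions"].append(f"quarantine {host} and notify user")

def run_playbook(host, file_name, file_bytes):
    md5 = hashlib.md5(file_bytes).hexdigest()
    rep = {"file": file_name, "md5": md5, "dest_ip": None, "actions": [], "isolated": set()}
    if (file_name, md5) not in KNOWN_MALWARE_DB:           # step 1a: a known hash skips the sandbox
        verdict = SANDBOX.get(md5, {"beacons": False})     # step 2
        if verdict["beacons"]:                             # step 2a -> 2c-2e
            isolate(host, rep)
            rep["dest_ip"] = verdict["dest_ip"]
            if rep["dest_ip"] in REPUTATION_DB:
                rep["actions"].append(f"ACL block {rep['dest_ip']}")
    logs = [parse_log(l) for l in SIEM_LOGS]
    infected = {h for h, files in ENDPOINT_SCAN.items() if file_name in files}  # step 3
    if rep["dest_ip"]:                                                         # step 4
        infected |= {r["host"] for r in logs if r["dst"] == rep["dest_ip"]}
    for h in sorted(infected):                                                 # step 5
        isolate(h, rep)
    rep["actions"].append(f"AV blocklist {file_name} {md5}")                   # step 6
    if rep["dest_ip"]:
        rep["actions"].append(f"monitor connections to {rep['dest_ip']}")      # step 7
    rep["actions"].append(f"kill and delete {file_name} on {len(infected)} hosts")  # steps 8-9
    first = next((r for r in logs if r["file"] == file_name), None)            # step 11
    rep.update(source=first["host"] if first else None, infected=infected,     # steps 12-13 inputs
               users={r["user"] for r in logs if r["host"] in infected})
    return rep

def still_beaconing(rep, post_remediation_logs):
    """Step 10: hosts still reaching dest_ip after steps 8-9 must go back through 10b."""
    return {r["host"] for r in map(parse_log, post_remediation_logs) if r["dst"] == rep["dest_ip"]}
```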
The eyeShare product can be quickly and easily integrated with any of the following security tools for implementation of a malware management playbook:
Make the immediate response, remediation, and mitigation of malware incidents a breeze with automated cyber security incident response. Click here to download your free trial and start leveraging this powerful and highly effective playbook for your own business today.
A Strong Defense
History has proven that when it comes to cyber security, the best offense is always a strong defense. Automation can provide the missing link to create a more solid, proactive incident response strategy that will minimize the impact potential threats can have on your organization’s assets.
The right playbook will orchestrate and automate the management of suspected malware-related security incidents. Affected devices are immediately and automatically identified and quarantined, which helps to prevent the lateral and upward expansion of the targeted infection.
In other words, an automated cyber security incident response playbook stops the spread of the virus before it can do any more damage – and all without the need for any human intervention. It can also aid in the development of best practices and implementation of a more proactive approach to cyber security that will block future attacks from occurring in the first place.
The unique value proposition of an automated cyber security incident response playbook is multi-faceted and includes, but is not limited to, the following benefits:
- Faster Response Time and Greater Scalability: With eyeShare™ orchestration and automation, time to response is much faster, achieving successful quarantine and remediation in just minutes, a task that would otherwise take hours.
- Productivity and Reduced Risk: With automated remediation, the playbook also delivers intangible benefits like reduced risk to critical data on a privileged user device. Since turnaround time is a fraction of manual remediation processes, time to productivity is also much faster.
- Enhanced Control: Analysts remain in the loop with full visibility and control over the automated incident response process.
- Error Reduction: Automation can drastically reduce human errors, and in some cases, eliminate them altogether.
- Better Resource Allocation: With automation of malware incidents, the security analyst team can now focus on other complex threats.
- Full Documentation for Governance and Reporting: eyeShare™ automation can document and log each step taken by a playbook to remediate an incident, for reporting and management dashboards.