Malware Incident Response Plan
I did this Malware Response plan back in 2008. Very few organizations have any response planning in place. Probably (in part) why 50% of all Fortune 500 companies had computers in the huge botnet the fed recently discovered. Comments? Daniel
Content
Malware Incident Response Plan
For
Malicious Software IAE 677 – Fall 2008
By
Daniel Simons
Nov. 18, 2008
1. Preparation: A. Develop an acceptable use policy – An acceptable usage policy explains what company computer assets should and should not be used for. This policy should be distributed to all company employees. Identifying and discouraging activities that are not work related will decrease the likelihood of malware infection. For instance, many of the web sites that host malicious scripts do not typically fall into the category of sites identified as being work related. Other activities which should be banned or closely monitored include peer-to-peer file sharing and instant messaging. Both are breeding grounds for malware and provide methods for users to circumvent security controls. In addition, the majority of files hosted on peer-to-peer file sharing networks are often protected by copyright laws, and may involve legal liability. Using work email systems for personal purposes should also be kept to a minimum, reducing the possibility of users opening unexpected email content, or forwarded messages from friends that may contain harmful attachments. An acceptable usage policy should be drafted to communicate the proper use of business systems. The policy should be carefully reviewed by management and legal counsel to determine the effectiveness and legal implications of the document. The policy will be distributed to all corporate employees. B. Educate end users – It is equally important to provide adequate malware awareness training to end users. Educating users about the dangers of opening unexpected or suspicious email attachments, installing adware supported shareware software, running malicious scripts from insecure web sites, using p2p file sharing, etc., is an essential step to prevent the likelihood of a malware incident from occurring. Computer security
personnel will provide training to end users through a series of group training sessions, through regular email bulletins reminding users about common security threats, and through an as needed basis via the helpdesk incident reporting system. C. Outbreak procedures –An appropriate type of response should be designed for the varying degrees of infection frequency, the role of the infected host in relation to business continuity, and the risk of replication. To meet these goals the detailed chart below will help computer personnel identify the correct response type.
Infection Frequency: Critical Nature of Host: Risk of replication: Response Type:
<1-2% <1-2% <1-2% <1-2% 2%+ 2%+ 2%+ 2%+
Low Low High High Low Low High High
Low High Low High Low High Low High
1 2 2 3 2 2 3 3
The following classified response types provide procedural details to respond to malware outbreaks and will be used by the appropriate computer personnel to address infections: Response Type 1: Helpdesk personnel will contact a representative in the network team to disable network access to the infected host to prevent the opportunity of the malware
infection to further spread throughout the network. (See section 3 – Containment) If a representative of the network team is unavailable the helpdesk personnel will physically disconnect the host from the network. The helpdesk personnel will ensure that the host has current virus definitions, disable system restore, reboot the system in safe mode, and launch a complete scan of the system. In the event that the malware has disabled antivirus protection on the host, the helpdesk representative will use removable media containing antivirus software to run a complete scan of the system. If the threat can’t be removed with either of these methods the system will be backed up and the system will be restored to the corporate image or last complete backup of the system. (See Section 4 – Eradication) The files that are backed up should be scanned on an isolated system and restored once they are determined to be free from infection. (See Section 5 – Recovery) Response Type 2: This response type is typically triggered when multiple users advise the helpdesk of malware infection, or network/host security systems trigger an alert, or when critical services begin functioning improperly. The network team should be contacted immediately to determine how far the malware threat has spread, and how critical the infected hosts are. If the infected hosts are not critical to business mission continuity they should be disconnected from the network via administrative action. Once the risk of propagation has been halted, the response type should be reduced to response type 1. If the infected hosts are critical to business mission continuity, the network team should consult the disaster recovery / business continuity plan and determine how to proceed. The network team should also contact the security team to review the propagation methods and payload factors of the malware. Proper precaution
should be taken to ensure that the threat does not spread to other systems. (See section 3 – Containment) This may include segregating network systems as needed or applying host hardening procedures. Once the risk of propagation has been contained the network team should follow planned failover procedures for migrating services to a hot/warm/cold site or restoring critical systems from backup media as necessary. (See Section 5 – Recovery) Response Type 3 – This response type is only triggered when critical business systems have become infected. The network and security teams should work together closely to identify how the malware spreads and what damaging payload it carries. The primary goal should be to protect critical business information and restore service as soon as possible. Containment of infected systems may require a temporary shutdown of critical services. Vulnerable hosts that have not been infected should be protected by following security advisories to mitigate the risk of infection. (See section 3 – Containment) Once the malware threat has been contained the network team should begin the process of recovery by following planned failover procedures for migrating services to a hot/warm/cold site or restoring critical systems from backup media as necessary. (See Section 5 – Recovery) Once service has been restored any hosts that remain infected should be cleaned by following eradication procedures. (See Section 4 – Eradication) Detection and analysis: A. Install client security software - A corner stone of detecting malware and virus threats is installing host based antivirus protection on all client computer systems. Host based protection relies upon a subscription service from a corporate security firm and detects
malware based on a variety of methods. Traditional antivirus scanners rely on signature based protection. Many modern day security suites provide a variety of detection methods such as network threat protection (IDS), identification of suspicious virus activity (heuristics), and a basic to advanced host firewall. All corporate computer systems should have client security software installed, configured with the latest updates, and have a strategy for retrieving updates in a timely manner. B. Malware and vulnerability awareness –Even with adequate security controls malware may still go undetected due to the colossal number of security threats discovered on a daily basis. The time gap between vulnerability identification and threats that exploit vulnerabilities is narrowing at an alarming basis. Zero day threats are threats that are exploited near the same time that security vulnerabilities are discovered. It is increasingly likely that such threats will outpace security software. To counteract this threat designated computer security personnel should subscribe to and read the latest malware threat and vulnerability advisories. In addition, computer security administrators will deploy and configure one or more hosts, in isolated network segments, with minimal protection for the purpose of providing an easy target for security threats. Such a host is commonly called a honey-pot and is useful in discovering current malware trends and weaknesses in network controls. C. Install network threat detection - In addition to antivirus and anti-spyware software there are a number of other methods to help with early detection of malware threats. Today it is common to find firewalls and other perimeter network security devices that provide a variety of security services, and are often marketed as unified threat
management devices. So called UTM devices have built-in malware detection systems that like traditional antivirus products use subscription services to provide the latest protection against new malware threats. By detecting malware threats at the perimeter, threats can be detected and quarantined before they ever enter the protected network. Security administrators will deploy network threat detection systems to help provide both an early warning system and a first layer of defense against malware threats. D. Configure central reporting - A central reporting system is essential to help provide early warning of a malware threat. Most corporate antivirus solutions provide central reporting that is capable of generating custom reports based on infection outbreaks, antivirus software that is not up-to-date, client systems that are not protected, etc. In addition many central reporting systems can be configured with triggers to warn security administrators when an infection has been detected on a client computer system. Security administrators will ensure that central reporting is configured with triggers to warn if an infection outbreak is occurring and will test the system with a dummy virus file from a security vendor to ensure that reporting is functioning correctly. 2. Containment: Once a malware threat has been carefully analyzed it needs to be effectively contained so that the infection will not continue to spread. The network team and security teams should work together closely to develop a strategy to halt malware propagation. Once the strategy has been outlined the procedures to contain the malware threat should be followed quickly and efficiently. Procedures to contain the threat may include:
A. Disable physical network access: Network access to infected systems should be disabled via administrative action or automatic shutdown of physical network ports. If network administrators are not immediately available, network hosts should be physically disconnected from the network by unplugging network communication cabling from the infected host system. B. Host, service, and application hardening: Vulnerable systems should be protected by applying service, application, and operating system patches as necessary. Additionally it may be help contain the malware threat by applying the latest threat definitions to host and network security software, to ensure that the threat is recognized and eliminated when it attempts to spread to additional systems. (See Section 3 – Eradication) C. Power off infected systems: It may be necessary to shutdown infected workstations and servers. Physically shutting down infected systems will eliminate the possibility for these systems to help spread the malware threat. D. Disable network services: Additionally, it may be necessary to shutdown network services being used by malware propagation engines. To shutdown network services it will likely be necessary to modify host, server, or network firewalls, and network routing devices. 3. Eradication: After analysis and containment of a malware outbreak the threat needs to be removed from all infected hosts. A variety or removal techniques may be employed to ensure that the malware has been eradicated. Procedures to remove the malware may include:
A. Scan with installed anti-malware software – Responders should first disable system restore software, boot into safe mode, and check the threat definition version of installed anti-malware software. If necessary, the latest threat definitions should be downloaded and copied to a removable disk. The removable disk should then be used to update the anti-malware software installed on the infected host. A full scan should be run to attempt to remove the threat. If the attempt is not successful the responder should proceed to the next removal procedure. B. Scan using software on removable media – If the threat can’t be removed using installed anti-malware software, a removable media containing anti-malware software should be used to try to remove the threat. Some removable disks provide boot functionality in the scenario where a host will not boot. Regardless, the boot environment should provide a level of functionality similar to safe mode where only critical operating system services are loaded. This reduces the possibility that the malware will be able to startup at system boot and run in protected memory areas. It may be necessary to try several removal tools to completely eradicate the infection. In the event that removal tools prove unsuccessful, responders should proceed to the next removal procedure. C. Restore from backup media – If the threat is not easily removed using conventional removal methods it may become necessary to restore the system from backup. The system storage containing the threat should be completely erased or overwritten using either a disk wipe utility or a full format. It may also be necessary to wipe the master
boot record for certain kinds of malware threats. With a clean disk the system can be reloaded from backup media. (See section 5 – Recovery) D. Reload operating system – In the event that a backup media set containing a bootable operating system does not exist or does not function correctly, the local disk of the infected host should be erased either with a full format or a disk wipe utility. The operating system can then be reloaded using the installation media. (See section 5 – Recovery) 4. Recovery: After the malware threat has been effectively eradicated from infected hosts the process of restoring the confidentiality, integrity, and availability of system software and data begins. This process may include all of the following procedures: A. Reinstall from installation media – In the event that a malware threat could not be removed it with software tools, and the local disk had to be erased to remove the threat, it may become necessary to reinstall the operating system from installation media. This may come involve loading the operating system from the original installation media or restoring from a base system image. This procedure may also include reinstalling application software if it is not included in your operating system installation media or system image. B. Restore from backup media – Once the system is in a healthy state you should begin restoring program data from backup media. If relevant you it may be necessary to run verification on the data to ensure that it was restored properly.
C. Validate system state – The host should have security software reinstalled and the application software should be tested to ensure that it functions properly. It may be necessary to restore network connectivity prior to testing application software. D. Restore network connectivity – Network communication should be restored to the host by enabling physical network ports and resetting automatic network threat protection measures as necessary. 5. Report: Following successful restoration of host, network, and applications services, security administrators and management should evaluate the effectiveness of security policies and controls, and determine if any changes need to be made. It may be necessary to update the malware response plan, the acceptable use policy, corporate security plans and response measures, etc.
For
Malicious Software IAE 677 – Fall 2008
By
Daniel Simons
Nov. 18, 2008
1. Preparation: A. Develop an acceptable use policy – An acceptable usage policy explains what company computer assets should and should not be used for. This policy should be distributed to all company employees. Identifying and discouraging activities that are not work related will decrease the likelihood of malware infection. For instance, many of the web sites that host malicious scripts do not typically fall into the category of sites identified as being work related. Other activities which should be banned or closely monitored include peer-to-peer file sharing and instant messaging. Both are breeding grounds for malware and provide methods for users to circumvent security controls. In addition, the majority of files hosted on peer-to-peer file sharing networks are often protected by copyright laws, and may involve legal liability. Using work email systems for personal purposes should also be kept to a minimum, reducing the possibility of users opening unexpected email content, or forwarded messages from friends that may contain harmful attachments. An acceptable usage policy should be drafted to communicate the proper use of business systems. The policy should be carefully reviewed by management and legal counsel to determine the effectiveness and legal implications of the document. The policy will be distributed to all corporate employees. B. Educate end users – It is equally important to provide adequate malware awareness training to end users. Educating users about the dangers of opening unexpected or suspicious email attachments, installing adware supported shareware software, running malicious scripts from insecure web sites, using p2p file sharing, etc., is an essential step to prevent the likelihood of a malware incident from occurring. Computer security
personnel will provide training to end users through a series of group training sessions, through regular email bulletins reminding users about common security threats, and through an as needed basis via the helpdesk incident reporting system. C. Outbreak procedures –An appropriate type of response should be designed for the varying degrees of infection frequency, the role of the infected host in relation to business continuity, and the risk of replication. To meet these goals the detailed chart below will help computer personnel identify the correct response type.
Infection Frequency: Critical Nature of Host: Risk of replication: Response Type:
<1-2% <1-2% <1-2% <1-2% 2%+ 2%+ 2%+ 2%+
Low Low High High Low Low High High
Low High Low High Low High Low High
1 2 2 3 2 2 3 3
The following classified response types provide procedural details to respond to malware outbreaks and will be used by the appropriate computer personnel to address infections: Response Type 1: Helpdesk personnel will contact a representative in the network team to disable network access to the infected host to prevent the opportunity of the malware
infection to further spread throughout the network. (See section 3 – Containment) If a representative of the network team is unavailable the helpdesk personnel will physically disconnect the host from the network. The helpdesk personnel will ensure that the host has current virus definitions, disable system restore, reboot the system in safe mode, and launch a complete scan of the system. In the event that the malware has disabled antivirus protection on the host, the helpdesk representative will use removable media containing antivirus software to run a complete scan of the system. If the threat can’t be removed with either of these methods the system will be backed up and the system will be restored to the corporate image or last complete backup of the system. (See Section 4 – Eradication) The files that are backed up should be scanned on an isolated system and restored once they are determined to be free from infection. (See Section 5 – Recovery) Response Type 2: This response type is typically triggered when multiple users advise the helpdesk of malware infection, or network/host security systems trigger an alert, or when critical services begin functioning improperly. The network team should be contacted immediately to determine how far the malware threat has spread, and how critical the infected hosts are. If the infected hosts are not critical to business mission continuity they should be disconnected from the network via administrative action. Once the risk of propagation has been halted, the response type should be reduced to response type 1. If the infected hosts are critical to business mission continuity, the network team should consult the disaster recovery / business continuity plan and determine how to proceed. The network team should also contact the security team to review the propagation methods and payload factors of the malware. Proper precaution
should be taken to ensure that the threat does not spread to other systems. (See section 3 – Containment) This may include segregating network systems as needed or applying host hardening procedures. Once the risk of propagation has been contained the network team should follow planned failover procedures for migrating services to a hot/warm/cold site or restoring critical systems from backup media as necessary. (See Section 5 – Recovery) Response Type 3 – This response type is only triggered when critical business systems have become infected. The network and security teams should work together closely to identify how the malware spreads and what damaging payload it carries. The primary goal should be to protect critical business information and restore service as soon as possible. Containment of infected systems may require a temporary shutdown of critical services. Vulnerable hosts that have not been infected should be protected by following security advisories to mitigate the risk of infection. (See section 3 – Containment) Once the malware threat has been contained the network team should begin the process of recovery by following planned failover procedures for migrating services to a hot/warm/cold site or restoring critical systems from backup media as necessary. (See Section 5 – Recovery) Once service has been restored any hosts that remain infected should be cleaned by following eradication procedures. (See Section 4 – Eradication) Detection and analysis: A. Install client security software - A corner stone of detecting malware and virus threats is installing host based antivirus protection on all client computer systems. Host based protection relies upon a subscription service from a corporate security firm and detects
malware based on a variety of methods. Traditional antivirus scanners rely on signature based protection. Many modern day security suites provide a variety of detection methods such as network threat protection (IDS), identification of suspicious virus activity (heuristics), and a basic to advanced host firewall. All corporate computer systems should have client security software installed, configured with the latest updates, and have a strategy for retrieving updates in a timely manner. B. Malware and vulnerability awareness –Even with adequate security controls malware may still go undetected due to the colossal number of security threats discovered on a daily basis. The time gap between vulnerability identification and threats that exploit vulnerabilities is narrowing at an alarming basis. Zero day threats are threats that are exploited near the same time that security vulnerabilities are discovered. It is increasingly likely that such threats will outpace security software. To counteract this threat designated computer security personnel should subscribe to and read the latest malware threat and vulnerability advisories. In addition, computer security administrators will deploy and configure one or more hosts, in isolated network segments, with minimal protection for the purpose of providing an easy target for security threats. Such a host is commonly called a honey-pot and is useful in discovering current malware trends and weaknesses in network controls. C. Install network threat detection - In addition to antivirus and anti-spyware software there are a number of other methods to help with early detection of malware threats. Today it is common to find firewalls and other perimeter network security devices that provide a variety of security services, and are often marketed as unified threat
management devices. So called UTM devices have built-in malware detection systems that like traditional antivirus products use subscription services to provide the latest protection against new malware threats. By detecting malware threats at the perimeter, threats can be detected and quarantined before they ever enter the protected network. Security administrators will deploy network threat detection systems to help provide both an early warning system and a first layer of defense against malware threats. D. Configure central reporting - A central reporting system is essential to help provide early warning of a malware threat. Most corporate antivirus solutions provide central reporting that is capable of generating custom reports based on infection outbreaks, antivirus software that is not up-to-date, client systems that are not protected, etc. In addition many central reporting systems can be configured with triggers to warn security administrators when an infection has been detected on a client computer system. Security administrators will ensure that central reporting is configured with triggers to warn if an infection outbreak is occurring and will test the system with a dummy virus file from a security vendor to ensure that reporting is functioning correctly. 2. Containment: Once a malware threat has been carefully analyzed it needs to be effectively contained so that the infection will not continue to spread. The network team and security teams should work together closely to develop a strategy to halt malware propagation. Once the strategy has been outlined the procedures to contain the malware threat should be followed quickly and efficiently. Procedures to contain the threat may include:
A. Disable physical network access: Network access to infected systems should be disabled via administrative action or automatic shutdown of physical network ports. If network administrators are not immediately available, network hosts should be physically disconnected from the network by unplugging network communication cabling from the infected host system. B. Host, service, and application hardening: Vulnerable systems should be protected by applying service, application, and operating system patches as necessary. Additionally it may be help contain the malware threat by applying the latest threat definitions to host and network security software, to ensure that the threat is recognized and eliminated when it attempts to spread to additional systems. (See Section 3 – Eradication) C. Power off infected systems: It may be necessary to shutdown infected workstations and servers. Physically shutting down infected systems will eliminate the possibility for these systems to help spread the malware threat. D. Disable network services: Additionally, it may be necessary to shutdown network services being used by malware propagation engines. To shutdown network services it will likely be necessary to modify host, server, or network firewalls, and network routing devices. 3. Eradication: After analysis and containment of a malware outbreak the threat needs to be removed from all infected hosts. A variety or removal techniques may be employed to ensure that the malware has been eradicated. Procedures to remove the malware may include:
A. Scan with installed anti-malware software – Responders should first disable system restore software, boot into safe mode, and check the threat definition version of installed anti-malware software. If necessary, the latest threat definitions should be downloaded and copied to a removable disk. The removable disk should then be used to update the anti-malware software installed on the infected host. A full scan should be run to attempt to remove the threat. If the attempt is not successful the responder should proceed to the next removal procedure. B. Scan using software on removable media – If the threat can’t be removed using installed anti-malware software, a removable media containing anti-malware software should be used to try to remove the threat. Some removable disks provide boot functionality in the scenario where a host will not boot. Regardless, the boot environment should provide a level of functionality similar to safe mode where only critical operating system services are loaded. This reduces the possibility that the malware will be able to startup at system boot and run in protected memory areas. It may be necessary to try several removal tools to completely eradicate the infection. In the event that removal tools prove unsuccessful, responders should proceed to the next removal procedure. C. Restore from backup media – If the threat is not easily removed using conventional removal methods it may become necessary to restore the system from backup. The system storage containing the threat should be completely erased or overwritten using either a disk wipe utility or a full format. It may also be necessary to wipe the master
boot record for certain kinds of malware threats. With a clean disk the system can be reloaded from backup media. (See section 5 – Recovery) D. Reload operating system – In the event that a backup media set containing a bootable operating system does not exist or does not function correctly, the local disk of the infected host should be erased either with a full format or a disk wipe utility. The operating system can then be reloaded using the installation media. (See section 5 – Recovery) 4. Recovery: After the malware threat has been effectively eradicated from infected hosts the process of restoring the confidentiality, integrity, and availability of system software and data begins. This process may include all of the following procedures: A. Reinstall from installation media – In the event that a malware threat could not be removed it with software tools, and the local disk had to be erased to remove the threat, it may become necessary to reinstall the operating system from installation media. This may come involve loading the operating system from the original installation media or restoring from a base system image. This procedure may also include reinstalling application software if it is not included in your operating system installation media or system image. B. Restore from backup media – Once the system is in a healthy state you should begin restoring program data from backup media. If relevant you it may be necessary to run verification on the data to ensure that it was restored properly.
C. Validate system state – The host should have security software reinstalled and the application software should be tested to ensure that it functions properly. It may be necessary to restore network connectivity prior to testing application software. D. Restore network connectivity – Network communication should be restored to the host by enabling physical network ports and resetting automatic network threat protection measures as necessary. 5. Report: Following successful restoration of host, network, and applications services, security administrators and management should evaluate the effectiveness of security policies and controls, and determine if any changes need to be made. It may be necessary to update the malware response plan, the acceptable use policy, corporate security plans and response measures, etc.
