7 Steps of a Complete Malware Incident Response Plan


As malware becomes more advanced and prolific, a new approach is necessary to stop infections from becoming full-blown security incidents, like ransomware (an increasingly common follow-on attack leveraging infostealer-siphoned access data). Infostealers have become so sophisticated that not only can they infect systems undetected and steal authentication information, including credentials and web session cookies, but some strains are able to infect a machine, siphon information, and remove themselves in under 10 seconds. With this dissolvable malware, bad actors steal virtually everything that can be used to gain access to enterprise networks, steal and encrypt files, and launch costly ransomware attacks.

To properly remediate the risks associated with malware infections, the response must go beyond wiping the device. Historically, malware infection response has been machine-centric, focusing on identifying the malware, removing the infection, and reimaging the device. However, this approach ignores a major factor in the malware infection itself: addressing the stolen credentials and cookies that allow criminals to bypass MFA, access critical workforce applications, and steal data that aids follow-on attacks.

SOC teams must now take an identity-centric approach to their malware response. Ensuring the device is cleaned and the malware is removed is definitely necessary, but that doesn’t do anything to address the stolen data that ends up being traded and sold on the criminal underground. Taking additional steps that shift your infection response paradigm to one that’s identity-centric can mitigate organizational risk from exposures tied to the malware victim’s identity, and minimize the impact this compromised data and access can have on your business, while also thwarting potential ransomware attacks.

7 Steps to Fully Remediate Malware Infections

The following steps are an addendum to your malware infection response plan to make for a more comprehensive approach to remediation, and can be incorporated into your existing cyber incident response runbooks.

Step 1: Isolate the Device

If the detected infection has occurred on a device your organization manages, disable the network access of the infected endpoint to help prevent potential lateral movement. This access can often be restricted using the quarantine features of an Endpoint Detection and Response (EDR) solution, through the corporate domain, VPN and/or SASE configuration, or may sometimes require an individual to manually disable network access. If your organization uses asset tags on corporate devices, be sure employees know they can call the listed phone number if they are locked out of their device and unsure of what to do. If you don’t use asset tags, incorporate them going forward and be sure they include a corporate “disaster recovery” phone number.

Step 2: Identify the Type, Scope, and Timeline of the Infection

If you have access to the system, it is highly recommended to review endpoint security logs or run a modern antivirus solution to detect the specific malware family involved. Once the malware type has been identified, consult security tools, such as VirusTotal, to confirm the typical behavior of this malware and the risk it brings to your organization.

Modern malware is often immune to traditional methods of identification through Indicators of Compromise (IOCs) like hash values, as executable files are often unique to each victim and Command and Control (C2) infrastructure may be dynamic and rotate quickly. You may also need to include behavior-based detection, such as validated YARA rules, in your detection process.

Many malicious programs will attempt to spread across local domains or networks and infect other devices. Closely review the networked devices and file systems that the user and device had access to, forming an action plan to determine if, and when, the actor attempted to access other corporate resources. If you suspect lateral movement, consider expanding your scope during the isolation process.

Step 3: Create an Image of the Infected System

If this infection becomes a point of concern in a follow-on attack, it will be extremely useful to have an image of the entire system disk. Once the device has been isolated from the network, create a system image. This can be used in follow-on forensic analysis, should it be required.

Step 4: Remove the Malware - If Possible

Use your company-sanctioned detection and remediation tools to remove potentially side-loaded, persistent malware like Cobalt Strike beacons. And while you also have the option of recovering or reinstalling the operating system, it may be best to reformat the hard disk and perform a fresh installation of the operating system or reimage the computer.

Some forms of malware, like the dissolvable, asymptomatic malware we mentioned earlier, are sophisticated and even harder to detect. If this type of infection occurs, the malware may have already removed itself from the device, but you will still need to remediate the exposed user and applications.

Oftentimes, this would be where SOC teams would conclude their actions for tickets related to malware infections. However, Post-Infection Remediation provides a framework of additional steps to existing incident response security protocols, designed to negate opportunities for ransomware and other critical threats by resetting the application credentials and invalidating session cookies siphoned by infostealer malware.

Step 5: Reset Passwords and Usernames for Affected Applications

Ensure the employee signs out of all devices – particularly on corporate applications which may have privileged access into your domain. Ask the employee to use a device that hasn’t been affected by the malware to immediately reset their passwords for applications whose credentials were siphoned by the malware. Advise the employee to never use a compromised password or any variation of it again and be sure to set a unique, complex password for each application (preferably using a company-provided password manager).

For high-profile users, if possible, consider the laborious effort of changing compromised employee SSO usernames. This reduces the impact if that employee later reuses a password already familiar to the threat actor.

Step 6: Invalidate Sessions

In addition to stealing credentials, infostealer malware also siphons device and web session cookies, potentially leaving the victim’s accounts vulnerable to session hijacking through device impersonation. Changing the application password does not guarantee active user sessions or trusted device tokens will be invalidated. It may be necessary to contact the third-party cloud service provider and request that the compromised user sessions be invalidated.

Step 7: Review the Integrity of Impacted Applications

Starting with the list of impacted applications outlined in steps 5 and 6, review all activity and access logs for the associated users within these applications. Confirm all detected activity is coming from expected IP address ranges and geographies, and all behavior fits the expected profile of the user.

Similar analysis should be performed for all associated domain users. Any access to sensitive data, whether it is expected or not, should be closely scrutinized and, if it is determined to be unexpected, should be treated as an incident and run through the company’s cyber incident response process and protocols.
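
The log review described in steps 6 and 7, as an added example that is not part of the original article: it flags application activity from outside the expected IP ranges and sessions that were already in use before a password reset and are still in use after it. The log format, field names, address ranges, user names and reset time are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample values: expected egress ranges (documentation address
# blocks) and the time the affected user's password was reset (step 5).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
RESETS = {"alice": datetime(2024, 3, 1, 10, 0, 0)}

# Constructed access log, hypothetical format: timestamp user source_ip session_id action
SAMPLE_LOG = """\
2024-03-01T08:55:00Z alice 192.0.2.10 sess-A login
2024-03-01T09:20:00Z alice 203.0.113.77 sess-A export_report
2024-03-01T10:05:00Z alice 192.0.2.10 sess-B login
2024-03-01T10:30:00Z alice 203.0.113.77 sess-A read_mailbox
2024-03-01T10:40:00Z alice 192.0.2.10 sess-B read_mailbox
2024-03-01T10:45:00Z bob 198.51.100.4 sess-C login
"""

def parse(log_text):
    """Turn the log lines into event dicts sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, session, action = line.split()
        events.append({"ts": datetime.strptime(ts, TS_FMT), "user": user,
                       "ip": ipaddress.ip_address(ip), "session": session,
                       "action": action})
    return sorted(events, key=lambda e: e["ts"])

def review(events, expected_nets, resets):
    """Flag events from unexpected networks and sessions still used after a reset."""
    first_seen, findings = {}, []
    for e in events:
        # First use inside the log window stands in for session issue time.
        first_seen.setdefault(e["session"], e["ts"])
        reasons = []
        if not any(e["ip"] in net for net in expected_nets):
            reasons.append("unexpected_ip")
        reset = resets.get(e["user"])
        if reset and first_seen[e["session"]] < reset <= e["ts"]:
            reasons.append("session_survived_reset")
        if reasons:
            findings.append((e["ts"].strftime(TS_FMT), e["session"], reasons))
    return findings

if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG), EXPECTED_NETS, RESETS):
        print(finding)
```

A session first used before the start of the log window looks new to this check, so pull logs that reach back before the infection timeline established in step 2.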

The Importance of Post-Infection Remediation as Part of Cyber Incident Response Plans

Optimized remediation enables the SOC to seamlessly and comprehensively neutralize the risk of ransomware that can result from malware exposures, thus addressing a common blind spot in ransomware prevention strategies.

This approach to more complete malware infection response is enabled by SpyCloud Compass. SpyCloud alerts security teams each time a malware infection arises on a device accessing your workforce applications, whether the device is corporate-issued or unmanaged. The alerts deliver definitive evidence of entry points to your organization: detailed information about the infected device, along with the siphoned authentication details for the applications that matter to your business – password managers, security tools, marketing and customer databases, learning and collaboration applications, and HR and payroll systems, to name a few.

Having visibility into data siphoned from employee, vendor and contractor machines infected with infostealers allows SOC teams to effectively close this entry point into their organization, which reduces the enterprise’s risk of ransomware attacks. With Post-Infection Remediation, the required action becomes clear to reset the credentials and invalidate the sessions for every exposed application and user.

By incorporating Post-Infection Remediation as part of your malware-infection response, SOC teams can:

Download the definitive guide on how proper Post-Infection Remediation can help security teams move beyond a false sense of security to true enterprise risk reduction.