Response Plan
For
By
Daniel Simons
company computer assets should and should not be used for. This policy should be distributed to all company employees. Identifying and discouraging activities that are not work related reduces the likelihood of malware infection. For instance, many of the web sites that host malicious scripts do not fall into the category of sites identified as work related. Other activities that should be banned or closely monitored include peer-to-peer file sharing and instant messaging. Both are breeding grounds for malware and give users ways to circumvent security controls. In addition, many of the files hosted on peer-to-peer networks are protected by copyright, and downloading them exposes the company to legal liability. Using work email systems for personal purposes should also be kept to a minimum, reducing the chance of users opening unexpected email content, or forwarded messages from friends that may
communicate the proper use of business systems. The policy should be carefully reviewed by management and legal counsel to determine its effectiveness and legal implications. The policy will be distributed to all corporate employees.
training to end users. Educating users about the dangers of opening unexpected or
malicious scripts from insecure web sites, using peer-to-peer file sharing, etc., is an essential step
through regular email bulletins reminding users about common security threats, and
C. Outbreak procedures – An appropriate response should be designed for the varying degrees of infection frequency, the role of the infected host in business continuity, and the risk of replication. To that end, the chart below helps IT personnel identify the correct response type.
The following response types give the procedural detail for responding to a malware outbreak and are to be used by the appropriate IT personnel to address infections:
Response Type 1: Helpdesk personnel will contact a representative of the network team to disable network access for the infected host so that the malware cannot spread further across the network. (See Section 3 – Containment) If no network team representative is available, helpdesk personnel will physically disconnect the host from the network. Helpdesk personnel will then ensure that the host has current virus definitions, disable System Restore, reboot the system in safe mode, and launch a complete scan of the system. If the malware has disabled the antivirus protection on the host, the helpdesk representative will run a complete scan from removable media containing antivirus software. If the threat cannot be removed by either method, the system will be backed up and then restored to the corporate image or to the last complete backup taken before the infection; a backup taken after the compromise would simply reintroduce the malware. (See Section 4 – Eradication) The backed-up files must be scanned on an isolated system and restored only once they are determined to be free of infection. (See Section 5 – Recovery)
Response Type 2: This response type is typically triggered when multiple users advise
when critical services begin functioning improperly. The network team should be contacted immediately to determine how far the malware has spread and how critical the infected hosts are. If the infected hosts are not critical to business continuity, they should be disconnected from the network by administrative action. Once propagation has been halted, the response should be downgraded to Response Type 1. If the infected hosts are critical to business continuity, the network team should consult the disaster recovery / business continuity plan to determine how to proceed. The network team should also engage the security team to review the malware's propagation methods and payload. Precautions should be taken to ensure that the threat does not spread to other systems. (See section
host hardening procedures. Once propagation has been contained, the network team should follow the planned failover procedures for migrating services to a hot/warm/cold site or restoring critical systems from backup media as necessary. (See Section 5 – Recovery)
Response Type 3: This response type is triggered only when critical business systems have become infected. The network and security teams should work closely together to identify how the malware spreads and what damaging payload it carries. The primary goal should be to protect critical business information and restore service as soon as
services. Vulnerable hosts that have not yet been infected should be protected by following security advisories to mitigate the risk of infection. (See Section 3 – Containment) Once the malware threat has been contained, the network team should begin the process of
hot/warm/cold site or restoring critical systems from backup media as necessary. (See Section 5 – Recovery) Once service has been restored, any hosts that remain infected
A. Install client security software – A cornerstone of detecting malware and virus threats is installing host-based antivirus protection on all client computer systems. Host-based protection relies on a subscription service from a security vendor and detects malware by a variety of methods. Traditional antivirus scanners rely on signature-based detection. Many modern security suites provide a variety of detection
activity (heuristics), and a basic to advanced host firewall. All corporate computer systems should have client security software installed, configured with the latest
B. Malware and vulnerability awareness – Even with adequate security controls, malware may still go undetected because of the enormous number of security threats discovered every day. The time between the identification of a vulnerability and the appearance of threats that exploit it is narrowing at an alarming rate. Zero-day threats exploit a vulnerability before a patch is available, often on the same day it becomes public. It is increasingly likely that such threats will outpace security software. To counteract this, designated computer security personnel should subscribe to and read the latest
administrators will deploy and configure one or more hosts, in isolated network segments, with minimal protection, to provide an easy target for security threats. Such a host is commonly called a honeypot and is useful in discovering
there are a number of other methods to help with early detection of malware threats. Today it is common to find firewalls and other perimeter network security devices that provide a variety of security services and are often marketed as unified threat management devices. So-called UTM devices have built-in malware detection systems that, like traditional antivirus products, use subscription services to provide the latest protection against new malware. By detecting malware at the perimeter, threats can be quarantined before they ever enter the protected network. Perimeter detection has blind spots, however: it cannot inspect encrypted traffic unless that traffic is intercepted, and it does not see threats introduced on removable media or on laptops that were infected outside the perimeter, so it complements host-based protection rather than replacing it. Security administrators will deploy network threat detection systems to provide both an early warning system and a first layer of defense against malware threats.
early warning of a malware threat. Most corporate antivirus solutions provide central
antivirus software that is not up to date, client systems that are not protected, etc. In addition, many central reporting systems can be configured with triggers to warn security
Security administrators will ensure that central reporting is configured with triggers to warn if an infection outbreak is occurring, and will test the system with a dummy virus file
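The Python script below is an added example, not part of the original plan or of any vendor's management console, of the three triggers this section calls for, run over a constructed client status feed: hosts whose definitions are stale, hosts with real-time protection switched off, and an outbreak trigger that fires when the same detection appears on several hosts within a short window (the signal that separates a Response Type 2 outbreak from a single Response Type 1 infection). The pipe-separated report format, the host and threat names, the evaluation time and the thresholds are all assumptions. The "dummy virus file" it returns is the EICAR standard anti-virus test file, the harmless 68-byte string that mainstream scanners are built to flag.

```python
"""Central antivirus reporting triggers over a constructed client status feed.

Added example, not the original plan's code. Report format (assumption):
timestamp | host | definitions date | realtime protection | detection or "-"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed, not real telemetry.
SAMPLE_FEED = """\
2024-03-04T08:00:00|ws-101|2024-03-04|on|-
2024-03-04T08:00:05|ws-102|2024-02-10|on|-
2024-03-04T08:00:09|ws-103|2024-03-03|off|-
2024-03-04T09:12:00|ws-104|2024-03-04|on|Worm.Generic.A
2024-03-04T09:15:30|ws-105|2024-03-04|on|Worm.Generic.A
2024-03-04T09:18:10|ws-106|2024-03-04|on|Worm.Generic.A
2024-03-04T11:40:00|ws-107|2024-03-04|on|Trojan.Downloader.B
2024-03-04T14:02:00|ws-108|2024-03-04|on|Worm.Generic.A
"""

# Time at which the console evaluates the feed (constructed).
REPORT_TIME = datetime(2024, 3, 4, 15, 0)


def parse_feed(text):
    """One dict per client report line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, defs, realtime, detection = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "defs": datetime.fromisoformat(defs).date(),
            "realtime": realtime == "on",
            "detection": None if detection == "-" else detection,
        })
    return events


def stale_definitions(events, now, max_age_days=3):
    """Hosts whose signature set is older than max_age_days at time `now`."""
    cutoff = (now - timedelta(days=max_age_days)).date()
    return sorted({e["host"] for e in events if e["defs"] < cutoff})


def unprotected_hosts(events):
    """Hosts reporting real-time protection disabled (malware often does this)."""
    return sorted({e["host"] for e in events if not e["realtime"]})


def outbreak_trigger(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {detection: hosts} for every threat seen on at least `min_hosts`
    distinct hosts inside a sliding `window`. One host with one detection is
    routine; several hosts with the same detection minutes apart is an outbreak."""
    by_threat = defaultdict(list)
    for e in events:
        if e["detection"]:
            by_threat[e["detection"]].append((e["time"], e["host"]))
    alerts = {}
    for threat, hits in by_threat.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[threat] = sorted(hosts)
                break
    return alerts


def eicar_test_file():
    """The EICAR standard anti-virus test file (68 bytes, harmless). Dropping it
    on a client is the safe way to confirm that a detection reaches the console
    and fires the configured trigger."""
    return (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
            ).encode("ascii")


if __name__ == "__main__":
    events = parse_feed(SAMPLE_FEED)
    print("stale definitions:", stale_definitions(events, REPORT_TIME))
    print("real-time protection off:", unprotected_hosts(events))
    print("outbreak alerts:", outbreak_trigger(events))
    print("EICAR test file:", len(eicar_test_file()), "bytes")
```

The window and host-count thresholds are the knobs to tune against the environment's normal detection rate; set too low, every shared phishing attachment pages the security team, set too high, the worm is already on the servers before the trigger fires.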
effectively contained so that the infection does not continue to spread. The network and security teams should work closely together to develop a strategy to halt malware propagation. Once the strategy has been outlined, the containment procedures should be followed quickly and efficiently. Procedures to contain the
may help contain the malware threat by applying the latest threat definitions to host and network security software, to ensure that the threat is recognized and eliminated
and servers. Physically shutting down infected systems will eliminate the possibility for
will likely be necessary to modify host, server, or network firewalls, and network routing devices.
4. Eradication: After analysis and containment of a malware outbreak, the threat must be removed from all infected hosts. A variety of removal techniques may be employed to ensure that the malware has been eradicated. Procedures to remove the malware may include:
A. Scan with installed anti-malware software – Responders should first disable System Restore, boot into safe mode, and check the threat definition version of
downloaded and copied to a removable disk. The removable disk should then be used to update the anti-malware software installed on the infected host. A full scan should be run to attempt to remove the threat. If the attempt is not successful, the responder
B. Scan using software on removable media – If the threat can't be removed using
should be used to try to remove the threat. Some removable disks are bootable, for the scenario where a host will not boot. In any case, the boot environment should provide functionality similar to safe mode, where only critical operating system services are loaded. This reduces the chance that the malware starts at boot and conceals itself from the scanner; booting from clean media avoids running the infected operating system at all. It may be necessary to try several removal tools to completely eradicate the infection. If the removal tools prove unsuccessful, responders should proceed to the next removal procedure.
C. Restore from backup media – If the threat cannot be removed using conventional removal methods, it may become necessary to restore the system from backup. The storage containing the threat should be completely erased or overwritten with either a disk wipe utility or a full format (a quick format only rewrites filesystem metadata and leaves the malware's data in place). It may also be necessary to wipe the master boot record for certain kinds of malware, such as boot-sector infectors. The backup used must predate the infection, or the malware will simply be restored along with the data. With a clean disk the system can be
D. Reload operating system – If a backup media set containing a bootable operating system does not exist or does not function correctly, the local disk of the infected host should be erased with either a full format or a disk wipe utility. The operating system can then be reloaded from the installation media. (See Section 5 – Recovery)
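Procedures C and D above both rest on the same wipe step, and the plan's point is that the wipe must be complete before anything is restored. The Python script below is an added example, not part of the original plan, of that step with verification built in: zero the master boot record, overwrite the whole disk, and read it back to confirm nothing survived. A temporary file stands in for the block device so the script can be run safely anywhere; on a real host the same functions would be pointed at the raw device (a path such as /dev/sdb, an assumption) from clean boot media, never from the infected operating system. The image size and the pseudo-random "infected" contents are constructed.

```python
"""Eradication by wiping: clear the MBR, overwrite the whole disk, verify.

Added example, not the original plan's code. A regular file stands in for
the raw device; the functions work unchanged on a block device node.
"""
import os
import tempfile

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
CHUNK = 1024 * 1024           # overwrite/read-back granularity
IMAGE_SIZE = 4 * SECTOR * 64  # 131072-byte constructed "disk"


def make_test_image(path, size=IMAGE_SIZE):
    """Constructed stand-in for an infected disk: random bytes plus a valid
    MBR signature, so the wipe has something visible to remove."""
    with open(path, "wb") as f:
        f.write(os.urandom(size))
        f.seek(510)
        f.write(MBR_SIGNATURE)


def device_size(f):
    """Size in bytes via lseek; os.path.getsize reports 0 for a device node."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def has_mbr_signature(path):
    with open(path, "rb") as f:
        f.seek(510)
        return f.read(2) == MBR_SIGNATURE


def wipe_mbr(path):
    """Zero sector 0 (boot code, partition table, signature). Same effect as
    `dd if=/dev/zero of=<dev> bs=512 count=1`."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR)
        f.flush()
        os.fsync(f.fileno())


def wipe_disk(path):
    """Overwrite every byte with zeros and flush to stable storage. Unlike a
    quick format this leaves no filesystem, and no malware, behind."""
    with open(path, "r+b") as f:
        size = remaining = device_size(f)
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def is_zeroed(path):
    """Read the whole device back and confirm nothing survived the wipe."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def run_demo(path=None):
    """Run the sequence on a temporary image; return each check's outcome."""
    cleanup = path is None
    if cleanup:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    try:
        make_test_image(path)
        result = {"signature_before": has_mbr_signature(path)}
        wipe_mbr(path)
        result["signature_after_mbr_wipe"] = has_mbr_signature(path)
        result["zeroed_after_mbr_wipe"] = is_zeroed(path)  # False: only sector 0 is clean
        result["bytes_wiped"] = wipe_disk(path)
        result["zeroed_after_full_wipe"] = is_zeroed(path)
        return result
    finally:
        if cleanup:
            os.remove(path)


if __name__ == "__main__":
    for check, value in run_demo().items():
        print(f"{check}: {value}")
```

Sector 0 holds only the MBR; a GPT-partitioned disk keeps its primary header in the next sector and a backup copy at the end of the disk, which is one reason the procedure follows the MBR wipe with a full overwrite rather than stopping there. This is eradication, not media sanitization: firmware implants and an SSD's over-provisioned cells are beyond what a host-visible overwrite reaches, and a host suspected of that kind of compromise should not be returned to service on the same hardware.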
5. Recovery: After the malware threat has been eradicated from the infected hosts, the process of restoring the confidentiality, integrity, and availability of system software and data begins. This process may include any of the following procedures:
A. Reinstall from installation media – If a malware threat could not be removed with software tools and the local disk had to be erased to remove it, it may be necessary to reinstall the operating system from installation media. This may involve loading the operating system from the original installation media or restoring a base system image. This procedure may also include reinstalling
system image.
B. Restore from backup media – Once the system is in a healthy state, begin restoring program data from backup media. If relevant, it may be necessary to run
host by enabling physical network ports and resetting automatic network threat
policies and controls, and determine whether any changes need to be made. It may be necessary to update the malware response plan, the acceptable use policy, corporate