
Malware Incident Response Plan

For Malicious Software IAE 677 – Fall 2008

By Daniel Simons

Nov. 18, 2008


1. Preparation:

A. Develop an acceptable use policy – An acceptable use policy explains what company computer assets should and should not be used for, and it should be distributed to all company employees. Identifying and discouraging activities that are not work related decreases the likelihood of malware infection: many of the web sites that host malicious scripts do not fall into the category of work-related sites. Other activities that should be banned or closely monitored include peer-to-peer file sharing and instant messaging. Both are breeding grounds for malware and give users ways to circumvent security controls. In addition, the majority of files hosted on peer-to-peer file sharing networks are protected by copyright law, and handling them may create legal liability. Use of work email systems for personal purposes should also be kept to a minimum, reducing the chance that users open unexpected email content or messages forwarded by friends that carry harmful attachments. The acceptable use policy should be drafted to communicate the proper use of business systems, then carefully reviewed by management and legal counsel to determine its effectiveness and legal implications. The policy will be distributed to all corporate employees.

B. Educate end users – It is equally important to provide adequate malware awareness training to end users. Educating users about the dangers of opening unexpected or suspicious email attachments, installing adware-supported shareware, running malicious scripts from insecure web sites, using p2p file sharing, and similar behaviour is an essential step in reducing the likelihood of a malware incident. Computer security personnel will provide training to end users through a series of group training sessions, through regular email bulletins reminding users about common security threats, and on an as-needed basis via the helpdesk incident reporting system.

C. Outbreak procedures – An appropriate type of response should be designed for the varying degrees of infection frequency, the role of the infected host in relation to business continuity, and the risk of replication. To meet these goals, the chart below will help computer personnel identify the correct response type.

Infection Frequency   Critical Nature of Host   Risk of Replication   Response Type
<1-2%                 Low                       Low                   1
<1-2%                 Low                       High                  2
<1-2%                 High                      Low                   2
<1-2%                 High                      High                  3
2%+                   Low                       Low                   2
2%+                   Low                       High                  2
2%+                   High                      Low                   3
2%+                   High                      High                  3

The following response types provide procedural details for responding to malware outbreaks and will be used by the appropriate computer personnel to address infections:

Response Type 1: Helpdesk personnel will contact a representative of the network team to disable network access to the infected host so that the malware infection cannot spread further through the network. (See Section 3 – Containment) If a representative of the network team is unavailable, the helpdesk personnel will physically disconnect the host from the network. The helpdesk personnel will then ensure that the host has current virus definitions, disable System Restore, reboot the system in safe mode, and launch a complete scan of the system. If the malware has disabled antivirus protection on the host, the helpdesk representative will use removable media containing antivirus software to run a complete scan of the system. If the threat can't be removed with either of these methods, the system will be backed up and then restored to the corporate image or to the last complete backup of the system. (See Section 4 – Eradication) The backed-up files should be scanned on an isolated system and restored only once they are determined to be free from infection. (See Section 5 – Recovery)

Response Type 2: This response type is typically triggered when multiple users report malware infections to the helpdesk, when network or host security systems raise an alert, or when critical services begin functioning improperly. The network team should be contacted immediately to determine how far the malware threat has spread and how critical the infected hosts are. If the infected hosts are not critical to business mission continuity, they should be disconnected from the network via administrative action. Once the risk of propagation has been halted, the response should be reduced to Response Type 1. If the infected hosts are critical to business mission continuity, the network team should consult the disaster recovery / business continuity plan and determine how to proceed. The network team should also contact the security team to review the propagation methods and payload of the malware. Proper precautions should be taken to ensure that the threat does not spread to other systems. (See Section 3 – Containment) This may include segregating network systems as needed or applying host hardening procedures. Once the risk of propagation has been contained, the network team should follow planned failover procedures for migrating services to a hot/warm/cold site or restore critical systems from backup media as necessary. (See Section 5 – Recovery)

Response Type 3: This response type is triggered only when critical business systems have become infected. The network and security teams should work closely together to identify how the malware spreads and what damaging payload it carries. The primary goal is to protect critical business information and restore service as soon as possible. Containment of infected systems may require a temporary shutdown of critical services. Vulnerable hosts that have not been infected should be protected by following security advisories to mitigate the risk of infection. (See Section 3 – Containment) Once the malware threat has been contained, the network team should begin recovery by following planned failover procedures for migrating services to a hot/warm/cold site or restoring critical systems from backup media as necessary. (See Section 5 – Recovery) Once service has been restored, any hosts that remain infected should be cleaned by following the eradication procedures. (See Section 4 – Eradication)

2. Detection and analysis:

A. Install client security software – A cornerstone of detecting malware and virus threats is installing host-based antivirus protection on all client computer systems. Host-based protection relies on a subscription service from a security vendor and detects malware using a variety of methods. Traditional antivirus scanners rely on signature-based detection, while many modern security suites add network threat protection (IDS), identification of suspicious virus-like activity (heuristics), and a basic to advanced host firewall. All corporate computer systems should have client security software installed and configured with the latest updates, and there should be a strategy for retrieving updates in a timely manner.

B. Malware and vulnerability awareness – Even with adequate security controls, malware may still go undetected because of the colossal number of security threats discovered daily. The time gap between the identification of a vulnerability and the appearance of threats that exploit it is narrowing at an alarming rate. Zero-day threats are threats that are exploited at nearly the same time the underlying security vulnerability is discovered, and it is increasingly likely that such threats will outpace security software. To counteract this, designated computer security personnel should subscribe to and read the latest malware threat and vulnerability advisories. In addition, computer security administrators will deploy and configure one or more hosts, in isolated network segments, with minimal protection for the purpose of providing an easy target for security threats. Such a host is commonly called a honeypot and is useful for discovering current malware trends and weaknesses in network controls.

C. Install network threat detection – In addition to antivirus and anti-spyware software, there are a number of other methods that help with early detection of malware threats. Today it is common to find firewalls and other perimeter network security devices that provide a variety of security services and are marketed as unified threat management (UTM) devices. UTM devices have built-in malware detection that, like traditional antivirus products, uses subscription services to provide the latest protection against new malware threats. By detecting malware at the perimeter, threats can be quarantined before they ever enter the protected network. Security administrators will deploy network threat detection systems to provide both an early warning system and a first layer of defense against malware threats.

D. Configure central reporting – A central reporting system is essential for providing early warning of a malware threat. Most corporate antivirus solutions provide central reporting capable of generating custom reports on infection outbreaks, antivirus software that is not up to date, client systems that are not protected, and so on. In addition, many central reporting systems can be configured with triggers that warn security administrators when an infection has been detected on a client computer system. Security administrators will ensure that central reporting is configured with triggers to warn when an infection outbreak is occurring, and will test the system with a dummy virus file from a security vendor to ensure that reporting functions correctly.
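As an added example (not part of the plan), the central-reporting triggers described here can feed the outbreak matrix from Section 1.C: detections exported from the console are aggregated into infection frequency, host criticality and replication risk, and the matrix selects the response type. The export line format, the host inventory, the fleet size and the list of self-replicating detection families are assumptions.

```python
"""Outbreak triage from antivirus central-reporting events (added example,
not part of the original plan).  The export format, inventory, fleet size
and the replicating-family list are assumptions made for this example."""

# Constructed sample export lines: timestamp, hostname, detection, action.
SAMPLE_EVENTS = """\
2008-11-18T09:01:12 WS-0142 Trojan.Generic quarantined
2008-11-18T09:03:40 WS-0198 Trojan.Generic clean_failed
2008-11-18T09:04:02 FS-01 Worm.Autorun clean_failed
2008-11-18T09:04:55 WS-0142 Trojan.Generic quarantined
"""

# Assumed inventory: hostname -> critical to business continuity.
INVENTORY = {"WS-0142": False, "WS-0198": False, "FS-01": True}
FLEET_SIZE = 400  # assumed number of managed hosts in the central console

# Assumed detection-name prefixes whose payload spreads on its own.
REPLICATING_PREFIXES = ("Worm.", "Net-Worm.")

def parse_events(text):
    """Split export lines into (host, detection, action) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            _ts, host, detection, action = line.split()
            events.append((host, detection, action))
    return events

def response_type(freq_pct, critical_host, high_replication):
    """The plan's matrix: frequency below 2% vs 2%+, host criticality, replication."""
    if freq_pct < 2.0:
        if not critical_host and not high_replication:
            return 1
        return 3 if (critical_host and high_replication) else 2
    return 3 if critical_host else 2  # 2%+ infection frequency

def triage(text, inventory, fleet_size):
    """Aggregate events into the matrix inputs and select a response type."""
    events = parse_events(text)
    infected = {host for host, _d, _a in events}
    freq_pct = 100.0 * len(infected) / fleet_size
    # Hosts missing from the inventory are treated as non-critical.
    critical = any(inventory.get(h, False) for h in infected)
    replicating = any(d.startswith(REPLICATING_PREFIXES) for _h, d, _a in events)
    return {
        "infected_hosts": sorted(infected),
        "frequency_pct": freq_pct,
        "critical_host": critical,
        "high_replication": replicating,
        # Hosts whose installed scanner failed go to the removable-media scan step.
        "clean_failed": sorted({h for h, _d, a in events if a == "clean_failed"}),
        "response_type": response_type(freq_pct, critical, replicating),
    }
```

With the constructed sample, three of 400 hosts (0.75%) are infected, one of them critical, and a worm family is present, so the matrix yields Response Type 3.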

3. Containment: Once a malware threat has been carefully analyzed, it needs to be effectively contained so that the infection does not continue to spread. The network and security teams should work closely together to develop a strategy to halt malware propagation. Once the strategy has been outlined, the procedures to contain the malware threat should be followed quickly and efficiently. Procedures to contain the threat may include:


A. Disable physical network access: Network access to infected systems should be disabled via administrative action or automatic shutdown of physical network ports. If network administrators are not immediately available, infected hosts should be physically disconnected from the network by unplugging the network cabling from the infected host system.

B. Host, service, and application hardening: Vulnerable systems should be protected by applying service, application, and operating system patches as necessary. Additionally, applying the latest threat definitions to host and network security software may help contain the malware threat by ensuring that it is recognized and eliminated when it attempts to spread to additional systems. (See Section 4 – Eradication)

C. Power off infected systems: It may be necessary to shut down infected workstations and servers. Physically shutting down infected systems eliminates the possibility that these systems help spread the malware threat.

D. Disable network services: It may also be necessary to shut down network services being used by the malware's propagation engine. To do so it will likely be necessary to modify host, server, or network firewalls and network routing devices.

4. Eradication: After analysis and containment of a malware outbreak, the threat needs to be removed from all infected hosts. A variety of removal techniques may be employed to ensure that the malware has been eradicated. Procedures to remove the malware may include:

A. Scan with installed anti-malware software – Responders should first disable System Restore, boot into safe mode, and check the threat definition version of the installed anti-malware software. If necessary, the latest threat definitions should be downloaded and copied to a removable disk, which is then used to update the anti-malware software on the infected host. A full scan should be run to attempt to remove the threat. If the attempt is not successful, the responder should proceed to the next removal procedure.

B. Scan using software on removable media – If the threat can't be removed using the installed anti-malware software, removable media containing anti-malware software should be used instead. Some removable disks are bootable, for the scenario where a host will not boot. Either way, the boot environment should provide a level of functionality similar to safe mode, where only critical operating system services are loaded; this reduces the possibility that the malware starts at system boot and runs in protected memory areas. It may be necessary to try several removal tools to completely eradicate the infection. If the removal tools prove unsuccessful, responders should proceed to the next removal procedure.

C. Restore from backup media – If the threat is not easily removed using conventional removal methods, it may become necessary to restore the system from backup. The system storage containing the threat should be completely erased or overwritten using either a disk wipe utility or a full format. For certain kinds of malware it may also be necessary to wipe the master boot record. With a clean disk the system can be reloaded from backup media. (See Section 5 – Recovery)

D. Reload operating system – If a backup media set containing a bootable operating system does not exist or does not function correctly, the local disk of the infected host should be erased with either a full format or a disk wipe utility. The operating system can then be reloaded from the installation media. (See Section 5 – Recovery)

5. Recovery: After the malware threat has been eradicated from infected hosts, the process of restoring the confidentiality, integrity, and availability of system software and data begins. This process may include all of the following procedures:

A. Reinstall from installation media – If a malware threat could not be removed with software tools and the local disk had to be erased to remove it, it may become necessary to reinstall the operating system from installation media. This may involve loading the operating system from the original installation media or restoring from a base system image. This procedure may also include reinstalling application software if it is not included in the operating system installation media or system image.

B. Restore from backup media – Once the system is in a healthy state, you should begin restoring program data from backup media. Where relevant, it may be necessary to run verification on the data to ensure that it was restored properly.
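One way to carry out the verification step, as an added example that is not part of the plan: record a SHA-256 manifest of the data before the disk is wiped (Section 4.C), then compare the restored files against it so that missing, altered or unexpected files are reported. The file paths and contents are constructed for the example.

```python
"""Restore verification against a hash manifest (added example, not part of
the original plan).  Digests are taken before the wipe and compared after
the restore; paths and contents below are constructed sample data."""
import hashlib
import os

def build_manifest(files):
    """files: relative path -> bytes.  Returns relative path -> hex SHA-256."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def verify_restore(manifest, restored):
    """Compare restored files (path -> bytes) with the pre-wipe manifest."""
    restored_manifest = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(restored_manifest)),
        "changed": sorted(p for p in manifest
                          if p in restored_manifest and restored_manifest[p] != manifest[p]),
        "extra": sorted(set(restored_manifest) - set(manifest)),
    }

def restore_is_clean(manifest, restored):
    """True only when nothing is missing, changed or unexpectedly present."""
    return not any(verify_restore(manifest, restored).values())

def read_tree(root):
    """Read every file under root into a path -> bytes mapping (real-world input)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files

# Constructed data: what was backed up before the wipe ...
ORIGINAL = {"docs/budget.xls": b"Q4 budget", "docs/memo.txt": b"all hands 9am"}
# ... and what came back from the backup media (one file altered, one stray).
RESTORED = {"docs/budget.xls": b"Q4 budget", "docs/memo.txt": b"all hands 9am\x00",
            "docs/memo.txt.tmp": b""}

if __name__ == "__main__":
    for kind, paths in verify_restore(build_manifest(ORIGINAL), RESTORED).items():
        print(f"{kind}: {paths}")
```

In practice the manifest is built with read_tree() on the live data before Section 4.C and stored off the host, then verify_restore() is run on read_tree() of the restored volume.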


C. Validate system state – Security software should be reinstalled on the host and the application software tested to ensure that it functions properly. It may be necessary to restore network connectivity before testing application software.

D. Restore network connectivity – Network communication should be restored to the host by enabling physical network ports and resetting automatic network threat protection measures as necessary.

6. Report: Following successful restoration of host, network, and application services, security administrators and management should evaluate the effectiveness of security policies and controls and determine whether any changes need to be made. It may be necessary to update the malware response plan, the acceptable use policy, corporate security plans and response measures, etc.
