The Playbook

Once the incident is identified, quarantine the affected device and perform the mitigation actions aligned with the organizations’ best practices. In response to an alert about suspected malware, the following workflow kicks off.

1.   Get md5 and name of the suspect file and send it to a known malware database (Like VirusTotal).

1. If the md5 and file name matches a known malware, jump to step 3.

2. Get the file and send it to sandbox for analysis.

1. If the result of the sandbox confirms the infected file’s ability to communicate laterally or externally, jump to step 2c.
2. Jump to step 3.
3. Move the computer to an isolated vLAN.
4. Update the end user that his computer was infected and is under investigation.
5. Search reputation DB for the destination IP. *If the destination IP is a known malware or threat source, update the ACL to block any future connections to this   destination.

3. Scan all the computers on the networks (plus the isolated one) for the files and process from step 2.

4. Search SIEM (or end systems if no SIEM Available) for other potential servers that might have made contact to or communicated with the threat source identified in 2e.

5. If additional computers are found with the files, perform steps 2c – 2d for each infected computer.

6. Update antivirus software block file list with the filename and md5 to block any future attacks.

7. Update monitor list to include connection to the destination IP identified in step 2e in case of a dormant malware waking up to affect additional systems in the future.

8. Kill the malware process matched in step 3 as part of the remediation actions.)

9. Delete the files matched in step 3 as part of the remediation actions.

10. Make sure that no new connections to the destination IP were established from the isolated computers in the identified vLAN.

1. If no new connection started after step 8, add the computer back to the organization’s network and update the users that they can now return to their normal work.
2. If new connection started:

1. If from computer in the isolated vLAN, check which process started the connection and kill it and return to step 10.
2. If from computer not in the isolated vLAN, move the computer to isolated vLAN and jump back to step 8.

11. Search in the SIEM (or end systems if no SIEM Available) for first match of the file name and log it as source for reporting and documenting purposes.

12. Create a list of users whose systems were affected by the malware in step 3.

13. Create the report that contains:

·       Malware file name.

·       Malware md5.

·       Malware starting process.

·       Actions taken (step 2c-2e, i, 6-9).

·       List of infected computers (Step 3,5).

·       End communication (step 2e if exists).

·       List of all users infected by the malware (step 12).

·       Report: As identified in step 13.

·       Verification: As shown above in steps 1-4.

·       Human in the loop gathering information: Step 1-5, 11-12.

·       Actions: 2c-2e, 6-9.