Action Steps for Threats against Malware
Description of Crisis
Cyber attacks can take many forms: malware, phishing, man-in-the-middle, denial-of-service, SQL injection, zero-day exploits, and DNS tunnelling. The most common types of malware are viruses, worms, Trojan horses, spyware, adware, and ransomware.
Objective
To efficiently respond to and mitigate the effects of a malware attack.
Scenario: Users' Systems are Infected with Malware
Action Steps
Pre-Crisis
- Review the Crisis Management Plan to keep it updated
- Keep the corporate call tree updated whenever there is staff movement
- Maintain risk controls and scan the environment regularly
- Continually identify risk and potential crisis scenarios
- Subscribe to alerts from a national cybersecurity agency, if applicable [e.g. Cybersecurity Malaysia, SingCERT, CSA Singapore]
- Educate staff continually on cyber security and compliance
- Update and maintain BC plans and IT DR plans
- Conduct table-top exercises for the CM Plan at least once a year
During-Crisis
- Ensure the Incident Management Team assesses the cyber attack's complexity, extent, and impact.
- Prepare for the Incident Manager to escalate to the CMT
- Advise the CMT to determine whether the incident fits the crisis scenario and, if so, execute the CM Plan
- Prepare to execute internal messaging to activate the call tree for stakeholders: SMEs, functional heads, SOC, etc.
- Execute the crisis communication plan
- Inform/update the affected users/customers.
- Inform/update higher management and follow the corporate escalation process.
- Communicate with customers about the services affected
Activate the Command Centre
- Activate the bridge so that all key stakeholders join the conference
- Ensure Command Centre members log discussions, decisions and actions taken, each with a timestamp, and update the progress status of resolutions
- Activate key support vendors' SMEs to work in tandem with the IM Team
- Determine and agree on the exit criteria
- Involve company legal and the internal CISO in case of a data breach
Resolution
- Isolate the network to contain the situation
- Use the tools vendors provide to clean and remove the malware, ransomware, etc. from the affected systems.
- If the system cannot be recovered, restore from the last known good backup
- Rescan the network and systems with the latest scan engine to ensure systems are free from malware
- Release affected and recovered systems for user testing
- Conduct a forensic investigation of the malware/ransomware
Post-Crisis
- Confirm that the exit criteria have been achieved and accepted by the user/customer.
- Submit formal crisis reports to management and relevant agencies, e.g. regulators.
- Provide the post-crisis evaluation and lessons learned
- Maintain a checklist for any later reference
- Review the crisis internally to determine if there are gaps that need to be worked on
- Recommend any enhancements to the necessary infrastructure to further strengthen the security defences
- Determine whether any service credits or claims need to be addressed with users