Action Steps for Malware Threats
Description of Crisis
Cyber attacks can take many forms: malware, phishing, man-in-the-middle, denial-of-service, SQL injection, zero-day exploits, and DNS tunnelling. The most common types of malware are viruses, worms, Trojan horses, spyware, adware, and ransomware.
Objective
To efficiently respond to and mitigate the effects of a malware attack.
Scenario: Users' Systems are Infected with Malware
Action Steps
Pre-Crisis
- Review the Crisis Management Plan to keep it updated
- Keep the corporate call tree updated whenever staff join, leave, or change roles
- Maintain risk controls and scan the environment regularly
- Continually identify risk and potential crisis scenarios
- Subscribe to a national cybersecurity agency's advisories, if applicable [e.g. CyberSecurity Malaysia, SingCERT, CSA Singapore]
- Continually educate staff on cyber security and compliance
- Update and maintain BC plans and IT DR plans
- Conduct table-top exercises for the CM Plan at least once a year
During-Crisis
- Ensure the Incident Management Team assesses the cyber attack's complexity, extent, and impact.
- The Incident Manager prepares to escalate to the Crisis Management Team (CMT)
- Advise the CMT to determine whether the incident fits the crisis scenario and, if so, execute the CM Plan
- Prepare to execute internal messaging to activate the call tree for stakeholders: SMEs, functional heads, SOC, etc.
- Execute the crisis communication plan
- Inform and update the affected users and customers.
- Inform and update higher management, following the corporate escalation process.
- Communicate with customers about the services affected
Activate the Command Centre
- Activate the bridge so that all key stakeholders are in the conference
- Ensure Command Centre members log discussions, decisions, and actions taken, with a timestamp for each activity, and update the progress status of resolutions
- Activate key support vendors and SMEs, and work in tandem with the IM Team
- Determine and agree on the exit criteria
- Involve company legal counsel and the internal CISO in the case of a data breach
Resolution
- Isolate the network to contain the situation
- Use the tools provided by vendors to clean and remove the malware, ransomware, etc., from the affected systems.
- If a system cannot be recovered, restore it from the last known good backup
- Rescan the network and systems with the latest scan engine to ensure they are free from malware
- Release the affected and recovered systems for user testing
- Conduct forensic investigation on the malware/ransomware
Post-Crisis
- Confirm that the exit criteria have been achieved and accepted by the users/customers.
- Submit formal crisis reports to management and relevant agencies, e.g. regulators.
- Provide the post-crisis evaluation and lessons learnt
- Maintain a checklist for later reference
- Review the crisis internally to identify gaps that need to be addressed
- Recommend any enhancements to the necessary infrastructure to further strengthen the security defence
- Determine whether any service credits or claims need to be addressed with users
More Information About Crisis Management Courses
To learn more about the course and schedule, click the buttons below for the CM-300 Crisis Management Implementer [CM-3] and the CM-5000 Crisis Management Expert Implementer [CM-5].
Please feel free to send us a note if you have any questions.