Handling Malware Outbreak
Given that attackers are now moving away from attacks that are merely a nuisance or destructive towards activity that is motivated by financial gain, malware attacks have become more sophisticated and a significant concern to organisations. A large-scale malware attack, often referred to as a malware outbreak, can cause widespread damage and disruption to an organisation, and necessitate extensive recovery time and effort. It is therefore crucial to implement adequate preventive measures, such as deploying protection and detection tools, to safeguard an organisation from malware attacks.
However, there is no such thing as bulletproof protection in the world of information security. It is also important that the organisation develop a robust information security incident procedure so that personnel are better prepared to handle malware outbreaks in a more organised, efficient and effective manner.
As defined in the Security Incident Handling for Company section, an incident response process should have three main stages: "Planning and Preparation", "Response" and "Aftermath". This section outlines the steps in the stages "Response" and "Aftermath" which are important to the complete handling of a malware outbreak. For more information about the "Planning and Preparation" stage, please refer to the section "Security Incident Handling for Company" mentioned above.
The "Response" Stage consists of the following five steps:
Determine fully if a malware outbreak has occurred.
The objective of this step is to determine whether a malware outbreak has occurred. Typical indications of a malware outbreak include any or all the following:
Upon discovery of any of the above symptoms, IT staff should immediately check and validate all suspicious activity to determine if an outbreak has occurred. Once it is confirmed that this is a malware security breach, it is important to collect information about the malware, as this will be essential for the containment and eradication process.
Information about the malware can be obtained from anti-malware software vendors' websites if the malware has been around for some time, by reviewing alerts from anti-malware software, by examining firewall and router log files. The following questions can help identify the characteristics of the malware:
Perform preliminary assessments
Once an outbreak is identified, IT staff should assess the scope, damage and impact of the outbreak in order to effectively deal with it.
Record all actions taken
IT staff should record all actions taken to deal with the outbreak and any corresponding results. This can facilitate incident identification and assessment, and provide evidence for prosecution or other useful information for subsequent incident handling stages. Logging should be carried out throughout the whole security incident response process.
The second step in incident response is to notify all appropriate parties and escalate the incident to the appropriate level following a predefined escalation procedure. The information provided during the escalation process should be clear, concise, accurate and factual. Providing inaccurate, misleading or incomplete information may hinder the response process or may even worsen the situation. It is crucial to bear in mind that information about incident should be disclosed only on a need to know basis.
The third step of response to a malware incident is containment. The following are activities that should be carried out in the containment stage:
Clearly identifying the infected systems is always the first step in containment. Unfortunately it is also a very complicated process due to the dynamic nature of today's IT environment. The following are some suggestions that may help identify infected systems in a managed environment:
Containing the outbreak can be done in various ways; the following are common tactics:
Containing the spread of the malware can be done with automated tools, such as anti-malware software, IDS and IPS. If the malware is not detected by existing anti-malware protection systems, even with the latest definition applied, support from anti-malware software vendors should be sought to create a new definition which covers the malware.
A malware outbreak can be effectively contained by quickly disconnecting infected systems from the overall network infrastructure, which can be accomplished by applying access controls on network devices or physically disconnecting network cables. In some cases, in order to contain the spread of malware to other sections of the organisation, it may be necessary to temporarily disconnect the network segments concerned from the network backbone. However, this containment strategy will certainly affect the operation of other non-infected systems in the segment.
Malware may propagate through network services, for example network shared drives. Temporarily blocking or even shutting down the network services used by malwares helps to contain incidents.
Malware may spread by attacking vulnerable network services. By addressing the vulnerabilities that have been exploited by the malware, such as applying security patches on vulnerable systems, the propagation channels can be eliminated, hence containing the spread. In addition, some mis-configuration, such as loose access controls on network-shared drives, can also be leveraged by malware. By rectifying any mis-configurations, the spread of a malware can be contained.
User participation is significant to the containment process in an environment where only a limited number of technical support staff are available to handle an outbreak, for example in small remote branch offices or in a non-managed office environment. Users should be provided with clear instructions on how to identify infections and what measures should be taken if a system is confirmed infected, such as running the anti-malware removal tools on the infected system.
It is important to keep a solid record of all actions taken at this stage, because some containment measures may require temporary modifications to the configuration or settings of network infrastructure and systems. These modifications will need to be removed after the incident.
It is important to understand that stopping further infection by the malware does not necessarily prevent the further damage to infected systems. For instance, the infection can be contained through disabling network connectivity. Yet, the malware may be still actively deleting files on the infected system. Therefore, a full eradication process should be carried out as soon as possible or in parallel with the containment process.
Eradicating a malware outbreak should be designed to remove the malware from all infected systems and media, and rectify the cause of the infection. Prior to carrying out the eradication process, it is advisable to collect all necessary information, including all log files, which may have to be deleted or reset during the clean up process, which will be useful in subsequent investigations.
Anti-malware scanning software and removal tools are commonly used as the primary means of eradication. However, in some cases, it may be necessary to rebuild infected systems from scratch. For instance, if the malware has downloaded and planted a backdoor on infected systems, rebuilding all systems may be the most reliable action to be taken in order to restore the integrity of the systems. Rebuilding a system generally includes the following actions:
Clearly, the main purpose of the recovery step is to restore all systems to normal operation. In a malware outbreak, recovering the functionality and data of infected systems may have already been carried as part of the eradication process. Apart from restoring the infected systems, removing any temporary containment measures, such suspended network connections, is another main aspect of the recovery process.
Prior to removal of the containment measures, one important step is a pre-production security risk assessment to ensure that no infection is detected, and that the cause of the original infection is rectified.
All related parties should be notified before the resumption of suspended services. IT personnel should restore specific functions and servers stage by stage, in a controlled manner, and in the order of demand, e.g. the most essential services or those serving the majority should resume first. After resuming the suspended services, it is important to verify that the restoration operation has been successful and that all services are back to normal operation. Additional monitoring measures may be implemented to watch for any suspicious activity in the network segments concerned.
Restoring infected systems to normal operation does not mark the end of a malware outbreak. It is also important to perform necessary follow up action. This may include full evaluation of the damage caused, system refinements to prevent recurrence of the incident, updates to security policies and procedures, and investigation of the case for subsequent prosecution. Activities in this stage can include the following: