Page 41 - cdm-2014
• If team members can gain access to the actual malware and have the skills and tools, they
should begin to analyze it to determine how it got in, how it is behaving, how it is spreading and
whether it has exfiltrated any data.
• Even without the ability to do malware analysis directly, the team should examine any
compromised devices to determine IOCs in order to search other hosts for signs of exploitation.
• Collect and correlate log data from as many sources as available, including server logs, firewall
and IDS/IPS logs and flow data, to gather more details about what happened and determine if
other hosts are infected.
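The IOC search and log correlation described in the steps above, as an added illustration that is not part of the original article: IOCs taken from the examined host (here a hypothetical C2 domain and address, constructed values) are matched against sample proxy, firewall and flow records, also constructed, to find other internal hosts that touched them and to flag unusually large outbound transfers as possible exfiltration.

```python
import re
from collections import defaultdict

# Hypothetical IOCs, as if taken from the examined compromised host (constructed values).
IOCS = {"domains": {"update-check.example.net"}, "ips": {"203.0.113.45"}}

# Constructed sample records from three sources the text names: server (proxy) log,
# firewall log and flow data. 10.0.0.5 is the host already known to be compromised.
PROXY_LOG = [
    '10.0.0.5 - - [12/Mar/2014:10:01:02 +0000] "GET http://update-check.example.net/c HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2014:10:03:44 +0000] "GET http://intranet.example.com/ HTTP/1.1" 200 2048',
]
FIREWALL_LOG = [
    "2014-03-12T10:02:10Z action=allow src=10.0.0.7 dst=203.0.113.45 dport=443",
    "2014-03-12T10:02:12Z action=deny src=10.0.0.9 dst=198.51.100.2 dport=22",
]
FLOW_RECORDS = [  # (src, dst, dport, bytes sent by src)
    ("10.0.0.5", "203.0.113.45", 443, 48_000_000),
    ("10.0.0.12", "192.0.2.8", 80, 1_200),
]

def correlate(iocs, proxy_lines, fw_lines, flows):
    """Return {internal host: [evidence, ...]} for every host that touched an IOC."""
    hits = defaultdict(list)
    for line in proxy_lines:  # Common Log Format with the full URL in the request line
        m = re.match(r'(\S+) .*?"(?:GET|POST|CONNECT) (\S+)', line)
        if m:
            fqdn = re.sub(r"^https?://", "", m.group(2)).split("/")[0].split(":")[0]
            if fqdn in iocs["domains"]:
                hits[m.group(1)].append(f"proxy: request to {fqdn}")
    for line in fw_lines:  # key=value firewall events; only allowed sessions matter here
        kv = dict(t.split("=", 1) for t in line.split()[1:])
        if kv.get("action") == "allow" and kv.get("dst") in iocs["ips"]:
            hits[kv["src"]].append(f"firewall: allowed to {kv['dst']}:{kv.get('dport')}")
    for src, dst, dport, nbytes in flows:  # flow data catches traffic the proxy never saw
        if dst in iocs["ips"]:
            hits[src].append(f"flow: {nbytes} bytes to {dst}:{dport}")
    return dict(hits)

def exfil_suspects(flows, iocs, threshold=10_000_000):
    """Hosts that sent more than `threshold` bytes to an IOC address: candidate exfiltration."""
    return sorted({src for src, dst, _, n in flows if dst in iocs["ips"] and n > threshold})

if __name__ == "__main__":
    for host, evidence in correlate(IOCS, PROXY_LOG, FIREWALL_LOG, FLOW_RECORDS).items():
        print(host, "->", "; ".join(evidence))
    print("possible exfiltration:", exfil_suspects(FLOW_RECORDS, IOCS))
```

On the sample data, 10.0.0.7 surfaces only through the firewall log and the large transfer from 10.0.0.5 only through flow data, which is why the text asks for as many sources as are available.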
Time is of the essence. Given the amount of work and expertise required, many organizations
decide to hire professional services or other technical specialists to supplement the in-house
team. Each organization must determine the feasibility of this approach and should establish a
relationship with a trusted partner prior to any potential incident.
2. To Contain or Not to Contain?
Once an organization has identified the nature, extent and severity of the attack, team members
are faced with two options – contain it or proceed directly to removal. Traditional incident
response plans recommend that the team contain and stop the attack. This involves:
• Quarantining the compromised host(s) or system(s) or disabling certain functions.
• Removing user access or login to the system.
• Determining the access point and blocking it to prevent ongoing damage.
Containment is appropriate when dealing with a ‘drive-by’ type attack in which a virus or other
rudimentary threat is introduced and the attacker quickly moves on to the next victim.
However, in the case of advanced malware or an APT that watches and alters its techniques
depending on the organization’s reaction, the more effective approach could be to proceed
directly to step three and coordinate the removal phase. Quarantining systems, disabling some
of the system’s functions and blocking access immediately indicate to the attacker that the
organization suspects an attack. Using time as an advantage, the attacker will simply lie
dormant within the environment and wait to launch at a point in the future, or alter attack
methods such that they are no longer detectable and continue on the mission.
3. Remove and Recover
Whether the team chooses to contain the attack or not, thoroughly removing the threat is critical
to reduce the risk of reinfection and regain normal operations. This is particularly important
when dealing with an APT that will simply move elsewhere in the network and attack again,
requiring an organization to repeat this entire process. The time and costs of mitigating and
recovering from malware attacks are significant. According to a 2013 report from Solutionary,
organizations are spending up to 30 days to recover from malware attacks, at a cost of over