A business falls victim to a malware attack every 14 seconds.

(Source: 2019 ACR)

A malware attack is the injection of malicious software into your network. Typically, malware gets into a network due to human error such as an employee accidentally clicking on a malicious link or email attachment. Some of the most common and dangerous types of malware attacks are ransomware and spyware; however, any type of malware attack can be devastating to an organization, especially if you’re not prepared.

Cybercriminals love organizations that aren’t prepared for an attack. If your organization has no established security incident response plan in place, you’ll have to scramble to come up with a solution while the attack is ongoing. A thrown-together solution is less likely to be successful and will cost more than a solution your organization has created far in advance.

Your IT department should have a security incident response plan in place for a malware attack, and any other predictable security event, long before you need to use it. If you aren’t sure what a security incident response plan is or how to create one, check out this blog covering the topic. Below you’ll find an example of a security incident response plan for a malware attack.

Security Incident Response Plan For a Malware Attack

IT Security Incident Response Plan

Detect

  • An alert generated by the anti-virus software, firewall or SIEM is communicated to the response team via email, SMS and on-screen pop-ups
  • A person reports problems accessing information, or sees an on-screen notification, either from the anti-virus software or from the malware itself
  • A person or tool reports computer performance issues (slowness, unresponsive programs, high CPU utilization or network traffic)

Validate

  • The response team will eliminate “false positive” notifications and determine scope:
    • Impact to the confidentiality, integrity or availability of data and services
    • Number of people affected
    • Whether the attack was targeted or random
    • Communicate to organization leadership within 30 minutes

Damage Control

  • Isolation of affected devices and data
  • Updating defenses to prevent further spread or similar attacks (update firewall/spam rules, white/blacklists, change passwords, patching, etc.)
  • Elimination of malicious software (removal of software, reimage device, replace/upgrade device, etc.)

Recovery

  • Identify compromised assets (data, credentials, etc.)
  • Communicate the incident to the appropriate teams
  • Determine if the incident warrants notifying and involving insurance, legal and/or law enforcement
    • Refer to the response team contact list for necessary resources (technical, advisory, procedural, legal, etc.)
  • Preserve archived data for investigation and restore compromised data from backup sources

Refinement

  • Lessons learned: Who opened the emailed link or attachment and why
  • Future prevention: Staff training, new tools/tech

The purpose of having a security incident response plan in place is so your organization can quickly shut down cyberattacks and minimize the damage done; however, your entire plan relies on the first step: detection. If your staff isn’t educated on the signs of a malware attack, they won’t be able to notify the response team. If you’re unsure how to go about training and educating your people to recognize the signs of a malware attack, check out our blog IT Security Awareness Training: Empowering Your Staff to Defend Your Business.