A malware infection is typically detected from one of three sources within an organization: users, IT staff, and security tools such as antivirus or anti-spyware software installed on the systems. The indications vary with the type of malware. Security tools provide specific details about what they identified, whereas users tend to observe abnormal host and network activity. As soon as an infection is detected, it should be reported to the responsible party within the organization (preferably the information security team). The information security team should then validate the report and categorize the malware in order to determine the level of priority. This is based on the:
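The triage step described above, as an added example that is not part of the original text: reports from the three sources (users, IT staff, security tools) are normalized per host, a malware category is derived from the report text, and a priority is assigned. The categories, priority values, keyword hints, validation rule and sample reports are all constructed assumptions for illustration; the page does not list the actual criteria.

```python
"""Triage of malware reports from users, IT staff and security tools.

All categories, priority values and keyword hints below are assumptions
chosen for illustration; they are not the criteria used by the source text.
"""
from dataclasses import dataclass, field

# Assumed category -> base priority (4 = most urgent).
CATEGORY_PRIORITY = {
    "worm": 4,        # self-propagating, can spread organization-wide quickly
    "ransomware": 4,  # data-destructive
    "trojan": 3,
    "spyware": 2,
    "adware": 1,
    "unknown": 2,
}

# Substrings an analyst might map from a security tool's detection name to a
# category (constructed; real vendor naming schemes differ).
SIGNATURE_HINTS = {
    "worm": "worm",
    "ransom": "ransomware",
    "trojan": "trojan",
    "spy": "spyware",
    "adware": "adware",
}

# Host/network symptoms a user or IT staff member might describe (constructed).
SYMPTOM_HINTS = {
    "files encrypted": "ransomware",
    "ransom note": "ransomware",
    "network slow": "worm",
    "many outbound connections": "worm",
    "popups": "adware",
}


@dataclass
class Report:
    source: str   # "user", "it_staff" or "security_tool"
    host: str
    detail: str   # free text from a person, or a detection name from a tool


@dataclass
class TriageRecord:
    host: str
    category: str = "unknown"
    priority: int = 0
    sources: list = field(default_factory=list)
    validated: bool = False


def categorize(report: Report) -> str:
    """Map one report to a malware category using the hint table for its source."""
    text = report.detail.lower()
    hints = SIGNATURE_HINTS if report.source == "security_tool" else SYMPTOM_HINTS
    for needle, category in hints.items():
        if needle in text:
            return category
    return "unknown"


def triage(reports):
    """Group reports per host, choose the most specific category, set priority."""
    records = {}
    for r in reports:
        rec = records.setdefault(r.host, TriageRecord(host=r.host))
        rec.sources.append(r.source)
        cat = categorize(r)
        # A tool detection is specific and overrides user-observed symptoms;
        # a human report only fills in a category when none is known yet.
        if cat != "unknown" and (r.source == "security_tool" or rec.category == "unknown"):
            rec.category = cat
    for rec in records.values():
        rec.priority = CATEGORY_PRIORITY[rec.category]
        # Assumed validation rule: a security-tool detection, or two
        # independent human sources, counts as corroboration. Anything else
        # stays flagged for the security team to confirm before acting.
        rec.validated = "security_tool" in rec.sources or len(set(rec.sources)) >= 2
    return sorted(records.values(), key=lambda x: (-x.priority, x.host))


def run_example():
    """Constructed sample reports; hostnames and detection name are made up."""
    reports = [
        Report("user", "ws-017", "My files are encrypted and there is a ransom note on the desktop"),
        Report("security_tool", "ws-017", "Ransom.Win32.Example.gen"),
        Report("it_staff", "ws-042", "Network slow, host making many outbound connections"),
        Report("user", "ws-042", "Network slow since this morning"),
        Report("user", "ws-099", "Popups keep appearing in the browser"),
    ]
    return triage(reports)


if __name__ == "__main__":
    for rec in run_example():
        print(rec)
```

The ordering of the output is the work queue: the two corroborated, high-priority hosts come first, and the single uncorroborated user report is last with `validated` left false so the team can confirm it before containment is applied.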
Containment is a must in most malware infection scenarios and should be performed as soon as the malware has been properly detected. Different containment mechanisms can be deployed depending on the malware category and the level of risk acceptable to the organization. The containment mechanism should be decided by the designated authoritative person who has been appointed under the organization's policy. The following containment mechanisms could be deployed:
The primary goal of eradication is to remove malware from infected systems. Sometimes this includes eliminating or mitigating system security vulnerabilities and other security weaknesses, which should prevent the system from becoming reinfected, or from being infected by another instance of the malware or a variant of the original threat.
Instead of performing typical eradication actions, organizations should strongly consider rebuilding any system that has any of the following incident characteristics:
The two main aspects of recovery from malware incidents are restoring the functionality and data of infected systems and removing temporary containment measures. Organizations should carefully consider possible worst-case scenarios, such as a new malware threat that wipes the hard drives of a large percentage of the organization's workstations, and determine how the systems would be recovered in those cases.
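The containment, eradication and recovery steps above, as one added example that is not part of the original text: given a triaged incident and the organization's risk tolerance, the planner selects containment measures, records them as temporary so they are reverted during recovery, decides between cleaning and rebuilding, and produces the recovery checklist. The containment mechanisms, the rebuild criteria (`admin_level_access`, `persistence_unknown`) and the risk-tolerance rule are assumptions chosen for illustration; the page does not list the actual mechanisms or characteristics.

```python
"""Containment / eradication / recovery planner for one malware incident.

Containment mechanisms, rebuild criteria and the risk-tolerance rule are
assumptions for illustration, not the lists from the source text.
"""
from dataclasses import dataclass, field


@dataclass
class Incident:
    host: str
    category: str                    # e.g. "worm", "ransomware", "trojan"
    priority: int                    # 1 (low) .. 4 (critical), as set at triage
    admin_level_access: bool = False  # assumed rebuild criterion: malware ran with admin rights
    persistence_unknown: bool = False  # assumed rebuild criterion: extent of changes unknown
    wiped_data: bool = False           # data on the host was destroyed


@dataclass
class Plan:
    containment: list = field(default_factory=list)  # temporary; every entry is reverted later
    eradication: str = ""
    recovery: list = field(default_factory=list)


# Assumed category -> containment mechanisms, least disruptive first.
CONTAINMENT_BY_CATEGORY = {
    "worm": ["isolate host from network", "block propagation ports at internal firewalls"],
    "ransomware": ["isolate host from network", "disable affected user's file-share access"],
    "trojan": ["isolate host from network", "block known command-and-control destinations"],
}
DEFAULT_CONTAINMENT = ["isolate host from network"]


def plan_response(inc: Incident, risk_tolerance: str = "low") -> Plan:
    """Build a containment, eradication and recovery plan for one incident."""
    plan = Plan()

    # Containment: the full list for anything serious; an organization that
    # accepts more risk applies only the least disruptive measure to
    # low-priority incidents (assumed rule).
    measures = CONTAINMENT_BY_CATEGORY.get(inc.category, DEFAULT_CONTAINMENT)
    if risk_tolerance == "high" and inc.priority <= 2:
        plan.containment = measures[:1]
    else:
        plan.containment = list(measures)

    # Eradication: rebuild rather than clean when the host's integrity can no
    # longer be trusted (assumed criteria).
    if inc.admin_level_access or inc.persistence_unknown:
        plan.eradication = "rebuild from known-good image"
    else:
        plan.eradication = "remove malware and fix the weakness that let it in"

    # Recovery: restore functionality and data, verify, then remove the
    # temporary containment measures in the order they were applied.
    if inc.wiped_data or plan.eradication.startswith("rebuild"):
        plan.recovery.append("restore data from last clean backup")
    plan.recovery.append("verify host with security tools before reconnecting")
    plan.recovery.extend(f"revert: {m}" for m in plan.containment)
    return plan


def run_example():
    """Two constructed incidents: a critical worm and a low-priority adware case."""
    critical = Incident("ws-042", "worm", priority=4, admin_level_access=True)
    minor = Incident("ws-099", "adware", priority=1)
    return plan_response(critical, "low"), plan_response(minor, "high")


if __name__ == "__main__":
    for plan in run_example():
        print(plan)
```

Keeping the containment list inside the plan is what makes the last recovery step mechanical: every temporary measure has a matching revert entry, so nothing stays isolated or blocked after the incident is closed.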
Because malware incidents can be extremely expensive to handle, it is particularly important for organizations to conduct thorough lessons-learned activities for major malware incidents. Capturing the lessons after handling a malware incident should help an organization improve its incident handling capability and malware defenses, including needed changes to security policy, software configurations, and the deployment of malware detection and prevention software.
As proactive measures against malware infections, organizations may: