Malware attacks are among the most common security threats. Not only are malware incidents increasing rapidly, but attack methods are becoming more complicated. This raises the importance of being prepared with a plan for handling and analyzing malware incidents and keeping it up-to-date.
How Is Incident Handling Done?
Step 1 – Identify an incident response team and outline responsibilities.
Prepare the team to respond to security events that result in an incident. Of course, an effective defense-in-depth security strategy should also be implemented and maintained to reduce the likelihood of a successful attack.
Step 2 – When an incident occurs, Incident Response Team members must be ready to respond.
When an incident occurs, Incident Response Team members must quickly gather, analyze, and interpret events and log files from intrusion detection systems, firewalls, routers, switches, domain controllers and other networked systems. Interpretation and analysis are essential in this phase because they determine the security impact of a given incident.
During this phase, the Incident Response Team will likely attempt to determine the intent of the attacker, which may further guide incident response efforts. Some questions that may be asked during this analysis include:
- Was the attack specific to the organization or was it opportunistic?
- Was the attack intended to penetrate directly into the organization or simply to gain lateral access to the real target by exploiting supplier-business-to-business relationships?
- Was the attack part of an initial attacker reconnaissance, and can the information be used to counter future attacks?
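As an added illustration of the log gathering and analysis in Step 2 (example code written for this page, not from the original article): the constructed firewall, IDS and domain-controller events below are normalised, grouped per source address, and summarised against the three questions above. The partner VPN range and the sweep threshold are assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events in a "timestamp source key=value ..." form; they are
# illustrative only and do not come from any real incident.
SAMPLE_LOGS = """\
2024-03-01T08:01:02Z firewall action=DENY src=203.0.113.7 dst=198.51.100.10 dport=22
2024-03-01T08:01:03Z firewall action=DENY src=203.0.113.7 dst=198.51.100.11 dport=22
2024-03-01T08:01:04Z firewall action=DENY src=203.0.113.7 dst=198.51.100.12 dport=3389
2024-03-01T08:01:05Z firewall action=DENY src=203.0.113.7 dst=198.51.100.13 dport=445
2024-03-01T09:15:00Z firewall action=ALLOW src=192.0.2.40 dst=198.51.100.10 dport=445
2024-03-01T09:15:07Z ids sig=smb-admin-share-access src=192.0.2.40 dst=198.51.100.10
2024-03-01T09:16:30Z dc event=4624 src=192.0.2.40 dst=198.51.100.10 user=svc_backup
"""

# Assumption: the organisation keeps a list of supplier/B2B VPN ranges (constructed here).
PARTNER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def parse(text):
    """Turn each log line into a dict of its fields plus timestamp and source system."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, source, *kv = line.split()
            ev = {"ts": ts, "source": source}
            ev.update(p.split("=", 1) for p in kv)
            events.append(ev)
    return events

def triage(events, partner_nets=PARTNER_NETS, sweep_threshold=3):
    """Per source address, collect the evidence behind the analysis questions."""
    by_src = defaultdict(lambda: {"targets": set(), "allowed": 0, "logons": 0, "ids": 0})
    for ev in events:
        s = by_src[ev["src"]]
        s["targets"].add(ev.get("dst"))
        s["allowed"] += ev.get("action") == "ALLOW"      # traffic that got through
        s["logons"] += ev.get("event") == "4624"          # successful Windows logon
        s["ids"] += ev["source"] == "ids"                  # IDS signature hits
    report = {}
    for src, s in by_src.items():
        sweep = len(s["targets"]) >= sweep_threshold       # many hosts touched in turn
        got_in = s["allowed"] > 0 or s["logons"] > 0
        report[src] = {
            "pattern": "opportunistic sweep" if sweep else "targeted",
            "recon_only": sweep and not got_in,            # probing, nothing got through
            "via_partner": any(ipaddress.ip_address(src) in n for n in partner_nets),
            "impact": "access" if s["logons"] else ("attempt" if got_in or s["ids"] else "blocked"),
        }
    return report
```

The report is a starting point for the analyst, not a verdict: a source reached through a partner range with a successful logon warrants the supplier-relationship question, while a blocked sweep is recorded as reconnaissance to inform future defences.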
Step 3 – Containing a security incident mitigates losses.
After containment, eradication may be necessary. This includes removing malware and disabling compromised accounts. During recovery, administrators restore normal operation of systems and correct the identified vulnerabilities so that the incident does not recur, especially since successful attacks are often followed by similar techniques against similar targets.
Step 4 – The forensics team learns from the incident.
Learning from incidents and improving processes and defenses is essential, but often overlooked. A post-incident review identifies weaknesses and opportunities for improvement in the security architecture, as well as in the capabilities of the incident response team.