The National Institute of Standards and Technology (NIST) recently updated its cross-industry “Guide to Malware Incident Prevention and Handling for Desktops and Laptops” with revised recommendations on avoiding malware threats for enterprises and industries such as healthcare.
HealthITSecurity.com covered the first part of NIST’s recommendations yesterday, and we’re following those up with NIST’s advice on how organizations should put in place a robust incident response capability that addresses malware incident handling.
In NIST SP 800-61, NIST’s Computer Security Incident Handling Guide, the incident response process has four main phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. The guide’s major recommendations for malware incident handling, by phase or sub-phase, are:
Preparation: Organizations should perform preparatory measures to ensure that they can respond effectively to malware incidents. Recommended actions include:
– Building and maintaining malware-related skills within the incident response team
– Facilitating communication and coordination throughout the organization
– Acquiring the necessary tools (hardware and software) and resources to assist in malware incident handling
Detection and Analysis: Organizations should strive to detect and validate malware incidents rapidly to minimize the number of infected hosts and the amount of damage the organization sustains. Recommended actions include:
– Analyzing any suspected malware incident and validating that malware is the cause. This includes identifying characteristics of the malware activity by examining detection sources, such as antivirus software, intrusion prevention systems, and security information and event management (SIEM) technologies.
– Identifying which hosts are infected by the malware, so that the hosts can undergo the appropriate containment, eradication, and recovery actions. Identifying infected hosts is often complicated by the dynamic nature of malware and computing. Organizations should carefully consider host identification issues before a large-scale malware incident occurs so that they are prepared to use multiple strategies for identifying infected hosts as part of their containment efforts. Organizations should select a sufficiently broad range of identification approaches and should develop procedures and technical capabilities to perform each selected approach effectively when a major malware incident occurs.
– Prioritizing the handling of each incident based on NIST SP 800-61 guidelines and additional malware-specific criteria
– Studying the behavior of malware by analyzing it either actively (executing the malware) or forensically (examining an infected host for evidence of malware)
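The “multiple strategies for identifying infected hosts” point above, as an added example that is not part of the NIST guide or this article: it correlates alerts from three detection sources (antivirus, IPS, and a DNS sinkhole) against an asset inventory so that hosts corroborated by more than one source are flagged as confirmed rather than merely suspected, and hosts the antivirus failed to quarantine are flagged for manual containment. All log lines, hostnames, IP addresses, the inventory and the `placeholder-c2.invalid` domain are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample alerts from three detection sources (not real data).
AV_LOG = """2024-05-02T09:14:03 host=ws-0142 threat=Trojan.GenericKD action=quarantined
2024-05-02T09:20:11 host=ws-0157 threat=Trojan.GenericKD action=quarantine_failed
2024-05-02T09:22:48 host=ws-0142 threat=Trojan.GenericKD action=quarantined"""
IPS_LOG = """2024-05-02T09:15:30 src=10.20.4.142 sig=C2-beacon-pattern action=blocked
2024-05-02T09:31:02 src=10.20.4.201 sig=C2-beacon-pattern action=blocked"""
SINKHOLE_LOG = """2024-05-02T09:16:07 client=10.20.4.142 query=placeholder-c2.invalid
2024-05-02T09:33:40 client=10.20.4.201 query=placeholder-c2.invalid"""

# Constructed asset inventory: maps IP addresses seen by network sensors to hostnames.
ASSETS = {"10.20.4.142": "ws-0142", "10.20.4.157": "ws-0157", "10.20.4.201": "ws-0201"}

def parse_kv(line):
    """Split a 'key=value key=value' alert line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def alerts(log, key, source):
    """Yield (hostname, source, fields) per alert, resolving IPs via the inventory."""
    for line in log.splitlines():
        fields = parse_kv(line)
        ident = fields.get(key)
        if ident:
            yield ASSETS.get(ident, ident), source, fields  # unknown IPs stay as-is

def identify_infected_hosts():
    """Correlate sources: a host seen by two or more is 'confirmed', else 'suspected'."""
    evidence = defaultdict(set)
    av_failed = set()
    feeds = [(AV_LOG, "host", "antivirus"), (IPS_LOG, "src", "ips"),
             (SINKHOLE_LOG, "client", "dns_sinkhole")]
    for log, key, source in feeds:
        for host, src, fields in alerts(log, key, source):
            evidence[host].add(src)
            if src == "antivirus" and fields.get("action") == "quarantine_failed":
                av_failed.add(host)
    report = {}
    for host, srcs in evidence.items():
        report[host] = {
            "sources": sorted(srcs),
            "status": "confirmed" if len(srcs) >= 2 else "suspected",
            # AV could not contain it: needs another containment tool regardless of status
            "needs_manual_containment": host in av_failed,
        }
    return report

if __name__ == "__main__":
    for host, info in sorted(identify_infected_hosts().items()):
        print(host, info)
```

In practice the feeds would come from the SIEM rather than inline strings, and the inventory lookup is what makes sensor-side IPs and endpoint-side hostnames refer to the same host.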
Containment: Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Nearly every malware incident requires containment actions. In addressing an incident, it is important for an organization to decide which methods of containment to employ initially, early in the response. Organizations should have strategies and procedures in place for making containment-related decisions that reflect the level of risk acceptable to the organization. Containment strategies should support incident handlers in selecting the appropriate combination of containment methods based on the characteristics of a particular situation. Specific containment-related recommendations include the following:
– It can be helpful to provide users with instructions on how to identify infections and what measures to take if a host is infected; however, organizations should not rely primarily on users for containing malware incidents.
– If malware cannot be identified and contained by updated antivirus software, organizations should be prepared to use other security tools to contain it. Organizations should also be prepared to submit copies of unknown malware to their security software vendors for analysis, as well as contacting trusted parties such as incident response organizations and antivirus vendors when guidance is needed on handling new threats.
– Organizations should be prepared to shut down or block services used by malware to contain an incident and should understand the consequences of doing so. Organizations should also be prepared to respond to problems caused by other organizations disabling their own services in response to a malware incident.
– Organizations should be prepared to place additional temporary restrictions on network connectivity to contain a malware incident, such as suspending Internet access or physically disconnecting hosts from networks, recognizing the impact that the restrictions might have on organizational functions.
Eradication: The primary goal of eradication is to remove malware from infected hosts. Because of the potential need for extensive eradication efforts, organizations should be prepared to use various combinations of eradication techniques simultaneously for different situations. Organizations should also consider performing awareness activities that set expectations for eradication and recovery efforts; these activities can be helpful in reducing the stress that major malware incidents can cause.
Recovery: The two main aspects of recovery from malware incidents are restoring the functionality and data of infected hosts and removing temporary containment measures. Organizations should carefully consider possible worst-case scenarios and determine how recovery should be performed, including rebuilding compromised hosts from scratch or known good backups. Determining when to remove temporary containment measures, such as suspension of services or connectivity, is often a difficult decision during major malware incidents. Incident response teams should strive to keep containment measures in place until the estimated number of infected hosts and hosts vulnerable to infection is sufficiently low that subsequent incidents should be of little consequence. However, even though the incident response team should assess the risks of restoring services or connectivity, management ultimately should be responsible for determining what should be done based on the incident response team’s recommendations and management’s understanding of the business impact of maintaining the containment measures.
Post-Incident Activity: Because the handling of malware incidents can be extremely expensive, it is particularly important for organizations to conduct a robust assessment of lessons learned after major malware incidents to prevent similar incidents from occurring. Capturing the lessons learned from the handling of such incidents should help an organization improve its incident handling capability and malware defenses, including identifying needed changes to security policy, software configurations, and malware detection and prevention software deployments.