Malware Incident Response Playbook
The Lumu Malware Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST Special Publication 800-61, the incident response life cycle has four main phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The sections below follow those four phases.
This document contains guidelines for malware incident response using Lumu. Treat this playbook as a baseline for improving the effectiveness of your incident response, and adapt it to your organization's specific requirements.
NIST defines Malware as a computer program that is covertly placed onto a computer or electronic device with the intent to compromise the confidentiality, integrity, or availability of data, applications, or operating systems. Common types of malware include viruses, worms, malicious mobile code, Trojans, rootkits, spyware, and some forms of adware.
Preparation
This is the initial phase, in which organizations take defensive measures so that they can respond effectively when an incident occurs.
How Lumu Helps
Lumu provides the ability to illuminate the blind spots in your network by providing coverage of your entire infrastructure, namely on-premises, public and private clouds, and roaming devices.
Lumu metadata collection
- Set up collectors such as Virtual Appliances, Gateways, and API to ensure that all your network metadata is ingested in the Lumu platform. Learn more in our deployment guide.
- Set up Spambox analysis to understand who adversaries are attempting to compromise in your organization and how they are being targeted.
- Ensure you cover remote users in your compromise assessment. Learn more about Lumu Agent and VPN and SDP configuration.
- Identify your vital assets (clients, IoT, clouds, remote devices, etc.) and assign labels to your traffic so that you can quickly see how a compromise is distributed across your infrastructure in a way that makes sense for your organization.
- Conduct regular awareness campaigns on security policies, the risks employees face, and the actions to take when confronted with a cyberattack.
- Keep your endpoint protection and operating systems updated.
- Deploy an anti-malware solution on network gateways, endpoints, and servers.
- Encourage users to store data on shared drives that are backed up and not on local device drives.
- As a good practice, remove local administrator rights from endpoints.
Detection & Analysis
Organizations should work to detect and validate incidents as quickly as they can. Without proper analysis, containment and eradication are likely to be incomplete. Early detection helps organizations limit the number of infected systems and makes the next phase easier.
How Lumu Helps
Lumu unlocks the value of your own network metadata by implementing the concept of Continuous Compromise Assessment that provides comprehensive and detailed visibility into your network infrastructure. Lumu illuminates the various activities associated with indicators of compromise (IoCs) detected on your network and provides all the contextual information needed for in-depth analysis through the Lumu Portal.
- Identify attack patterns. Look for details, such as date, time, number of contacts, and domains. You have that information at a glance in the Activity section of the Lumu Portal.
- Check for endpoint protection programs that are malfunctioning or have been disabled for unknown reasons.
- Use the IoC information provided by Lumu to check if the log files of your defensive infrastructure (e.g. endpoint protection, firewall, UTM gateway) contain this malicious communication.
- Analyze proxy server events to determine if malicious software was downloaded.
- Identify the endpoints contacting the adversarial infrastructure, and then match these with affected users. Use the Attack Distribution feature of the Lumu Portal to see how the compromise spread inside your network.
- Identify how your assets are communicating with the adversarial infrastructure. Use Lumu's Compromise Radar feature to see the frequency and behavior of the malicious communication, so you can differentiate occasional contact from persistent, automated compromises that have the power to cause harm to the organization.
- Inspect and analyze the source code of the web page or the software that tried to interact with the malicious server to determine which information the attacker may have obtained from users.
- If possible, reverse-engineer the malware in a secure environment (or sandbox) to understand its behavior, and the functionality it implements.
If a C&C URL was detected, the attack has reached the command-and-control stage and may still be active. In that case, consider immediately cutting the device off from the internet, or isolating it from the network entirely.
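The log check and frequency analysis in the steps above, as an added example written for this playbook (it is not Lumu code): a Python script takes a handful of IoCs as an analyst would copy them from the Lumu Portal, matches them against firewall or proxy log lines, and labels each host/IoC pair as a regular beacon or a sporadic contact from the spacing of its contacts. The IoC values, the log lines and the log format (`<ISO timestamp> src=<ip> dst=<host-or-ip> ...`) are constructed, and the contact-count and jitter thresholds are illustrative assumptions.

```python
"""Match reported IoCs against perimeter logs and characterise the contact pattern.

Added example for this playbook, not Lumu code. The IoC values, the log lines and
the log format ("<ISO timestamp> src=<ip> dst=<host-or-ip> ...") are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical IoCs, as an analyst would copy them from the Lumu Portal.
IOCS = {"update-svc.example", "198.51.100.23"}

# Constructed firewall/proxy log: one connection per line.
SAMPLE_LOGS = """\
2024-05-02T09:00:03Z src=10.1.4.22 dst=update-svc.example action=allow
2024-05-02T09:05:02Z src=10.1.4.22 dst=update-svc.example action=allow
2024-05-02T09:10:04Z src=10.1.4.22 dst=update-svc.example action=allow
2024-05-02T09:15:03Z src=10.1.4.22 dst=update-svc.example action=allow
2024-05-02T09:20:02Z src=10.1.4.22 dst=update-svc.example action=allow
2024-05-02T09:01:17Z src=10.1.7.9 dst=198.51.100.23 action=allow
2024-05-02T11:42:50Z src=10.1.7.9 dst=198.51.100.23 action=allow
2024-05-02T09:02:00Z src=10.1.4.22 dst=intranet.corp.example action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def parse_line(line):
    """Return (timestamp, src, dst), or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"]


def match_iocs(log_text, iocs):
    """Group contact timestamps by (internal host, IoC) for every line whose dst is an IoC."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        if dst.lower().rstrip(".") in iocs:
            hits[(src, dst)].append(ts)
    return hits


def classify_contacts(timestamps, min_contacts=4, max_jitter=0.2):
    """Label a contact series 'beacon' when it is frequent and evenly spaced.

    A low coefficient of variation of the inter-contact gaps is the classic sign of
    automated check-ins. The thresholds are illustrative; tune them to your data.
    """
    ts = sorted(timestamps)
    if len(ts) < min_contacts:
        return "sporadic"
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg > 0 else 0.0
    return "beacon" if jitter <= max_jitter else "sporadic"


def triage(log_text, iocs):
    """Per (host, IoC): contact count, first/last seen and pattern, to drive containment."""
    report = {}
    for (src, dst), ts in match_iocs(log_text, iocs).items():
        report[(src, dst)] = {
            "contacts": len(ts),
            "first_seen": min(ts).isoformat(),
            "last_seen": max(ts).isoformat(),
            "pattern": classify_contacts(ts),
        }
    return report


if __name__ == "__main__":
    for (src, dst), info in sorted(triage(SAMPLE_LOGS, IOCS).items()):
        print(f"{src} -> {dst}: {info}")
```

On the constructed data, 10.1.4.22 checks in with the domain every five minutes and is labelled a beacon, which is the case where immediate isolation is warranted; 10.1.7.9 contacted the IP twice hours apart and is labelled sporadic, which still needs investigation but not the same urgency. Lines that do not match the expected format are skipped rather than guessed at, so adapt `LINE_RE` to your own log source first.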
Containment, Eradication & Recovery
This phase has two key goals: stop the spread of the threat and prevent further damage inside the network. Organizations should have containment strategies and procedures that match the risk level of the detected compromise.
With Lumu Paid subscriptions you have visibility into the detailed malicious activity of each private IP address in your network in real time. To know more about illumination options, consult
How Lumu Helps
Confirmed compromise intelligence about the affected device helps security analysts understand where and how to contain and eradicate the compromise.
- Download the IoCs and threat trigger details from the Lumu Portal and configure your security infrastructure (firewalls, DNS resolvers, email gateways, and so on) to block the malicious URLs, email senders, or IPs.
- If the threat was delivered as an email attachment, check for details in the log files of the organization's mail server.
- Reduce any further malicious activity by quarantining affected assets or removing them from the network.
- Reset the credentials of all involved systems and accounts, including any service accounts used on the compromised hosts.
- Identify compromised or at-risk user credentials and require password changes where needed.
- Remove the threat and replace or restore compromised assets to a known-good state. Wipe and re-baseline affected systems if needed.
- Establish monitoring to detect further suspicious activity. The incident and its effects need to be remediated across the entire network.
- Run a complete malware scan of all systems across the affected network.
- Perform an automated or manual removal process to eradicate malware or compromised executables using appropriate tools.
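Turning the downloaded IoCs into blocking rules, as an added example written for this playbook (it is not Lumu code): the script refangs indicators, classifies each as an IP, domain, URL or sender address, refuses anything that falls in internal or special-use address ranges, deduplicates, and emits DNS response-policy-zone records, iptables rules and a sender list for the mail gateway. The indicator values are constructed and the one-indicator-per-line export format is an assumption; the `NEVER_BLOCK` ranges are a starting point to extend with your own prefixes and critical dependencies.

```python
"""Normalise a downloaded IoC list into block rules, with sanity checks.

Added example for this playbook, not Lumu code. The indicator values are constructed
and the export format (one indicator per line, possibly defanged) is an assumption;
check the columns of your actual portal export before feeding it in.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed indicators: a defanged URL, IPs, a sender address, a duplicate and noise.
SAMPLE_IOCS = """\
hxxp://update-svc[.]example/gate.php
198.51.100.23
10.0.0.5
payroll-update@mail.example
update-svc.example
not an indicator
"""

# Ranges that must never reach a blocklist (RFC 1918, loopback, link-local, multicast).
# Assumed starting list: extend it with your own public prefixes and critical SaaS hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@(?P<host>[^@\s]+)$")


def refang(value):
    """Undo common defanging (hxxp, [.], (.), [:]) so the value matches logs and rules."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify_indicator(value):
    """Return (kind, normalised value); kind is ip, domain, url, email or invalid."""
    v = refang(value)
    try:
        ip = ipaddress.ip_address(v)
        if any(ip in net for net in NEVER_BLOCK):
            return "invalid", v  # internal or special-use address: refuse to block it
        return "ip", v
    except ValueError:
        pass
    if "://" in v:
        try:
            host = urlparse(v).hostname or ""
        except ValueError:
            host = ""
        return ("url", v) if DOMAIN_RE.match(host) else ("invalid", v)
    m = EMAIL_RE.match(v)
    if m and DOMAIN_RE.match(m["host"]):
        return "email", v
    if DOMAIN_RE.match(v):
        return "domain", v
    return "invalid", v


def build_blocklist(text):
    """Turn raw indicators into RPZ records, firewall rules and a mail-gateway sender list.

    URL indicators are reduced to their host because DNS and firewalls cannot act on a
    path; that widens the block to the whole host, so review those entries before deploying.
    """
    out = {"rpz": [], "firewall": [], "mail": [], "skipped": []}
    seen = set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        kind, v = classify_indicator(raw)
        if kind == "url":
            kind, v = "domain", urlparse(v).hostname
        if kind == "invalid":
            out["skipped"].append(raw.strip())
            continue
        if (kind, v) in seen:
            continue  # same indicator listed twice (e.g. URL host and bare domain)
        seen.add((kind, v))
        if kind == "domain":
            out["rpz"].append(f"{v} CNAME .")    # RPZ: answer NXDOMAIN for the name
            out["rpz"].append(f"*.{v} CNAME .")  # and for everything under it
        elif kind == "ip":
            tool = "ip6tables" if ":" in v else "iptables"
            out["firewall"].append(f"{tool} -A OUTPUT -d {v} -j REJECT")
        else:  # email
            out["mail"].append(v)
    return out


if __name__ == "__main__":
    for section, entries in build_blocklist(SAMPLE_IOCS).items():
        print(section)
        for entry in entries:
            print("  " + entry)
```

Review the `skipped` list by hand before deploying: it holds both noise and indicators the script refused on purpose (here the RFC 1918 address), and a refused indicator may point at a misconfigured export rather than a bad IoC. The RPZ records go into the zone your resolver loads as a response policy zone; the firewall lines are meant to be reviewed and applied through your normal change process, not piped straight into a shell.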
Post-Incident Activity
This phase is designed to incorporate the lessons learned from each incident and to evaluate future improvements.
How Lumu Helps
Lumu helps refine the current and future defense and response by continuously monitoring that the compromise has been eradicated.
- Use Lumu to continuously monitor for any further communication between your assets and the adversarial infrastructure, and confirm that no additional contacts are reported.
- Conduct root cause analysis and evaluate the habits of the users. Use the context information in the Lumu Portal for details on how the adversary works, which users are falling for spam or phishing messages, and if they are visiting dangerous websites.
- Explore the related sources and articles provided by Lumu in the Context area to understand more about the detected malicious activities.
- Adjust your security policies. This may involve changing the configuration of the company's assets and conducting awareness campaigns, focusing on the users that own those devices.
- Coordinate with your endpoint protection vendor for signature or product updates if needed.
- Document and share with the stakeholders all the lessons learned from the incident and recommendations of any aspect that could be improved to help prevent a similar cyber incident from reoccurring.