Preparation

- Define actors, for each entity, who will be involved in the crisis cell. These actors should be documented in a contact list kept permanently up to date.
- Make sure that analysis tools are up, functional (Antivirus, IDS, log analysers), not compromised, and up to date.
- Make sure to have an architecture map of your networks.
- Make sure that an up-to-date inventory of the assets is available.
- Perform a continuous security watch and inform the people in charge of security about the threat trends.
- Make sure that a Business Continuity Process has been defined and regularly tested for the business-critical services.

Identification

Detect the infection

Information coming from several sources should be gathered and analyzed:
- Antivirus logs,
- Intrusion Detection Systems,
- Suspicious connection attempts on servers,
- High amount of accounts locked,
- Suspicious network traffic,
- Suspicious connection attempts in firewalls,
- High increase of support calls,
- High load or system freeze,
- High volumes of e-mail sent

If one or several of these symptoms have been spotted, the actors defined in the preparation step will get in touch and if necessary, create a crisis

Identify the infection

Analyze the symptoms to identify the worm, its propagation vectors and countermeasures.

Leads can be found from:
- CERTs bulletins;
- External support contacts (antivirus companies, etc.);
- Security websites (Secunia, SecurityFocus

Notify Chief Information Security Officer.

Contact your CERT if required.

Assess the perimeter of the infection

Define the boundaries of the infection (i.e.: global infection, bounded to a subsidiary, etc.). If possible, identify the business impact of the infection.

Containment

The following actions should be performed and monitored by the crisis management cell:

1. Disconnect the infected area from the Internet.

2. Isolate the infected area. Disconnect it from any network.

3. If business-critical traffic cannot be disconnected, allow it after ensuring that it cannot be an infection vector or find validated circumvention techniques.

4. Neutralize the propagation vectors. A propagation vector can be anything from network traffic to software flaw. Relevant countermeasures have to be applied (patch, traffic blocking, disable devices, etc.)
For example, the following techniques can be
- Patch deployment tools (WSUS),
- Windows GPO,
- Firewall rules,
- Operational procedures.

5. Repeat steps 2 to 4 on each sub-area of the infected area until the worm stops spreading. If possible, monitor the infection using analysis tools (antivirus console, server logs, support calls).

The spreading of the worm must be monitored.

Mobile devices

Make sure that no laptop, PDA or mobile storage can be used as a propagation vector by the worm. If possible, block all their connections.

Ask end-users to follow directives precisely.

At the end of this step, the infection should be
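
Added example, not part of the original IRM sheet: one way to turn the "suspicious connection attempts in firewalls" symptom into a list of suspected hosts and a per-subnet count that bounds the infected area and its sub-areas. The log layout, addresses, function names and the threshold of 20 distinct targets are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed log layout: "<timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^\S+ (?:ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def constructed_sample():
    """Constructed log: three scanning hosts and one busy but normal client."""
    lines = [f"2024-05-02T09:00:{i:02d} DENY src=10.1.2.15 dst=10.1.3.{i} dport=445"
             for i in range(1, 31)]
    lines += [f"2024-05-02T09:01:{i:02d} DENY src=10.1.2.77 dst=10.1.4.{i} dport=445"
              for i in range(1, 26)]
    lines += [f"2024-05-02T09:02:{i:02d} DENY src=10.1.6.4 dst=10.1.3.{i} dport=445"
              for i in range(1, 23)]
    lines += ["2024-05-02T09:03:00 ALLOW src=10.1.5.9 dst=10.1.0.10 dport=443"] * 40
    lines.append("truncated or malformed line")
    return lines

def fanout(lines):
    """Map (source, destination port) -> set of distinct destinations tried."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort triage
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        targets[(src, int(m["dport"]))].add(dst)
    return targets

def suspected_sources(lines, min_targets=20):
    """Hosts that tried at least min_targets distinct hosts on one port.
    The threshold is an assumption; tune it against normal traffic."""
    hits = {src for (src, _), dsts in fanout(lines).items()
            if len(dsts) >= min_targets}
    return sorted(hits, key=lambda a: (a.version, int(a)))

def perimeter(sources, prefix=24):
    """Count suspected hosts per subnet to bound the infected area."""
    nets = (ipaddress.ip_network(f"{s}/{prefix}", strict=False) for s in sources)
    return dict(Counter(nets))

if __name__ == "__main__":
    for net, n in perimeter(suspected_sources(constructed_sample())).items():
        print(f"{net}: {n} suspected host(s)")
```

The client that sends 40 connections to a single server is not flagged: the test is the number of distinct destinations on one port, not traffic volume.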
Remediation

Identify tools and remediation methods.
The following resources should be considered:
- Vendor fixes (Microsoft, Oracle, etc.)
- Antivirus signature database
- External support contacts
- Security websites

Define a disinfection process. The process has to be validated by an external structure, like your CERT for example.

Test the disinfection process and make sure that it works properly without damaging any service.

Deploy

Deploy the disinfection tools. Several options can be used:
- Windows WSUS
- GPO
- Antivirus signature deployment
- Manual disinfection

Warning: some worms can block some of the remediation deployment methods. If so, a workaround has to be found.

Remediation progress should be monitored by the crisis cell.

Recovery

Verify all previous steps have been done correctly and get management approval before following the next steps.

1. Reopen the network traffic that was used as a propagation method by the worm.

2. Reconnect sub-areas together

3. Reconnect the mobile laptops to the area

4. Reconnect the area to your local network

5. Reconnect the area to the Internet

All of these steps shall be made in a step-by-step manner and a technical monitoring shall be enforced by the crisis team.

Aftermath

Report

A crisis report should be written and made available to all of the actors of the crisis management cell.

The following themes should be described:
- Initial cause of the infection
- Actions and timelines of every important event
- What went right
- What went wrong
- Incident cost

Actions to improve the worm infection management processes should be defined to capitalize on this

Incident Response Methodology

IRM #1
Worm Infection Response
Guidelines to handle information system Worm infections

IRM Author: CERT SG / Vincent Ferran-Lacome
IRM version: 1.3
Web:
Twitter: @CertSG

Abstract

This Incident Response Methodology is a cheat sheet dedicated to incident handlers investigating a precise security issue.

Who should use IRM sheets?
- Administrators
- Security Operation Center
- CISOs and deputies
- CERTs (Computer Emergency Response Team)

Remember: If you face an incident, follow IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps

6 steps are defined to handle security Incidents
- Preparation: get ready to handle the incident
- Identification: detect the incident
- Containment: limit the impact of the incident
- Remediation: remove the threat
- Recovery: recover to a normal stage
- Aftermath: draw up and improve the process

IRM provides detailed information for each step.

This document is for public use