Online Incident Response Community
PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com
INCIDENTRESPONSE.COM
What is an incident response playbook? According to NIST Special Publication 800-61, an incident response process contains four main phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Descriptions for each are included below:
Malware Outbreak
You’ve selected the “Malware Outbreak” playbook. On the pages that follow, you will find your incident response playbook details broken down by the NIST incident handling categories.
PREPARE - MALWARE OUTBREAK
• Determine Core Ops Team & Define Roles: Vulnerability Manager, Threat Manager, Risk Manager
• Determine Extended Team & Define Roles: Response Executive Lead, Professional Services Lead, Support (Legal, PR, etc.)
• Define Escalation Path: Document Internal Escalation Path, Document External Escalation Path
DETECT - MALWARE OUTBREAK
Indicators:
• Unknown or unexpected services and applications configured to launch automatically on system boot
• Unknown or unexpected outgoing Internet traffic
• Unknown or unexpected network traffic from store and headquarter locations
• Anti-virus programs malfunctioning or becoming disabled for unknown reasons
• Degraded processing capability (increased CPU utilization)
Workflow: Standard Threat Indicators → Define Custom Indicators → Custom Indicators
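The detection indicators above can be turned into custom indicators by comparing a host's current state against a known-good baseline. The following is an added example (not from the playbook or from IncidentResponse.com); the host snapshots, the approved destination list and the 85% CPU threshold are constructed values for illustration.

```python
"""Baseline-vs-snapshot check for the Detect-phase indicators of the
Malware Outbreak playbook. Snapshots below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    host: str
    autostart: set        # services/apps configured to launch at boot
    av_running: bool      # anti-virus service state
    cpu_percent: float    # average CPU utilization
    outbound: set         # (destination, port) pairs seen leaving the host


def detect_indicators(baseline, current, approved_dests, cpu_threshold=85.0):
    """Compare a host's current snapshot with its baseline and return a list
    of (indicator, evidence) hits, one per playbook indicator that fires."""
    hits = []
    # New autostart entries not present in the baseline
    new_autostart = current.autostart - baseline.autostart
    if new_autostart:
        hits.append(("unexpected autostart", sorted(new_autostart)))
    # Anti-virus that was running at baseline but is no longer running
    if baseline.av_running and not current.av_running:
        hits.append(("anti-virus disabled", "service not running"))
    # Degraded processing capability (threshold is an assumption)
    if current.cpu_percent >= cpu_threshold:
        hits.append(("degraded processing", f"cpu={current.cpu_percent:.0f}%"))
    # Outbound connections to destinations outside the approved list
    unexpected = {d for d in current.outbound if d[0] not in approved_dests}
    if unexpected:
        hits.append(("unexpected outgoing traffic", sorted(unexpected)))
    return hits


# Constructed sample data: a store host at baseline and during an outbreak
APPROVED_DESTS = {"updates.example.internal", "hq.example.internal"}
BASELINE = HostSnapshot("store-pos-01", {"wuauserv", "Spooler", "AVAgent"},
                        True, 12.0, {("updates.example.internal", 443)})
CURRENT = HostSnapshot("store-pos-01",
                       {"wuauserv", "Spooler", "AVAgent", "updater_helper"},
                       False, 93.0,
                       {("updates.example.internal", 443), ("203.0.113.7", 8443)})


def run_example():
    """Run the check on the constructed snapshots and return the hits."""
    return detect_indicators(BASELINE, CURRENT, APPROVED_DESTS)


if __name__ == "__main__":
    for indicator, evidence in run_example():
        print(f"{indicator}: {evidence}")
```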
ANALYZE - MALWARE OUTBREAK
CONTAIN - MALWARE OUTBREAK
• Identify the IT services being impacted
• Identify the vulnerability being exploited
• Identify how widespread the attack has spread
Workflow: Vulnerability Database Logs / System Logs → Select Database → Query Database → Generate Report → View Report → View Record Details → Select Records → Copy Record Details
ERADICATE - MALWARE OUTBREAK
Communications: In-Person Meeting, Intranet Meeting, Mobile Messaging, Internet Meeting
RECOVER - MALWARE OUTBREAK
• Recover Data: Cloud Data Synchronization, Data Restore
• Coordinate AV Incident Remediation: Scan host with updated Signature, Scan File Share with updated Signature, Remove Vulnerabilities & Update Routers, Wipe & Baseline System, updates to be pushed upon release from AV Vendor
POST-INCIDENT - MALWARE OUTBREAK
• Incident Review
• Sensitive Electronic Personal Health Information (ePHI) Compromised?
• Government Information Compromised?
• Response Workflow Updated
Effective Remediation
Organization and automation are key benefits that result in effective remediation. Automated playbooks help to organize security processes, mitigation plans and smooth communication between multiple departments. By optimizing data collection, analysis, and communications you improve the odds for effective eradication, recovery with integrity and forensic-quality reporting.

Action Plan
Having a view into what is possible is the first step in taking action. The next step is to bring your team together to drive it toward reality. Email this guide to your peers and managers to begin sharing your playbook with them.

With this playbook, you will be better prepared to handle the response. To help with the management and automation of this incident response playbook, consider working with CyberSponse and their partners. Come take a look at what they do.

Risk Management Benefits
• Communicate effectively to ensure risk mitigation methods are applied
• Prioritize resources and activities where they matter most
• Report and tune based on response learning, reducing risk moving forward

Useful Links:
NIST Risk Management Framework Guide
Sample Policies and Plans