
Spyware Playbook

The Spyware Playbook defines the standardized approach for detecting, analyzing, containing, eradicating, and recovering from spyware infections.

Introduction

Overview

In the event of a cybersecurity incident, it is important that any organisation can respond, mobilise, and execute an appropriate level of response to limit the impact of the attack or breach. Although cybersecurity incidents differ in their nature and in the technologies involved, common incident types and methodologies can be grouped together so that an appropriate and timely response can be applied to each type. Incident-specific playbooks give incident managers and stakeholders a consistent approach to follow when remediating a cybersecurity incident.

A cybersecurity incident response playbook is a set of predefined steps and procedures that outline how to respond to a specific type of cybersecurity incident. For each playbook, the steps and procedures are structured according to the National Institute of Standards and Technology (NIST) Incident Response Lifecycle. The plan outlined in this playbook is developed to assist the constituents of the South African National Research and Education Network (SA NREN) in responding to spyware attacks. A spyware attack is a cyber threat where malicious software is secretly installed on a device to monitor user activity, collect sensitive information including personally identifiable information (PII), and transmit it to unauthorised parties without the user’s knowledge or consent.

Purpose

The purpose of the SANReN CSIRT Spyware Playbook is to provide guidance regarding the appropriate and timely response to a Spyware cybersecurity incident or attack.

Scope

This document has been designed for the sole use of the constituents of the SA NREN.

Review Cycle

This document is to be reviewed for continued relevancy by the SANReN CSIRT team at least once every 12 months, following any major cybersecurity incident, or as new information becomes available.

Preparation

This section outlines the recommended steps required to prepare the constituent to respond to a spyware attack in a timely and effective manner.

Activity: Maintain documentation
Description: Implement, maintain, and review cybersecurity incident procedures.
Action(s): Maintain and regularly update technical documentation. Establish policies and procedures. Define the roles and responsibilities. Create a Cyber Incident Response Plan covering spyware threats. Document network topology. Develop password and e-mail security policies. Establish a procedure to report spyware and related attacks.

Activity: Identify assets
Description: Maintain an understanding of the constituent’s environment.
Action(s): Keep a list of all company-owned domains. Maintain a list of all company-owned assets. Maintain an asset inventory and list of end-user devices.

Activity: Review available information
Description: Review cybersecurity incidents and their outputs.
Action(s): Review threats to the constituency, risks and vulnerabilities. Analyse common spyware. View SANReN CSIRT weekly articles, alerts, and advisories.

Activity: Implement preventive security measures (maintain tools and technologies)
Description: Deploy appropriate tools and technologies to detect spyware.
Action(s): Deploy anti-spyware, anti-malware, and/or anti-spam solutions. Enforce least privilege access and application whitelisting. Perform regular updates and patch management.

Activity: Training
Description: Educate employees regarding spyware through awareness campaigns and training.
Action(s): Hold internal and external training sessions. Conduct security awareness training on phishing and suspicious software.

Detection and Analysis

This section provides the recommended steps to follow to detect spyware and related attacks, and to investigate the collected data to determine the scope and impact of the spyware attack.

Escalate findings to the SANReN CSIRT team for further analysis and share identified Indicators of Compromise (IoCs) with the CSIRT.

Detect

Activity: Monitor network traffic
Description: Spyware often communicates with external servers, causing spikes in outbound traffic.
Action(s): Report and escalate according to the existing Cyber Incident Response Plan or established policies and procedures. Analyse network logs for unusual outbound traffic using appropriate tools (e.g., connections to unknown IPs or domains). Block suspicious IP addresses and domains. Inform the SANReN CSIRT team so that other constituents can be alerted. Inform the legal department if the attack has potential legal ramifications.

Activity: Check for unauthorised processes
Description: Spyware may run hidden or as unknown processes in the background.
Action(s): Use task managers to identify and terminate unknown processes. Check for performance degradation (e.g., high CPU/memory usage).

Activity: Inspect system logs
Description: Spyware activities may leave traces in system and application logs.
Action(s): Review system logs for unusual activities and unauthorised access attempts, such as login attempts from foreign locations.

Activity: Monitor file system changes
Description: Spyware may create or modify files covertly.
Action(s): Use integrity monitoring tools to detect unauthorised file changes.

Activity: Document findings
Description: Maintain a record of detected spyware incidents for future reference.
Action(s): Document the timeline, IoCs, and mitigation actions taken.
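The "Monitor network traffic" action above can be partly automated. The following is an added example, not part of the playbook or any SANReN tool: it parses constructed firewall/proxy log lines (timestamp, source host, destination domain, bytes sent), flags destinations outside an assumed allowlist of known domains, and flags hosts whose total outbound volume exceeds a multiple of an assumed per-host baseline.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real system):
# timestamp  src_host  dst_domain  bytes_out
SAMPLE_LOGS = """\
2024-05-01T09:00:01 ws-017 mail.example.ac.za 1820
2024-05-01T09:00:04 ws-017 updates.example-vendor.com 5230
2024-05-01T09:01:10 ws-042 mail.example.ac.za 2100
2024-05-01T09:01:12 ws-042 cdn-sync.unknown-host.xyz 840000
2024-05-01T09:02:30 ws-042 cdn-sync.unknown-host.xyz 910000
2024-05-01T09:03:01 ws-017 mail.example.ac.za 1500
"""

# Assumed allowlist: the constituent's own domains plus vetted vendors
# (the "list of all company-owned domains" from the Preparation phase).
KNOWN_DOMAINS = {"mail.example.ac.za", "updates.example-vendor.com"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse(lines):
    """Yield (timestamp, host, destination, bytes) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, dst, nbytes = m.groups()
            yield ts, host, dst, int(nbytes)

def detect(lines, known_domains, baseline_bytes, spike_factor=10):
    """Return (unknown destinations per host, hosts whose outbound volume
    exceeds spike_factor times the assumed per-host baseline)."""
    unknown = defaultdict(set)
    volume = defaultdict(int)
    for _ts, host, dst, nbytes in parse(lines):
        volume[host] += nbytes
        if dst not in known_domains:
            unknown[host].add(dst)
    spikes = {h: v for h, v in volume.items() if v > spike_factor * baseline_bytes}
    return {h: sorted(d) for h, d in unknown.items()}, spikes

if __name__ == "__main__":
    unknown, spikes = detect(SAMPLE_LOGS, KNOWN_DOMAINS, baseline_bytes=10_000)
    for host, dsts in unknown.items():
        print(f"{host}: connections to unknown destinations {dsts}")
    for host, total in spikes.items():
        print(f"{host}: outbound volume spike, {total} bytes")
```

Hosts reported by either check are candidates for escalation per the Cyber Incident Response Plan; the flagged destination is the IoC to share with the CSIRT.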

Analyse

Activity: Analyse the evidence
Description: Gather all logs, memory dumps, and other evidence.
Action(s): Use tools such as dd for disk imaging and Volatility for memory analysis.

Activity: Identify IoCs
Description: Look for signatures, hashes, and behavioural patterns associated with spyware.
Action(s): Cross-reference IoCs with known spyware databases such as MITRE ATT&CK, VirusTotal and MalwareBazaar. Share identified IoCs with the CSIRT team to enhance detection capabilities.

Activity: Determine scope and impact
Description: Determine the number of impacted users and devices.
Action(s): Identify users that have installed the spyware. Determine whether the spyware has spread to other devices. Establish an internal communication and reporting line. Review and correlate available log files: firewall log files (if available) and network device logs (if available).

Activity: Determine the severity
Description: Consider whether personal data (or other sensitive data) is at risk, the number of affected assets, the preliminary business impact, and whether services are affected.
Action(s): Consult the internal security team, legal department, and/or the SANReN CSIRT team.

Activity: Reporting
Description: Report continuously as the investigation progresses to ensure all relevant parties are up to date.
Action(s): Establish appropriate communication methods (e.g., e-mail or website, internal or external). Inform employees.
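The "Monitor file system changes" action in the Detect table and the "Identify IoCs" action above share one mechanism: hash every file, compare against a baseline, and check the hashes against a shared IoC list. The following is an added example, not the playbook's or any SANReN tool's code; the IoC hash is computed from constructed sample content, and the directory and files are constructed in a temporary location.

```python
import hashlib
import os
import tempfile

# Constructed IoC list: the SHA-256 of a constructed sample, standing in for
# hashes shared by the CSIRT or pulled from a source such as MalwareBazaar.
BAD_CONTENT = b"spyware-dropper-sample"
IOC_HASHES = {hashlib.sha256(BAD_CONTENT).hexdigest()}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out

def compare(baseline, current, ioc_hashes):
    """Classify changes since the baseline and flag any IoC hash matches."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    ioc_hits = sorted(p for p, h in current.items() if h in ioc_hashes)
    return {"added": added, "removed": removed, "modified": modified, "ioc_hits": ioc_hits}

def demo():
    """Build a constructed directory, take a baseline, then simulate a covert
    settings change and a dropped file; returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("proxy=off\n")
        baseline = snapshot(root)
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("proxy=203.0.113.7:8080\n")   # proxy setting changed covertly
        with open(os.path.join(root, "update_helper.bin"), "wb") as f:
            f.write(BAD_CONTENT)                  # dropped file matching an IoC
        return compare(baseline, snapshot(root), IOC_HASHES)

if __name__ == "__main__":
    print(demo())
```

A real deployment stores the baseline off-host (a compromised endpoint can rewrite a local baseline) and refreshes it after each authorised change.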

Containment, Eradication and Recovery

This section outlines the necessary steps to isolate the spyware attack and subsequent threats, eliminate and remove the effects of the spyware attack, and recover to resume normal operations.

Containment

Activity: Contain affected endpoints
Description: Identify and isolate affected systems and endpoints.
Action(s): Remove and/or isolate endpoints from the network to prevent lateral movement. Disconnect suspicious devices that may have been infected by spyware from the network.

Activity: Contain affected accounts
Description: Identify compromised accounts or at-risk credentials.
Action(s): Disable compromised accounts or reset credentials if necessary. Reduce access to critical systems or data until the investigation has been completed.

Activity: Block malicious activity
Description: Block activity based on identified indicators of compromise.
Action(s): Use encrypted communication channels such as VPNs, TLS, or PGP for sharing sensitive data; this also helps verify the identity of the communication endpoints. Block malicious domains, IPs, or command-and-control (C2) servers. Update firewall rules and proxies.

Eradication

Activity: Removal of the threat
Description: Remove spyware through automated endpoint solutions or manual deletion.
Action(s): Reformat and reinstall operating systems where necessary. Change or delete compromised accounts. Purge related applications or software from the infected devices. Perform registry cleanup and remove persistence mechanisms. Delete downloaded attachments, if applicable.

Recovery

Activity: Return systems and endpoints
Description: Recover systems based on business impact analysis and business criticality.
Action(s): Re-integrate previously compromised systems and endpoints. Restore suspended services. Restore affected systems from a trusted backup. Re-install any standalone system from a clean OS image before updating it with a trusted data backup.

Activity: Update defences
Description: Conduct a vulnerability scan of all systems.
Action(s): Establish and improve monitoring for suspicious behaviour. Improve the security of user accounts. Implement necessary patches. Perform a full system anti-malware scan and integrity check. Update anti-virus and anti-malware solutions. Enforce multi-factor authentication (MFA).

Post Incident Activity

This section lists the recommended steps to conduct after the spyware attack has been investigated and resolved, to ensure lessons are learned and improvements are put into place.

Activity: Lessons learned
Description: Process the incident, review strategies and revisit preparations for potential future incidents.
Action(s): Hold a “lessons learned” meeting. Questions to be discussed: How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? Identify gaps in security controls and update policies accordingly. Update the spyware playbook based on lessons learned.

Activity: Incident reporting
Description: Draft the post-incident report.
Action(s): Document the root cause, affected assets, and attacker TTPs (Tactics, Techniques, and Procedures). Share the report with the SANReN CSIRT team.

Activity: User awareness training
Description: Educate employees.
Action(s): Cover how to recognise a suspicious e-mail, safe download practices, recognising spyware symptoms and patterns, remote work security, browser safety, software update awareness, and password hygiene. Communicate via internal e-mail or an announcement on the constituent’s website.

Checklist

Action (tick when completed)

Detection and Analysis
1. Determine whether an incident has occurred – spyware was detected on devices.
2. Identify the type of spyware present.
3. Audit and remove unknown startup programs and scheduled tasks.
4. Verify DNS, proxy settings and other relevant network configurations.
5. Perform a comprehensive anti-malware/spyware and endpoint detection scan.
6. Document Indicators of Compromise (IoCs) and report to the security management team.

Containment, Eradication and Recovery
7. Isolate infected systems from the network – disable affected accounts, quarantine and isolate affected systems and endpoints – if malware is suspected.
8. Immediately delete or disable spyware persistence mechanisms.
9. Implement firewall rules to block malicious IPs and domains.
10. Uninstall malicious software and remove related files and registry entries.
11. Perform deep system scans to verify complete removal of spyware.
12. Conduct a thorough inspection of system backups for traces of infection.
13. Restore systems from clean, verified backups.
14. Conduct a system integrity check.

Post-Incident Activity
15. Conduct a “lessons learned” meeting.
16. Create a post-incident report and share it with relevant parties.