The Malware Bot Playbook defines the standardized process for detecting, analyzing, containing, eradicating, and recovering from malware infections associated with botnets or bot-controlled systems.
In the event of a cybersecurity incident, it is important that any organisation can respond, mobilise, and execute an appropriate level of response to limit the impact of a cybersecurity attack or breach. Although all cybersecurity incidents are different in their nature and technologies used, it is possible to group common cybersecurity incident types and methodologies together. This is to provide an appropriate and timely response depending on the cybersecurity incident type. Incident specific playbooks provide incident managers and stakeholders with a consistent approach to follow when remediating a cybersecurity incident.
A cybersecurity incident response playbook is a set of pre-defined steps and procedures that outline how to respond to a specific type of cybersecurity incident. For each playbook, the steps and procedures are structured according to the National Institute of Standards and Technology (NIST) Incident Response Lifecycle. The plan outlined in this playbook is developed to assist the constituents of the South African National Research and Education Network (SA NREN) to respond to Malware Bot attacks. Malware, short for malicious software, refers to intrusive software designed to cause harm to computer systems, networks, or servers. Other objectives of malware include stealing personal information, hijacking hardware and software resources, and sabotaging legitimate services. This playbook focuses on dealing with Malware Bots within a constituent’s network. A Malware Bot or Malware Spam Bot is a form of malware whose purpose is to hijack a computer system’s resources with the goal of sending spam messages to other Internet users.
The purpose of the SANReN CSIRT Malware Bot Playbook is to provide guidance regarding the appropriate and timely response to a Malware Bot cybersecurity incident or attack.
This document has been designed for the sole use of the constituents of the SA NREN.
This document is to be reviewed for continued relevance by the SANReN CSIRT team at least once every 12 months, following any major cybersecurity incident, or as new information becomes available.
Outlining the recommended steps required to prepare the constituent to respond to a Malware Bot attack in a timely and effective manner.
| Activity | Description | Action(s) |
|---|---|---|
| Maintain documentation | Implement, maintain, and review cybersecurity incident procedures. Maintain and regularly update technical documentation. Establish policies and procedures. Define roles and responsibilities. | Create and maintain a Cyber Incident Response Plan. Identify and maintain reporting structures. Maintain and update the contact details required for reporting and escalation. Document the network topology. |
| Identify assets | Maintain an understanding of the constituent’s environment. Keep a list of all company-owned domains. Maintain a list of all company-owned assets. | Maintain an asset inventory and a list of end-user devices. Identify which assets within the constituency are susceptible to malware bot attacks. |
| Review available information | Review past cybersecurity incidents and their outputs. Review threats, risks and vulnerabilities relevant to the constituency. Follow the latest and trending malware bots that have been made public and how they work. | View SANReN CSIRT weekly articles, alerts, and advisories. |
| Maintain tools and technologies | Deploy appropriate tools and technologies to detect and prevent malware bot attacks. Deploy appropriate tools to assist with eradication and recovery. | Deploy anti-malware and anti-virus tools. Deploy extended detection and response (XDR) and/or endpoint detection and response (EDR). |
| Training | Educate employees regarding malware attacks through awareness campaigns and training. | Internal and external training sessions. Train incident handlers to have a good understanding of the different types of malware and how to deal with each type. Incident handlers should be trained to use the constituent’s malware analysis tools so they are prepared to stop and prevent malware attacks. Send incident handlers for regular training to keep skills sharp and up to date. |
Providing the recommended steps to follow to enable the detection of malware bot attacks and conduct the investigation of the collected data to determine the scope and impact of the attack.
Escalate findings to the SANReN CSIRT team for further analysis and share identified Indicators of Compromise (IoCs) with the CSIRT.
| Activity | Description | Action(s) |
|---|---|---|
| Identification of the malware attack | Internal notifications: as reported by deployed detection tools (e.g. alerts received from anti-virus, EDR, IDS/IPS); as reported by employees (e.g. performance issues, pop-ups). External notifications: as reported by external parties observing suspicious or fraudulent email activity; as reported by the SANReN CSIRT or TENET. | Identify infected hosts/devices using the reported information. Report and escalate according to the existing Cyber Incident Response Plan or established policies and procedures. Inform the SANReN CSIRT team so that it can alert the SA NREN constituency. Inform the legal department (if the attack has potential legal ramifications). |
| Perform data collection | Collect initial incident data to confirm the malware attack and identify indicators of compromise (IoCs). | Collect a RAM dump of the infected host/device. Note the active background services on the infected machine. Note all open ports on the infected host. Collect samples of the malware from the infected host(s)/device(s) and, if applicable, of files affected by the malware. Calculate file hashes (MD5/SHA256) of suspicious binaries. Collect reports from deployed security tools/technologies: anti-virus and endpoint detection and response (EDR) reports; security information and event management (SIEM) reports; error logs from mail servers; firewall and router logs. Collect the affected host/device logs. |
| Activity | Description | Action(s) |
|---|---|---|
| Analyse the infected host(s) | Analyse the information collected from the infected host(s) to determine IoCs. | Establish an isolated but controlled environment for analysis (e.g. Joe Sandbox). Perform analysis to determine how the target machine was infected and note this as an IoC. Observe any attempts at network connectivity. Observe any files created or modified by the malware. Note where the malware was located on the infected host/device. Preserve a copy of the malware file(s) in a password-protected zip file. Submit the malware sample for further analysis (e.g. VirusTotal). Submit identified URLs for further analysis from the isolated environment (e.g. VirusTotal, urlscan.io). Contact the SANReN CSIRT team if further assistance is required. |
| Analyse reports from deployed security tools/technologies | Analyse the collected logs and sample files to determine malware activity, the attack start time, and any other useful information related to the attack. | Analyse: firewall log files (if available); network device logs (if available); SIEM reports; IPS/IDS reports. Contact the SANReN CSIRT team if further assistance is required. |
| Determine scope and impact | Determine the impact of the malware infection on confidentiality, integrity, and availability. Determine the number of users impacted by the malware infection. | To determine the scope and impact of the malware infection: investigate outgoing traffic, since some malware connects to a central command-and-control (C2) server; investigate internal traffic for lateral movement; investigate available IDS/IPS/SIEM logs for suspicious activity on hosts in the network. |
| Categorise the type of malware attack | Identify the type of malware and its modus operandi (virus, worm, Trojan, ransomware, rootkit, RAT, etc.). | Perform a basic analysis of the collected information to categorise the type of malware attack. Contact the SANReN CSIRT team and request assistance in identifying the malware type. |
| Determine the severity | Review the malware type, scope, and impact to determine severity. | Consider the following: whether personal data (or other sensitive data) is at risk; the number of affected host(s); the preliminary business impact; whether services are affected. |
| Reporting | Report continuously as the investigation progresses to ensure all relevant parties are up to date. | Establish an appropriate communication method (e.g. email or website, internal or external). Notify users in the organisation and request that they report suspicious activity on their systems. Inform the SANReN CSIRT and TENET of the findings. Notify internal stakeholders (e.g. the legal department), if required. |
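The outgoing-traffic check in the scope-and-impact step can be scripted against firewall logs: a spam bot shows up as a host that is not a mail relay opening many outbound SMTP connections, and a host that reaches for a C2 indicator is infected whether or not the firewall allowed the connection. The Python below is an added example, not part of the SANReN playbook; the log format, addresses, relay list, IoC value and threshold are constructed assumptions.

```python
"""Triage constructed firewall log lines for spam-bot behaviour (many outbound
SMTP connections from a host that is not a mail relay) and for contact with C2
indicators found during analysis. Added example; format and values are assumptions."""
import re
from collections import defaultdict

# Constructed sample lines in a simplified "ts ACTION src:port -> dst:port proto" format.
SAMPLE_LOG = """\
2024-03-01T08:00:01 ALLOW 10.1.2.15:51000 -> 203.0.113.10:25 TCP
2024-03-01T08:00:02 ALLOW 10.1.2.15:51001 -> 198.51.100.7:25 TCP
2024-03-01T08:00:03 ALLOW 10.1.2.15:51002 -> 203.0.113.44:25 TCP
2024-03-01T08:00:04 ALLOW 10.1.2.15:51003 -> 203.0.113.45:25 TCP
2024-03-01T08:00:05 ALLOW 10.1.2.15:51004 -> 203.0.113.46:25 TCP
2024-03-01T08:00:06 ALLOW 10.1.2.15:51005 -> 203.0.113.47:25 TCP
2024-03-01T08:00:07 ALLOW 10.1.2.15:51006 -> 198.51.100.99:4444 TCP
2024-03-01T08:00:08 ALLOW 10.1.2.20:52000 -> 203.0.113.10:443 TCP
2024-03-01T08:00:09 ALLOW 10.1.2.21:52001 -> 192.0.2.5:25 TCP
2024-03-01T08:00:10 DENY  10.1.2.22:52002 -> 198.51.100.99:4444 TCP
"""
MAIL_RELAYS = {"10.1.2.21"}    # hosts that legitimately send SMTP (assumption)
C2_IOCS = {"198.51.100.99"}    # placeholder C2 IoC from the analysis phase
SMTP_DEST_THRESHOLD = 5        # distinct SMTP targets before a host is flagged

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\w+$")

def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def triage(text, relays=MAIL_RELAYS, iocs=C2_IOCS, threshold=SMTP_DEST_THRESHOLD):
    """Return (spam_bots, c2_contacts): non-relay hosts whose distinct SMTP
    destinations exceed the threshold, and every host that tried to reach a
    C2 IoC (a DENY still marks the source host as infected)."""
    smtp_dests, c2_contacts = defaultdict(set), defaultdict(list)
    for rec in parse_log(text):
        if rec["dst"] in iocs:
            c2_contacts[rec["src"]].append((rec["dst"], rec["action"]))
        if rec["dport"] == 25 and rec["action"] == "ALLOW" and rec["src"] not in relays:
            smtp_dests[rec["src"]].add(rec["dst"])
    spam_bots = {s: len(d) for s, d in smtp_dests.items() if len(d) > threshold}
    return spam_bots, dict(c2_contacts)
```

Running `triage(SAMPLE_LOG)` flags 10.1.2.15 (six distinct SMTP destinations plus a C2 contact) and 10.1.2.22 (a denied C2 attempt), while the approved relay 10.1.2.21 is ignored.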
Outlining the necessary steps to isolate the malware bot attack and subsequent threats, eliminate and remove the effects of the malware bot attack, and recover to resume normal operations.
| Activity | Description | Action(s) |
|---|---|---|
| Isolate affected host(s) | Identify and quarantine affected host(s) once the malware infection has been confirmed. | Isolate the infected host by disconnecting it from the network to prevent the malware from spreading to other devices. Remove the host from the network and isolate it from the production network. Create an image of the compromised host for forensic purposes, if required. |
| Contain affected accounts | Identify compromised accounts or at-risk credentials. | Disable affected accounts or services. Reduce access to critical systems or data until the investigation has been completed. This applies to all hosts, not just the infected target: malware can spread to critical infrastructure from infected hosts that have not yet been identified. |
| Block malicious activity | Block activity based on identified IoCs. | Block malicious domains and IP addresses based on the IoCs discovered during analysis. Update anti-virus signatures. Update firewall rules and proxies; new rules can be derived from the modus operandi of the malware. Block the attack vector that was used to gain the initial foothold; it can be re-enabled once it has been hardened. |
| Activity | Description | Action(s) |
|---|---|---|
| Removal of the malware | Identify and remove malware artifacts. | Depending on the malware type, the following malware artifacts must be removed if present: registry entries, scheduled tasks, malicious files. Remove malware components using AV/EDR tools, or by manual removal or scripts. Alternatively, if the malware artifacts cannot be located, re-image the infected hosts. Re-imaging should be done if any of the following occurred: one or more attackers gained administrator-level access to the host; unauthorised administrator-level access to the host was available to anyone through a backdoor, an unprotected share created by a worm, or other means; system files were replaced by a Trojan horse, backdoor, rootkit, attacker tools, or other means; the host is unstable or does not function properly after the malware has been eradicated by anti-virus software or other programs or techniques (this indicates either that the malware has not been eradicated completely or that it has damaged important system or application files or settings); there is doubt about the nature and extent of the infection or any unauthorised access gained because of the infection. Note that a malware bot may be an indicator that other malware is also present on an infected host. |
| Activity | Description | Action(s) |
|---|---|---|
| Return systems and endpoints | Recover systems based on the business impact analysis and business criticality. | Restore affected systems from a trusted backup. Re-install any standalone system from a clean OS backup before updating it with a trusted data backup. Gradually re-integrate previously compromised host(s) while monitoring them closely. Restore suspended services. |
| Update defences | Prevent future infection by the malware. | Implement necessary patches. Update anti-virus and anti-malware solutions. Update detection rules (YARA rules and anti-virus signatures). Fine-tune EDR and SIEM alerts. Conduct a vulnerability scan of all systems. Establish and improve monitoring for suspicious behaviour. Reset passwords for impacted accounts. Improve the security of user accounts, if required. |
Recommended steps to conduct after the malware bot infection has been investigated and resolved to ensure lessons are learned and improvements are put into place.
| Activity | Description | Action(s) |
|---|---|---|
| Post-incident review | A structured process to analyse an incident, understand its causes, and identify areas for improvement to prevent recurrence. | Questions to be discussed: What was the initial vector? How long was the dwell time? Were the incident response steps effective? |
| Lessons learned | Process the incident, review strategies and revisit preparations for potential future incidents. | Hold a “lessons learned” meeting. Questions to be discussed: How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? Update the malware bot playbook based on the lessons learned. |
| Incident reporting | Draft the post-incident report. | Share it with the SANReN CSIRT team and TENET. |
| User awareness training | Educate employees about potential risks and threats, equipping them with the knowledge and skills to recognise malware bots. | Internal communication (e-mail) or an announcement on a website. Conduct training for employees on the precautions to be taken. Training should be based on the attack vector used to gain a foothold and spread the malware bot; this is determined in the analysis phase. Provide additional user training if phishing or social engineering were involved. |
Checklist
| # | Action | Completed |
|---|---|---|
| Detection and Analysis | | |
| 1. | Determine whether an incident has occurred: an alert was received that the local network is hosting a malware bot. | |
| 2. | Identify the type of malware present. | |
| 3. | Perform data collection as per section 3.1. | |
| 4. | Report the incident to the appropriate internal personnel and external organisations (SANReN CSIRT and TENET). | |
| 5. | Analyse the collected information to determine the malware name and modus operandi and establish a timeline. | |
| Containment, Eradication and Recovery | | |
| 6. | Contain the malware. | |
| 7. | Eradicate the malware bot. | |
| 8. | Recover from the incident: return to normal operations and update defences. | |
| Post-Incident Activity | | |
| 9. | Conduct a “lessons learned” meeting. | |
| 10. | Create a post-incident report and share it with the relevant parties. | |