As security administrators, we try to be as proactive as
patches and updates, conducting
penetration testing, and establishing
usage policies. Unfortunately, sometimes all the preventive care in the
world won’t protect your systems from the inevitable infection—be it virus,
worm, or some other form of malware.
I’ve written before about the importance of creating
an incident response policy, and I’ve told you specific
steps to take in response to a security incident. But security incidents
can vary widely in size and target. While it’s imperative to have an overall
policy in place, an actual incident response plan should depend on the actual
Case in point: The growing threat of malware infections. A
malware incident response plan is not one that should focus on an active attack;
instead, it needs to concentrate on the payload left behind on your systems.
What is malware?
Malware is malicious code or software secretly inserted into
a system to compromise the confidentiality, integrity, or availability of the
data or applications residing on the network. Malware incidents can cause
extensive damage and disruption to a network, and they require costly efforts
to restore system security and user confidence.
We can separate malware threats into five broad categories.
Here’s a quick overview:
- Viruses: Self-replicating code
inserts copies of the virus into host programs or data files. Viruses can
attack both operating systems and applications.
- Worms: A self-replicating,
self-contained program executes without user intervention. Worms create
copies of themselves, and they don’t require a host program to infect a
- Trojan horses: This self-contained,
non-replicating program appears to be benign, but it actually has a hidden
malicious purpose. Trojan horses often deliver other attacker tools to
- Malicious mobile code: This
software with malicious intent transmits from a remote system to a local
system. Attackers use it to transmit viruses, worms, and Trojan horses to a
user’s workstation. Malicious mobile code exploits vulnerabilities by
taking advantage of default privileges and unpatched systems.
- Tracking cookies: Accessed by many
Web sites, these persistent cookies allow a third party to create a
profile of a user’s behavior. Attackers often use tracking cookies in
conjunction with Web bugs.
These are the main categories of the malware threats
threatening your users and your network. What happens when they succeed? An
effective malware response plan includes these six steps:
- Preparation: Develop malware-specific
incident handling policies and procedures. Conduct malware-oriented
training and exercises to test your policies and procedures. Determine
whether your procedures work before you actually have to use them.
- Detection and analysis: Deploy and
monitor antivirus/anti-spyware software. Read malware advisories and
alerts produced by antivirus/ anti-spyware vendors. Create toolkits on
removable media that contain up-to-date tools for identifying malware,
examining running processes, and performing other analysis actions.
- Containment: Be prepared to shut down a
server/workstation or block services (e.g., e-mail, Web browsing, or
Internet access) to contain a malware incident. Decide who has the authority to make this decision based on the
malware activity. Early containment can stop the spread of malware and
prevent further damage to systems both internal and external to your
- Eradication: Be prepared to use a variety
of eradication techniques to remove malware from infected systems.
- Recovery: Restore the confidentiality, integrity, and availability of
data on infected systems, and reverse containment measures. This includes
reconnecting systems/networks and rebuilding compromised systems from
scratch or known good backups. The incident response team should assess
the risks of restoring network services, and this assessment should guide
management decisions about restoration of services.
- Report: Gather the lessons learned after each malware incident to
avert similar future incidents. Identify changes to security policy,
software configurations, and the addition of malware detection and
When it comes to responding to a malware incident, you can
deploy all the detection and monitoring tools on the planet, but you still have
to get your users involved! Educate your users on how to identify infections,
and teach them the steps to take if their system becomes infected.
Miss a column?
Check out the Security Solutions
Archive, and catch up on the most recent editions of Mike Mullins’ column.
Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter, delivered each Friday,
and get hands-on advice for locking down your systems.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security