RP0007: Malware Outbreak
Summary
ID | RP0007 |
---|---|
Brief Description | Response playbook for malware outbreak response |
Author | @ermack_community |
Creation Date | 2019/01/31 |
Modification Date | 2019/01/31 |
Tags | |
Workflow
- Execute the Response Actions step by step. Some of them are directly connected, which means you will not be able to move forward without finishing the previous step. Some of them are redundant, such as those related to blocking a threat using network filtering systems (containment stage).
- Start executing the containment and eradication stages concurrently with the remaining identification steps, as soon as you receive information about malicious hosts.
- If the malware achieved code execution or remote access on a victim host, immediately start executing the Generic Post Exploitation Incident Response Playbook.
- Save the timestamps of all implemented actions in the Incident Report draft as you go; it will save a lot of time.
Playbook Actions
Preparation
Identification
Identify affected systems and users
Identify compromised data
Identify means of attack
Containment
Block External Ip Address
Block External Domain
Block External Url
Eradication
Report Incident To External Companies
Recovery
Unblock Blocked Ip
Unblock Blocked Domain
Unblock Blocked Url
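The workflow above asks responders to timestamp every action as they go, to run containment (blocking external IP addresses, domains and URLs) in parallel with the remaining identification steps, and to reverse those blocks at the recovery stage. As an added example that is not part of the original playbook, the following Python helper supports exactly that: it validates each indicator before it is handed to the network filtering team, refusing internal addresses (pushing an RFC 1918 address to the perimeter filter during an outbreak is a self-inflicted outage), keeps a timestamped timeline in the shape of an Incident Report draft, and reports what is still blocked so that recovery unblocks everything that containment blocked. The class and function names, the incident identifier and the sample indicators are constructed for illustration.

```python
"""Timestamped action log and indicator validation for a malware outbreak.

Added example for playbook RP0007; not part of the original page.
Names, the report layout and the sample indicators are assumptions.
"""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Ranges that must never be sent to an external (perimeter) block list.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10")]               # IPv6 equivalents

# Loose hostname check: hyphen/alphanumeric labels, at least one dot.
_DOMAIN_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def classify_indicator(value):
    """Return 'IP', 'Domain' or 'URL' for a containment indicator.

    Raises ValueError for malformed input and for addresses inside the
    organisation's own ranges: the playbook blocks *external* indicators.
    """
    v = value.strip()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in _INTERNAL_NETS):
            raise ValueError(f"{v} is an internal address, not an external one")
        return "IP"
    if "://" in v:
        parts = urlparse(v)
        if parts.scheme in ("http", "https") and parts.hostname:
            return "URL"
        raise ValueError(f"unsupported URL: {value!r}")
    if _DOMAIN_RE.match(v):
        return "Domain"
    raise ValueError(f"unrecognised indicator: {value!r}")


class OutbreakIncident:
    """Timeline of response actions for one incident, recorded on the fly."""

    def __init__(self, incident_id, clock=None):
        self.incident_id = incident_id
        self.entries = []          # (timestamp, stage, action, detail)
        self.blocked = {}          # indicator -> kind, still in force
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def record(self, stage, action, detail):
        """Append an action with its UTC timestamp; returns the timestamp."""
        ts = self._clock().strftime("%Y-%m-%d %H:%M:%SZ")
        self.entries.append((ts, stage, action, detail))
        return ts

    def block(self, indicator):
        """Containment: validate and register an external indicator."""
        kind = classify_indicator(indicator)
        if indicator not in self.blocked:      # no duplicate request to the network team
            self.blocked[indicator] = kind
            self.record("Containment", f"Block External {kind}", indicator)
        return kind

    def unblock(self, indicator):
        """Recovery: lift a block that this incident created."""
        kind = self.blocked.pop(indicator, None)
        if kind is None:
            raise ValueError(f"{indicator} was never blocked in this incident")
        self.record("Recovery", f"Unblock Blocked {kind}", indicator)
        return kind

    def still_blocked(self):
        """Indicators that recovery has not yet released (should end empty)."""
        return sorted(self.blocked)

    def report(self):
        """Render the timeline as the action table of the Incident Report draft."""
        lines = [f"Incident {self.incident_id}: action timeline", "",
                 "Time (UTC) | Stage | Action | Detail", "---|---|---|---"]
        lines += [" | ".join(e) for e in self.entries]
        return "\n".join(lines)


def demo(clock=None):
    """Walk one constructed incident through identification, containment and recovery."""
    inc = OutbreakIncident("RP0007-EXAMPLE", clock)
    inc.record("Identification", "Identify affected systems and users",
               "3 workstations, 1 file server (constructed sample)")
    for ioc in ("203.0.113.5", "c2.example.net", "http://c2.example.net/payload.bin"):
        inc.block(ioc)
    inc.block("c2.example.net")                 # repeated indicator: logged once
    try:
        inc.block("10.0.0.5")                   # internal host: must not reach the perimeter
    except ValueError as err:
        inc.record("Containment", "Rejected indicator", str(err))
    for ioc in list(inc.blocked):               # recovery: release every block we made
        inc.unblock(ioc)
    return inc


if __name__ == "__main__":
    print(demo().report())
```

Internal hosts that are infected are handled by host isolation and the post-exploitation playbook, not by the perimeter block list, which is why `classify_indicator` rejects them outright rather than silently classifying them as IPs.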