systems are detected and patched; this exposure could help handlers make better containment and
Facilitating Communication and Coordination
One of the most common problems during malware incident handling, particularly in widespread
incidents, is poor communication and coordination. Anyone involved in an incident, including users, can
inadvertently cause additional problems because of a limited view or understanding of the situation. To
improve communication and coordination, an organization should designate in advance a few individuals
or a small team to be responsible for coordinating the organization’s responses to malware incidents. The
coordinator’s primary goal is to maintain situational awareness by gathering all pertinent information,
making decisions that are in the best interests of the organization, and communicating pertinent
information and decisions to all relevant parties within the organization in a timely manner. For malware
incidents, the relevant parties often include end users, who might be given instructions on how to avoid
infecting their systems, how to recognize the signs of an infection, and what to do if a system appears to
be infected. The coordinator also needs to provide technical guidance and instructions to all staff
assisting with containment, eradication, and recovery efforts, as well as giving management regular
updates on the status of the response and the current and likely future impact of the incident.
Because widespread malware incidents often disrupt e-mail services, internal Web sites, Voice over IP,
and other forms of communication, organizations should have several communication mechanisms
established so that good communication and coordination among incident handlers, technical staff,
management, and users can be sustained during adverse events. Possible communication methods include
the organization’s phone system, cell phones, pagers, e-mail, fax, and paper. Even under good conditions,
it is often effective to use different communication methods for different audiences (for example,
communicating to users through e-mail, but using a standard conference call phone number for
discussions among key technical personnel). Management updates could occur in person, through
conference calls, or through a voice mailbox greeting that is updated regularly with the incident status and
other helpful information. Section 4.3.1 describes other methods for communicating with users, including
sending broadcast voice mail messages and posting signs in high-traffic office areas.
Organizations should also establish a point of contact for answering questions about the legitimacy of
malware alerts. Many organizations use the IT help desk as the initial point of contact and give help desk
agents access to sources of information on real malware threats and virus hoaxes so that they can quickly
determine the legitimacy of an alert and provide users with guidance on what to do.
should caution users not to forward malware alerts to others without first confirming that the alerts are
Acquiring Tools and Resources
Organizations should also ensure that they have the necessary tools (hardware and software) and
resources to assist in malware incident handling. Examples of tools include packet sniffers and protocol
analyzers. Section 3.4 describes several additional tools such as antivirus software, spyware detection
and removal utilities, and host-based IPS software that incident handlers should be able to use. Incident
handling teams may choose to build hash sets of known good operating system and application files so
that they are better prepared to determine how malware has altered a system.
Examples of resources include lists of contact and on-call information, commonly used port numbers, and known critical assets.
Table 4-1 provides a checklist of key tools and resources for malware incident handlers:
Table 4-1. Tools and Resources for Malware Incident Handlers
Tool / Resource
Malware Incident Handler Communications and Facilities
  Contact information (e.g., phone numbers, e-mail addresses) for team members and others within and outside the organization (primary and backup contacts) who may have helpful information, such as antivirus vendors and other incident response teams
  On-call information for other teams within the organization, including escalation information
  Pagers or cell phones to be carried by team members for off-hour support, onsite communications
  Alternate Internet access method for finding information about new threats, downloading patches and updates, and reaching other Internet-based resources when Internet access is lost during a severe malware incident
  War room for central communication and coordination; if a permanent war room is not necessary, the team should create a procedure for procuring a temporary war room when needed
Malware Incident Analysis Hardware and Software
  Laptops, which provide easily portable workstations for activities such as analyzing data and sniffing
  Spare workstations, servers, and networking equipment, which may be used for trying out malware in an isolated environment; if the team cannot justify the expense of additional equipment, perhaps equipment in an existing test lab could be used, or a virtual lab could be established using OS emulation software
  Blank media, such as floppy diskettes and CDs, for storing and transporting malware samples and other files as needed
  Packet sniffers and protocol analyzers to capture and analyze network traffic that may contain
  Up-to-date, trusted versions of OS executables and analysis utilities, stored on floppy diskettes or CDs, to be used to examine systems for signs of malware infection (e.g., antivirus software, spyware detection and removal utilities, system administration tools, forensics utilities)
Malware Incident Analysis Resources
  Port lists, including commonly used ports and known Trojan horse and backdoor ports
  Documentation for OSs, applications, protocols, and antivirus and intrusion detection signatures
  Network diagrams and lists of critical assets, such as Web, e-mail, and File Transfer Protocol
  Baselines of expected network, system and application activity
Malware Incident Mitigation Software
  Media, including OS boot disks and CDs, OS media, and application media
  Security patches from OS and application vendors
  Disk imaging software and backup images of OS, applications, and data stored on secondary
33 Resources that can be helpful for determining the legitimacy of virus alerts include the Computer Incident Advisory Capability (CIAC) (http://ciac.llnl.gov/ciac/), the Computer Virus Myths site (http://www.vmyths.com/), and major antivirus manufacturers’ Web sites.
34 NIST’s National Software Reference Library (NSRL) has hashes for files from many operating systems and applications. Handlers can also create hashes of files periodically. Handlers should rely on standard hash sets such as those from the NSRL project whenever possible, and create custom hash sets primarily for organization-specific files. Because Federal agencies must use FIPS-approved encryption algorithms contained in validated cryptographic modules, handlers should use SHA-1 instead of MD5 for file hashes whenever possible.
35 Additional resources are listed in Appendix F.
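As an added illustration of the hash-set preparation the guide describes (example code written for this page, not NIST's own tooling and not the NSRL data format), the following Python script builds a hash set of known-good files, later re-scans the same tree, and reports which files were modified, which are missing, and which appeared. It hashes with SHA-1 because that is the algorithm the guide names; on a current system a practitioner would pick SHA-256, which is a one-line change. The file tree and the simulated tampering are constructed inside a temporary directory so the script runs offline.

```python
"""Known-good hash set: build, re-scan, and diff.

Added example, not part of NIST SP 800-83. All files and the 'infection'
below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries do not load into memory


def sha1_of_file(path):
    """Stream a file through SHA-1 and return the hex digest.

    SHA-1 is used because the guide names it over MD5; substitute
    hashlib.sha256 for new deployments.
    """
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_set(root):
    """Return {relative POSIX path: sha1} for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree cannot mask a
    replaced file.
    """
    root = Path(root)
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                hashes[p.relative_to(root).as_posix()] = sha1_of_file(p)
    return hashes


def compare_hash_sets(baseline, current):
    """Classify differences between a known-good set and a current scan."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    missing = sorted(k for k in baseline if k not in current)
    new = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "new": new}


def demo():
    """Constructed scenario: baseline a tiny 'system', then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = build_hash_set(root)  # taken while the system is known good

        # Simulated infection: ps replaced, ls removed, an unknown file dropped.
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary")
        (root / "bin" / "ls").unlink()
        (root / "etc" / "dropped.dat").write_bytes(b"unknown payload")

        return compare_hash_sets(baseline, build_hash_set(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is computed from trusted media before any incident and kept off the host being checked, and the hash set is the organization-specific supplement to a standard set such as the NSRL's; the comparison function above works the same way on either.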
Organizations should strive to detect and validate malware incidents rapidly, because infections can
spread through an organization in a matter of minutes. Early detection can help the organization
minimize the number of infected systems, which should lessen the magnitude of the recovery effort and
the amount of damage the organization sustains. Although major incidents might hit an organization so
quickly that there is no time for anyone to react, most incidents occur more slowly.
Because malware can take many forms and be distributed through many means, there are many possible
signs of a malware incident and many locations within an organization where the signs might be recorded
or observed. It sometimes takes considerable analysis, requiring extensive technical knowledge and
experience, to confirm that an incident has been caused by malware, particularly if the malware threat is
new and unknown. After malware incident detection and validation, incident handlers should determine
the type, extent, and magnitude of the problem as quickly as possible so that the response to the incident
can be given the appropriate priority. Sections 4.2.1 through 4.2.3 provide guidance on understanding the
signs of malware incidents, identifying the characteristics of incidents, and determining incident scope
and prioritizing response efforts.
4.2.1 Understanding Signs of Malware Incidents
Signs of a malware incident fall into two categories: precursors and indications. A precursor is a sign
that a malware attack may occur in the future. An indication is a sign that a malware incident may have
occurred or may be occurring.
Most malware precursors take one of the following forms:
Malware Advisories. Antivirus vendors and other security-related organizations distribute and
post advisories concerning major new malware threats. Incident handlers should subscribe to
malware advisory mailing lists so that they receive advance warning of threats that could affect
the organization in the coming hours or days. Incident handlers might also hear reports of new
malware from general security mailing lists, as well as from peers at other organizations that have
already been affected. In addition, organizations can pay for early warning services that identify
and analyze emerging malware threats, with the intent of providing reliable information to service
subscribers before the information is publicly available from other sources, such as antivirus
Security Tool Alerts. Tools such as antivirus software and IPSs can detect and quarantine,
delete, or otherwise prevent instances of malware from infecting systems. These actions cause
security tool alerts to be generated, which might be signs of a subsequent incident. For example,
after malware attempts but fails to enter a system through one means (resulting in alerts), the
same type of malware could enter the organization through an unmonitored attack vector (e.g., an
unsecured modem) or reach a system that had not been properly secured, causing an incident.
Detecting precursors gives organizations an opportunity to prevent incidents by altering their security
posture and to be on the alert to handle incidents that occur shortly after the precursor. In the most
serious cases, if it seems nearly certain that the organization is about to experience a major incident,
organizations might decide to act as if the incident were already occurring and begin to mobilize their
incident response capabilities. Nevertheless, many, if not most, malware incidents do not have clear
precursors, and precursors often appear immediately before an incident; therefore, organizations should
not rely on such advance warning.
Although incidents frequently occur without clear precursors, there are often many indications that a
malware incident is underway. Examples of indications are as follows:
A Web server crashes.
Users complain of slow access to hosts on the Internet, exhaustion of system resources, slow disk
access, or slow system boots.
Antivirus software detects that a host is infected with a worm and generates an alert.
A system administrator sees a filename with unusual characters.
A host records an auditing configuration change in its log.
Whenever a user tries to run a Web browser, the user’s laptop reboots itself.
An e-mail administrator sees a large number of bounced e-mails with suspicious content.
Security controls such as antivirus software and personal firewalls are disabled on many hosts.
A network administrator notices an unusual deviation from typical network traffic flows.
Most of these indications could have causes other than malware. For example, a Web server could crash
because of a non-malware attack, an OS flaw, or a power disruption, among other reasons. Bounced e-
mails could be caused by a system hardware failure or e-mail server misconfiguration, or they might be
spoofed by a spammer. These complications illustrate the challenges involved in detecting and validating
a malware incident, and the need to have well-trained, technically knowledgeable incident handlers who
can perform analysis quickly to determine what has happened. Handlers should be adept at reviewing
possible indications from many different sources and correlating data among the sources to identify
malware-related activity. The primary sources of indications fall into a few broad categories:
Users. Users often report malware-related indications to the help desk and other technical
support staff. For example, users might see antivirus alerts on their workstations, experience
operational failures, or notice unusual behavior. Users may also be the cause of an infection and
may call the help desk after inadvertently doing something they should not have.
IT Staff. System, network, and security administrators, as well as other IT staff members,
usually are familiar with normal activity and are sensitive to observed significant deviations from
Security Tools. Some security tools, such as antivirus software and IPSs, may record explicit
indications of malware. Other tools, such as network monitoring software, may report deviations
from expected behavior without specifically labeling it as malware related. The alerts and other
information produced by security tools need to be monitored frequently or continuously to be of
value in detecting malware.
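The guide's point that a single indication (a crashed Web server, a slow disk) is rarely conclusive, while reports about the same host from several of the source categories above are worth immediate validation, can be made concrete with a small correlation script. This is an added example, not part of SP 800-83; the event records, host names and source labels are constructed sample data, and the one-hour window is an assumed tuning value.

```python
"""Correlate possible malware indications from several sources per host.

Added example, not part of NIST SP 800-83. Events are constructed sample
data; requires Python 3.7+ for datetime.fromisoformat.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source category, host, description).
# Source categories follow the guide: users, IT staff, security tools.
SAMPLE_EVENTS = [
    ("2024-03-01T09:02:00", "security_tool", "ws-117", "antivirus: worm detected, quarantine failed"),
    ("2024-03-01T09:05:00", "user", "ws-117", "help desk: laptop reboots whenever browser is launched"),
    ("2024-03-01T09:07:00", "it_staff", "ws-117", "netmon: unusual outbound scanning from host"),
    ("2024-03-01T09:30:00", "user", "ws-204", "help desk: slow disk access"),
    ("2024-03-01T14:00:00", "it_staff", "web-01", "web server crashed and was restarted"),
    ("2024-03-01T14:20:00", "security_tool", "ws-204", "personal firewall disabled"),
    ("2024-03-01T14:21:00", "user", "ws-204", "help desk: antivirus icon has disappeared"),
]


def parse_event(ev):
    ts, source, host, desc = ev
    return {"ts": datetime.fromisoformat(ts), "source": source, "host": host, "desc": desc}


def correlate(events, window=timedelta(hours=1)):
    """Return {host: {"sources": [...], "events": [...]}} for every host whose
    events from at least two distinct source categories fall within `window`
    of each other. Hosts with only one source of evidence are not returned;
    they remain uncorroborated indications for a handler to review.
    """
    by_host = defaultdict(list)
    for ev in map(parse_event, events):
        by_host[ev["host"]].append(ev)

    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window forward from each event; the first cluster that
        # contains two or more source categories flags the host.
        for i, anchor in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= 2:
                flagged[host] = {
                    "sources": sorted(sources),
                    "events": [e["desc"] for e in cluster],
                }
                break
    return flagged


if __name__ == "__main__":
    for host, info in correlate(SAMPLE_EVENTS).items():
        print(host, info["sources"])
        for desc in info["events"]:
            print("   ", desc)
```

With the sample data, ws-117 is flagged with all three source categories within five minutes, ws-204 is flagged on the afternoon pair (the morning slow-disk complaint is outside the window), and web-01's lone crash is not flagged, matching the guide's observation that a crash alone has many non-malware explanations.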
The variety of characteristics exhibited by malware is so great that it is not feasible to develop a
comprehensive list of indications. However, Table 4-2 lists the most likely indications of a malware
incident for various types of malware and attacker tools. This table may help individuals identify and
classify possible malware incidents more quickly. Indications for incidents in which malware has
achieved administrator-level access are not represented in Table 4-2. If malware achieves this level of
access on a system, it may be able to perform virtually any possible action on the system. Accordingly,
the indications for such incidents are nearly endless.