Cyber Incident Response

Malware Playbook v2.6

Malware Playbook 1
OFFICIAL
Document Control

Title: Malware Playbook
Version: 2.6
Date Issued: 10/11/2024
Status: Final
Document owner: Scottish Government
Creator name:
Creator organisation name: NCC Group
Subject category: Cyber Incident Response Management
Access constraints: OFFICIAL

Document Revision History

Version | Date | Author | Summary of changes
2.4 | 15/08/2024 | NCC Group | Generic version created from Public Sector Playbook
2.5 | 30/08/2024 | SC3 | Minor changes to reflect SC3 procedures, and inclusion of wording around Data Leak Recovery and Threat Actor Engagement plans
2.6 | 10/11/2024 | NCC Group | Final release following review

Contents

1. Introduction (p. 4)
   1.1. Overview (p. 4)
   1.2. Purpose (p. 4)
   1.3. Malware Definition (p. 4)
   1.4. Scope (p. 5)
   1.5. Review Cycle (p. 5)
2. Preparation Phase (p. 6)
3. Detect (p. 9)
4. Analyse (p. 13)
5. Remediation – Contain, Eradicate and Recover (p. 15)
6. Post Incident (p. 19)
7. Annex A: Flow Diagram (p. 21)

1. Introduction
1.1. Overview
In the event of a cyber-incident, it is important that the organisation is able to respond, mobilise and execute an appropriate level of response to
limit the impact on the brand, value, service delivery and the public, client and customer confidence. Although all cyber incidents are different in
their nature and technologies used, it is possible to group common cyber incident types and methodologies together. This is to provide an
appropriate and timely response depending on the cyber incident type. Incident specific playbooks provide incident managers and stakeholders
with a consistent approach to follow when remediating a cyber-incident.
References are made within this document to both a Core IT Cyber Incident Response Team (Core IT CIRT) and an extended CIRT. This is in recognition of the
fact that organisations are different and will have their own response to cyber incidents. Some may initially manage an incident with a small
response team within IT services, but where there is a confirmed compromise this may be escalated to an extended-level CIRT comprised of
members of the organisation outside IT services who will deal with agreed categories of compromise. The Playbook, as with the Cyber Incident
Response Plan (CIRP), will need to be adjusted to reflect the organisational make-up.
Playbooks describe the activities of those directly involved in managing specific cyber incidents. However, it is important to acknowledge the
speed at which cyber incidents can escalate and become a significant business disruptor requiring both business continuity and consequence
management considerations. Early consideration should be given to engaging Business Continuity, Resilience and Policy Area Leads in order
that the wider issues can be effectively managed. Business Continuity and Resilience leads within the organisation must therefore be familiar
with the CIRP and Playbooks and how they link to wider Incident response arrangements.

1.2. Purpose
The purpose of this Cyber Incident Response: Malware Playbook is to define activities that should be considered when detecting, analysing
and remediating a malware incident. The playbook also identifies the key stakeholders that may be required to undertake these specific
activities.

1.3. Malware Definition
Malware is any software intentionally designed to negatively impact a computer, server, client, or computer network. Malware must be
implanted or introduced in some way into a target's computer. Malware can take the form of executable code, scripts, active content, and/or
other software.
Malware includes: computer viruses, worms, trojan horses, spyware, rootkits, botnet software, keystroke loggers, ransomware, cryptominers,
adware and malicious mobile code. Some types of malware (e.g. spyware, rootkits, ransomware, cryptominers and botnet software) are often
used during sophisticated cyber-attacks against organisations. In these cases, malware can be customised to target specific systems within an
organisation’s technical infrastructure and configured to avoid detection. Malware has a malicious intent, acting against the interest of the
computer user and so does not include software that causes unintentional harm due to some deficiency, which is typically described as a
software bug.

1.4. Scope
This document has been designed for the sole use of first responders such as the Service Desk team when responding to cyber incidents. It is
not standalone and must be used alongside your CIRP.
There are similar playbooks available as part of this project including but not limited to: Phishing, Malware and Ransomware. The appropriate
playbook should be used for the appropriate incident type.

1.5. Review Cycle


This document is to be reviewed for continued relevancy by the CIRT lead at least once every 12 months, and following any major cyber security
incident, a change of vendor, or the acquisition of new security services.

2. Preparation Phase

Phase objectives. The preparation phase has the following objectives:
- Prepare to respond to a cyber security incident in a timely and effective manner;
- Prepare organisational assets for a malware outbreak;
- Inform employees of their role in remediating a malware incident, including reporting mechanisms.

Activity: Prepare to respond
Activities may include, but are not limited to:

Ensure that:
- All endpoint, mobile device and server systems have an anti-malware solution deployed, which is regularly patched and monitored and receives regular signature updates;
- Gateway anti-malware solutions are in place;
- User data is not stored locally but on shared drives that are backed up, and users do not hold local administrator rights where practical;
- Endpoint logging is active and collected;
- Implementation of an Endpoint Detection and Response (EDR) solution has been considered.
Stakeholders: Information Security Manager; Head of IT

Review and exercise cyber incident response procedures, including technical and business roles and responsibilities, and escalation to major incident management where necessary.
Stakeholders: Head of Information Governance; Head of IT; Information Security Manager; Team Leader; Service Delivery Manager; Service Desk Analysts/Technicians; Legal Team; Communications Team; Resilience Lead; Business Continuity Lead

Review recent cyber security incidents and their outputs.
Stakeholders: Information Security Manager

Review threat intelligence for threats to the organisation, its brands and the sector, as well as common patterns and newly developing risks and vulnerabilities.
Stakeholders: Information Security Manager

Ensure appropriate access to any necessary documentation and information, including out-of-hours access, for the following:
- CIRP;
- <<Network Architecture Diagrams>> (insert links);
- <<Data Flow Diagrams>> (insert links).
Stakeholders: Information Security Manager

Identify and obtain the services of a 3rd party Cyber Forensic provider.
Stakeholders: Information Security Manager

Define threat and risk indicators and alerting patterns within the organisation's security information and event management (SIEM), SOAR or XDR solutions.
Stakeholders: Information Security Manager

Where associated with a ransom demand, consider pre-defining the parameters of a Threat Actor Engagement Plan to cover instances of, and considerations around, engagement with any Threat Actor. Activities may include, but are not limited to:
- General circumstances in which a Threat Actor would be engaged;
- Who would undertake the engagement (CIR etc.);
- Purpose of engagement: delay, intent to pay, proof of data exfiltrated, plead etc.;
- How exchanges will be recorded;
- Defining stakeholders to be involved, specifically advice offered by Police Scotland;
- Understanding wider potential political ramifications of engagement.
Stakeholders: Information Security Manager; Senior/Gold Command Team

Activity: Inform employees
Activities may include, but are not limited to:

Conduct regular awareness campaigns to highlight information security risks faced by employees, including:
- Phishing attacks and malicious emails;
- Ransomware;
- Reporting a suspected cyber incident.
Stakeholders: Head of IT; Information Security Manager; Resilience Lead; Business Continuity Lead

Ensure regular security training is mandated for those employees managing personal, confidential or high-risk data and systems.
Stakeholders: Head of IT; Information Security Manager; HR; L&D Department; Resilience Lead; Business Continuity Lead

Conduct exercising against this scenario at Tactical, Operational and Strategic levels. Consider use of the NCSC Exercise in a Box toolkit and/or access to the NCSC Exercising Assured Service.
Stakeholders: Information Security Manager; Resilience Lead; Business Continuity Lead

3. Detect

Phase objectives. The detection phase has the following objectives:
- Detect and report a breach or compromise of the confidentiality, integrity or availability of organisational data;
- Complete initial investigation of the malware;
- Report the malware formally to the correct team as a cyber incident.

Activity: Detect and report the incident
Activities may include, but are not limited to:

Monitor detection channels, both automatic and manual, customer and staff channels, for the identification of a malware attack, including:
- Anti-malware system notifications to the IT team;
- User notification to the Service Desk;
- Any other notification that raises suspicion of a malware incident.
*Isolated malware infections are to be expected and are ordinarily dealt with automatically by the anti-malware technology implemented by the organisation; only if an outbreak is impacting on services should the cyber incident response process and this playbook be engaged.
Stakeholders: Information Security Manager; Core IT CIRT

Report the cyber incident via the Service Desk. If a ticket does not exist already, raise a ticket containing the minimum information. To report an incident, follow the process defined in the CIRP. Consider reporting to Police Scotland where a criminal investigation may be warranted.
Stakeholders: Information Security Manager; Core IT CIRT

Consider whether data loss or a data breach has occurred and, if so, refer to the data breach playbook.
Stakeholders: Information Security Manager; Information Governance Team; Core IT CIRT

Classify the cyber security incident against the incident types (see CIRP), based upon the available information related to the malware attack.
Stakeholders: Information Security Manager; Core IT CIRT

Report the cyber incident in accordance with the organisation's CIRP. Consider the intelligence value to other organisations and share on the Cyber Security Information Sharing Partnership (CiSP). For public sector organisations only: consider whether the incident meets the requirements of the Scottish Public Sector Cyber Incident Co-ordination Procedure as contained within the CIRP.
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

Where appropriate, consider reporting requirements to the Information Commissioner's Office (ICO), relevant Regulator and/or Competent Authority (NISD), National Cyber Security Centre (NCSC), Police Scotland and Scottish Cyber Coordination Centre (SC3).
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

Activity: Initial investigation of the incident
Activities may include, but are not limited to:

Mobilise the CIRT to begin initial investigation of the cyber security incident (see staff contact details within the CIRP).
Stakeholders: Information Security Manager; CIRT. The following may also be included in the incident response team where appropriate for the incident: Service Desk Analysts; Service Desk Technicians; Server Team; Mobile Device Team

Identify the likelihood of widespread malware infection.
Stakeholders: Head of IT; Information Security Manager; Core IT CIRT; CIRT

Collate initial incident data, including as a minimum the following:
- A timeline of: when the malware was first detected, malware activity, user interactions, and any other significant events;
- Malware identification method: via an anti-malware solution or other means;
- Scope of the infection: in terms of systems and/or applications affected;
- Does the malware appear to be spreading within the infrastructure?
- The probable nature of the malware infection, if known;
- Whether the anti-malware solution has successfully quarantined/cleansed the infection;
- Likely containment options (e.g. based on publicly available information for known malware).
Stakeholders: Head of IT; Information Security Manager; Core IT CIRT; CIRT

Secure artefacts, including copies of suspected malicious software and forensic copies of affected system(s), for future analysis.
Stakeholders: Information Security Manager; Core IT CIRT

Research Threat Intelligence sources and consider CiSP submission to gain further intelligence and support mitigation by others.
Stakeholders: Information Security Manager; Core IT CIRT

Review the cyber incident categorisation to validate the cyber security incident type as a malware attack and assess the incident priority, based upon the initial investigation (see CIRP for the Incident Severity Matrix).
Stakeholders: Security Manager; Core IT CIRT

Activity: Incident reporting
Activities may include, but are not limited to:

Report the cyber incident in accordance with the organisation's CIRP.
Stakeholders: Information Security Manager; CIRT

Consider the intelligence value to other organisations and share on the CiSP. For public sector organisations only: consider whether the incident meets the requirements of the Scottish Public Sector Cyber Incident Co-ordination Procedure as contained within the CIRP.
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

Where appropriate, consider reporting requirements to the Information Commissioner's Office (ICO), relevant Regulator and/or Competent Authority (NISD), National Cyber Security Centre (NCSC), Police Scotland and Scottish Cyber Coordination Centre (SC3).
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

Escalate in accordance with the CIRP.
Stakeholders: Information Security Manager; CIRT; Resilience Lead; Business Continuity Lead

Activity: Establish the requirement for a full forensic investigation
Activities may include, but are not limited to:

Consider conducting a full forensic investigation, on the advice of legal counsel. All evidence handling should be conducted in line with the Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence.
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

4. Analyse

Phase objectives. The analysis phase has the following key objectives:
- Analyse the cyber incident to uncover the scope of the attack;
- Identify and report potentially compromised data and the impact of such a compromise;
- Establish the requirement for a full forensic investigation;
- Develop a remediation plan based upon the scope and details of the cyber incident.

Activity: Analyse the extent of the incident
Activities may include, but are not limited to:

Engage technical staff from resolver groups.
Stakeholders: Service Desk Technicians; Core IT CIRT

Classify the malware by submission to multiple AV vendors and determine the family it belongs to.
Stakeholders: Information Security Manager; Core IT CIRT

Scope the attack, covering:
- A timeline of: when the malware was first detected, malware activity, user interactions, and any other significant events;
- Malware identification method: via an anti-malware solution or other means;
- Scope of the infection: in terms of systems and/or applications affected;
- Does the malware appear to be spreading within the infrastructure?
- The probable nature of the malware infection, if known;
- Whether the anti-malware solution has successfully quarantined/cleansed the infection;
- Likely containment options (e.g. based on publicly available information for known malware).
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

Reverse-engineer the malware in a secure environment to understand its mechanisms and the functionality it implements.
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

Execute the malware in a secure environment or sandbox, segregated from the business network, to determine its behaviour on a test system, including created files, launched services, modified registry keys and network communications.
Stakeholders: Information Security Manager; Core IT CIRT

Review affected infrastructure for indicators of compromise derived from the malware analysis to identify any additional compromised system(s).
Stakeholders: Information Security Manager; Core IT CIRT

Preserve all evidence to support attribution or anticipated legal action.
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

Examine threat intelligence feeds to determine if the malware attack is bespoke and targeted at specific accounts, infrastructure or systems.
Stakeholders: Information Security Manager; Core IT CIRT

Verify all infected assets are isolated and in the process of being recalled and quarantined.
Stakeholders: Information Security Manager; Core IT CIRT; CIRT
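Two of the steps above, sweeping the affected infrastructure for indicators of compromise taken from the sandbox analysis (created files, launched services, modified registry keys, network communications) and recording the first-detected timeline per host that the Detect phase asks for, as an added Python example that is not part of the playbook or of any NCC Group or Scottish Government material. The indicator values, hostnames, the NDJSON event schema and the telemetry lines are all constructed for the example; in practice the indicators come from the sandbox output and the events from the organisation's EDR or SIEM.

```python
"""IoC sweep over endpoint telemetry (added example, not part of the playbook).

Indicators of the kind sandbox analysis yields (file hash, dropped file path,
registry Run key, service name, C2 domain) are matched against EDR-style NDJSON
events so that hosts the anti-malware solution never flagged are found and a
first-seen time per host is recorded. All values below are constructed data.
"""
from collections import defaultdict
import json

# Constructed indicators "derived from the malware analysis" (hypothetical),
# stored normalised (lower-case, no trailing dot) so matching is exact.
IOCS = {
    "sha256": {"3f8a9c0e1b2d4f6a7c8e9d0b1a2c3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d"},
    "path": {r"c:\users\public\svchost_update.exe"},
    "registry": {r"hkcu\software\microsoft\windows\currentversion\run\updater"},
    "service": {"wuauservx"},
    "domain": {"update-cdn.example.invalid"},
}

# Which telemetry field carries which indicator type (hypothetical schema).
FIELD_TO_IOC = {"sha256": "sha256", "path": "path", "key": "registry",
                "service": "service", "query": "domain"}

# The host the anti-malware solution already alerted on (constructed).
KNOWN_INFECTED = {"LAP-0042"}

# Constructed NDJSON telemetry; the last line is deliberately malformed.
SAMPLE_TELEMETRY = r"""
{"ts":"2024-11-01T08:02:11Z","host":"LAP-0042","type":"file_create","path":"C:\\Users\\Public\\svchost_update.exe","sha256":"3F8A9C0E1B2D4F6A7C8E9D0B1A2C3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8B9C0D"}
{"ts":"2024-11-01T08:02:15Z","host":"LAP-0042","type":"registry_set","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"ts":"2024-11-01T08:03:40Z","host":"LAP-0042","type":"dns_query","query":"update-cdn.example.invalid"}
{"ts":"2024-11-01T09:15:02Z","host":"SRV-FILE01","type":"service_create","service":"wuauservx"}
{"ts":"2024-11-01T09:15:09Z","host":"SRV-FILE01","type":"dns_query","query":"UPDATE-CDN.example.invalid."}
{"ts":"2024-11-01T09:20:00Z","host":"LAP-0107","type":"file_create","path":"C:\\Program Files\\Vendor\\app.exe","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"ts":"2024-11-01T10:01:33Z","host":"LAP-0311","type":"dns_query","query":"update-cdn.example.invalid"}
this line is not JSON and must not abort the sweep
"""


def match_event(event):
    """Return (ioc_type, value) pairs from `event` that appear in IOCS."""
    hits = []
    for field, ioc_type in FIELD_TO_IOC.items():
        if field not in event:
            continue
        value = str(event[field]).lower()
        if field == "query":  # DNS queries may carry a trailing dot
            value = value.rstrip(".")
        if value in IOCS[ioc_type]:
            hits.append((ioc_type, value))
    return hits


def sweep_telemetry(ndjson_text, known_infected):
    """Scan NDJSON events; report hits per host, new hosts and first-seen times."""
    hits_by_host = defaultdict(list)
    first_seen = {}
    malformed = 0
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1  # keep going; the count goes in the incident record
            continue
        host, ts = event.get("host", "<unknown>"), event.get("ts", "")
        for ioc_type, value in match_event(event):
            hits_by_host[host].append((ts, event.get("type", ""), ioc_type, value))
            # ISO-8601 UTC timestamps sort lexically, so min() is the earliest.
            first_seen[host] = min(first_seen.get(host, ts), ts)
    return {
        "hits": dict(hits_by_host),
        "first_seen": first_seen,
        "newly_identified": sorted(h for h in hits_by_host if h not in known_infected),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    result = sweep_telemetry(SAMPLE_TELEMETRY, KNOWN_INFECTED)
    for host, ts in sorted(result["first_seen"].items(), key=lambda kv: kv[1]):
        status = "known" if host in KNOWN_INFECTED else "NEW"
        print(ts, host, status, len(result["hits"][host]), "indicator hit(s)")
    print("additional hosts to isolate:", result["newly_identified"],
          "| malformed lines skipped:", result["malformed_lines"])
```

The `newly_identified` hosts are the candidates for isolation in the Containment step; `first_seen` feeds the incident timeline.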

5. Remediation – Contain, Eradicate and Recover

Phase objectives. The remediation phase has the following objectives:
- Contain the effects of the malware on the targeted systems;
- Eradicate the malware from the network through agreed mitigation measures;
- Recover affected systems and services back to a Business As Usual (BAU) state.

Activity: Containment
Contain the technical mechanisms of the malware attack, including:

Monitor for any new infections suggesting the malware is spreading across the infrastructure. Alert the CIRT to any significant changes in the scope of the incident (e.g. the infection of a previously unaffected business system or site).
Stakeholders: Information Security Manager; Core IT CIRT

Ensure that the latest malware definitions have been deployed via the anti-malware solution.
Stakeholders: Information Security Manager; Core IT CIRT

Initiate an estate-wide anti-malware scan incorporating indicators of compromise observed during the analysis stage.
Stakeholders: Information Security Manager; Core IT CIRT

Identify infected assets and isolate them from the network. Business continuity options for users affected by such disconnection include:
- Replace disconnected devices with fresh builds from IT, where stocks permit (implementing relevant patching);
- Direct users whose devices are isolated to work from an alternative location, such as another office, a Disaster Recovery facility or from home.
Where necessary the corporate disaster recovery process will be followed.
Stakeholders: Information Security Manager; Core IT CIRT

Determine whether the malware appears to be attempting to communicate with outside parties (e.g. attempting to connect to botnet command and control servers on the public internet) and take steps to block any such communication.
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

Suspend the login credentials and sessions of suspected compromised accounts, implementing MFA where applicable.
Stakeholders: Information Security Manager; Core IT CIRT; CIRT

Secure copies of the malicious code, affected systems and any identified artefacts for further investigation (engaging with forensic support if forensic copies are required).
Stakeholders: Information Security Manager; Core IT CIRT

Inform business data owner(s) and stakeholders of the progress of containment activities.
Stakeholders: Information Security Manager; CIRT; Resilience Lead; Business Continuity Lead; Policy Area Lead

Activity: Eradication
Activities may include, but are not limited to:
- Identify removal methods from the results of the malicious code analysis and trusted sources (AV providers);
- Complete an automated or manual removal process to eradicate malware or compromised executables using appropriate tools;
- Conduct a restoration of affected networked systems from a trusted backup;
- Reinstall any standalone systems from a clean OS backup before updating with trusted data backups;
- Reset any compromised account details;
- Continue to monitor for signatures and other indicators of compromise to prevent the malware attack from re-emerging;
- Confirm policy compliance across the estate.
Stakeholders (for each of the above): Information Security Manager; Core IT CIRT

Activity: Recover to BAU
Activities may include, but are not limited to:
- Recover systems based on business impact analysis and business criticality;
- Complete malware scanning of all systems across the estate;
- Re-image compromised systems;
- Reset credentials and sessions of all involved system(s) and users, implementing MFA where applicable;
- Reintegrate previously compromised systems;
- Restore any corrupted or destroyed data;
- Restore any suspended services;
- Establish monitoring to detect further suspicious activity;
- Coordinate deployment of all necessary patches and vulnerability remediation activities.
Stakeholders (for each of the above): Information Security Manager; Core IT CIRT

6. Post Incident

Phase objectives. The post-incident activities phase has the following objectives:
- Complete an incident report including all incident details and activities;
- Complete the lessons identified and problem management process;
- Publish appropriate internal and external communications.

Activity: Incident reporting

Draft a post-incident report that includes the following details as a minimum:
- Details of the cause, impact and actions taken to mitigate the cyber incident, including: timings, type and location of the incident as well as the effect on users;
- Activities that were undertaken by relevant resolver groups, service providers and business stakeholders that enabled normal business operations to be resumed;
- Recommendations where any aspects of people, process or technology could be improved across the organisation to help prevent a similar cyber incident from reoccurring, as part of a formalised lessons identified process.
Stakeholders: Senior Stakeholders; Head of Information Governance; Head of IT; Audit Committee; Information Security Manager

Activity: Lessons Identified & Problem Management

Complete the formal lessons identified process to feed back into future preparation activities.
Stakeholders: Information Security Manager; CIRT; Resilience Lead

Consider sharing lessons identified with the wider stakeholders.
Stakeholders: Information Security Manager; CIRT; Resilience Lead; Business Continuity Lead

Conduct root cause analysis to identify and remediate underlying vulnerabilities.
Stakeholders: Information Security Manager; CIRT

Activity: Human Resources

Review staff welfare: working hours, overtime, time off in lieu and expenses.
Stakeholders: Information Security Manager; HR

Activity: Communications
Activities may include, but are not limited to:

Publish internal communications in line with the communications strategy to inform and educate employees on malware attacks and security awareness.
Stakeholders: Information Security Manager; CIRT; Communications; Resilience Lead; Business Continuity Lead

Publish external communications, if appropriate, in line with the communications strategy to provide advice to customers, engage with the market, and inform the press of the cyber incident. These communications should provide key information on the cyber incident without leaving the organisation vulnerable or inciting further malware attacks.
Stakeholders: Head of IT; Information Security Manager; Communications Team

7. Annex A: Flow Diagram
