
Immediate measures to take if you suspect an infection with malware

The measures listed must be carried out by IT specialists. The measures taken and the results of the incident analysis must be documented and communicated to the ISB/RUB-Cert team.

Isolation of the affected system

An infected system must not be operated on the RUB network!

  • The suspicious system must be immediately disconnected from the RUB network (LAN/Wi-Fi/Eduroam/mobile network).
  • The suspicious system must be shut down immediately if encryption is suspected (“ransomware” attack).

Information on continued operation or resumption can be found in the sections Data recovery, Elimination and Forensics.

Detection

  1. The suspicious system must be started in an isolated environment and in safe mode – if possible via a (read-only) boot disk.
  2. As a rule, the suspicious system must first be checked for obvious evidence of compromise (known as indicators of compromise, or IoCs). These include, among other things:
    • unauthorised new accounts
    • installed software unrelated to the service (e.g. toolkits)
    • unauthorised changes to or deletion of system and user data
    • unauthorised encryption of information and devices
  3. The suspicious system must then be examined using two different professional malware analysis tools:
    • all local data carriers used with the system (hard drives, partitions, USB devices, etc.) must be searched for IoCs.
  4. Together with the user, analyse all network storage (file shares, cloud storage) used with the suspicious system.
  5. If the system is equipped with the central RUB EDR software, the relevant log messages from the system must be saved and documented.
    • The contact person is the local IT administration or the IT.SERVICES IT-Security-Team (email contact).
Documentation

The entire process of incident analysis and handling must be documented (see Documentation).

Reaction (necessary notifications)
  • If an IoC is found, this must be documented as a finding. A finding confirms the suspicion of compromise and results in the incident being escalated to a security incident.
  • Findings must be reported immediately by IT support to the ISB/RUB-Cert team. This report is independent of the incident analysis documentation and serves to escalate incident handling quickly if necessary.
  • Depending on the type of finding, the IT team on site should immediately initiate any measures necessary to contain the incident in the network (see Containment in the network).
  • Users should be made aware of their obligations – refer to the summary of user information in case of suspicion: Nutzerinformationen im Verdachtsfall (German text)
    • Immediate change of passwords
    • Obligation to report data protection aspects
      This report is mandatory and must be made by the user independently of the reporting of findings by IT support.
    • Informing superiors about the security incident
  • Employees in the department must be informed – usually in consultation with their superiors – and questioned about similar suspected cases. If the cause of the infection is known, all employees in the department must be warned and instructed accordingly.
Elimination

Even if findings are available, there is no guarantee that all unauthorised modifications can be identified and automatically corrected.

  • Explain to the user that the system must not be used any further. Inform the user about how malware spreads.
  • Check whether data recovery is possible and offer it to the user. Any further use of the infected system by the user is not permitted.
  • Explain to the user that the system/operating system must be reinstalled (see Notes on disposal).
  • Support the user in changing their password (see Hinweise zum Passwortwechsel).
  • If necessary, assist the user in revoking S/MIME certificates, private PGP keys and SSH keys.
Data recovery

Data recovery must be carried out by IT specialists.

  • The infected system must be started in an isolated environment and in safe mode – if possible via a (read-only) boot disk.
  • The data to be recovered must be copied to new or verified removable media that are free of malicious code.
  • The removable media must then be checked again for malicious code (see Isolation and Detection).
  • Only when it has been ensured that the removable media are free of malicious code may they be connected to systems in the RUB network.
Completion

When you have finished all the steps, send the complete set of documents to the ISB/RUB-Cert team (email contact).

Documentation

The entire incident analysis and handling process must be documented for each asset.

To be documented by IT support:

  • Date and time when the suspicion arose
  • Affected system (inventory number, IP address, designation/name)
  • Affected user accounts (first name/last name, RUBloginID)
  • Description of the incident
  • The procedure for incident analysis
    • Analysis tools used
    • Results and findings
    • Scan results and log data as an attachment
  • Measures taken to contain and resolve the incident
  • Communication with those involved
  • Reports to the Information Security Office and to superiors
  • Processed by
  • Date and time of completion
Containment in the network

  • All computers located in the local subnet and all removable media used in the area (USB sticks, etc.) must immediately be treated as systems suspected of being infected with malicious code (see Isolation and Detection).
  • Depending on the nature and severity of the incident, the Information Security Office and RUB-Cert will initiate further measures.
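As an added illustration (not part of the RUB procedure and not RUB tooling), the following script performs a minimal IoC triage for two of the IoC classes named under Detection, unauthorised new accounts and unauthorised encryption of data, and returns each result as a record carrying the fields the Documentation section requires. All inputs are constructed inline; the account lists, file contents, asset name and user are assumptions, and the 7.5 bit/byte entropy threshold is a heuristic chosen for the example.

```python
# Added example: IoC triage over constructed data, producing documentation
# records. Real checks would read /etc/passwd, a SAM dump or the file system.
import math
from datetime import datetime, timezone

# Constructed baseline (last known-good inventory) and current account list.
BASELINE_ACCOUNTS = {"root", "sshd", "alice", "bob"}
CURRENT_ACCOUNTS = {"root", "sshd", "alice", "bob", "svc_update"}

# Constructed file samples: (path, content). Plain text has low Shannon
# entropy; encrypted or compressed data approaches 8 bits per byte.
SAMPLE_FILES = [
    ("/home/alice/thesis.txt", b"Chapter 1. Introduction. " * 40),
    ("/home/alice/thesis.txt.locked", bytes(range(256)) * 4),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def new_accounts(baseline: set, current: set) -> set:
    """Accounts present now but absent from the baseline (IoC: new accounts)."""
    return current - baseline

def suspected_encrypted(files, threshold: float = 7.5) -> list:
    """Paths whose content entropy suggests encryption (IoC: encrypted data).
    Heuristic: legitimate archives and media also score high, so every hit
    must be reviewed before being recorded as a finding."""
    return [path for path, data in files if shannon_entropy(data) >= threshold]

def finding_record(asset: str, user: str, findings: list) -> dict:
    """Documentation record with the fields IT support must report.
    Any confirmed finding escalates the case to a security incident."""
    return {
        "suspicion_raised": datetime.now(timezone.utc).isoformat(),
        "affected_system": asset,      # inventory number / IP / name
        "affected_user": user,         # RUBloginID
        "findings": findings,
        "escalate_to_security_incident": bool(findings),
    }

if __name__ == "__main__":
    hits = [f"new account: {a}" for a in new_accounts(BASELINE_ACCOUNTS, CURRENT_ACCOUNTS)]
    hits += [f"encrypted file: {p}" for p in suspected_encrypted(SAMPLE_FILES)]
    print(finding_record("inv-0001 (assumed)", "rubloginid (assumed)", hits))
```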

Notes on disposal

The measures for elimination must be carried out by IT specialists. They should be chosen according to the type of finding.

If the finding suggests an APT actor, the system's motherboard and internal disks should be subjected to a forensic investigation (see Forensics). If no forensic investigation is to be carried out, the motherboard and disks must be disposed of and replaced with new components.

If there are no strong indications of an APT actor, the motherboard firmware should be reflashed and the system's internal disks completely erased. This can be done using low-level format programmes or by completely overwriting the disks with random data, including any host-protected areas.

Forensics

Whether a forensic investigation must or should be carried out on an infected system at RUB is determined by the Information Security Office and RUB-Cert. The decision depends on the initial report of findings by IT support and on the nature and severity of the incident.

External service providers are called in for a forensic investigation. In this case, the infected system should not be shut down. At the very least, firmware and disks must not be erased, overwritten or disposed of.

However, normally, no forensic investigation is carried out on individual infected workstation systems.

In any case, the infected system must be disconnected from the RUB network and no longer used!