Initial Triage
Interview key individuals
Notify internal management chain (preliminary)
Determine if illegal activity is involved
Determine whether inappropriate internal involvement exists
Ensure appropriate evidence collection and preservation

Disconnect or isolate malware-infected systems
Analyze malware-infected systems
Review the output and status of anti-virus software
Research AV vendor databases
Analyze network traffic for malware activity
Research current attack intelligence and recent vulnerabilities
Sandbox malware-infected systems
Update internal management team as appropriate (assessment)

Notify legal counsel of any illegal or inappropriate activity
Notify constituents (status update)
Apply type-specific malware containment measures
Ensure updated antivirus signatures are deployed
Notify external parties as appropriate
Notify law enforcement
Identify specific malware-infected devices
Define and document malware eradication strategy
Recover each malware-infected system
Harden and/or patch all other vulnerable systems
Remove temporary containment measures
Notify computer security organizations and resources
Notify HR
Notify public relations department

Notify internal management chain (resolution)
Notify constituents (resolution)
Properly dispose of incident information
Post-incident review
Generate incident report
Update policies and procedures