
Engage
Initial Triage
Interview key individuals
Notify internal management chain (preliminary)
Determine if illegal activity is involved
Determine if there is inappropriate internal involvement
Ensure appropriate evidence collection and preservation

Detect/Analyze
Disconnect or isolate malware-infected systems
Analyze malware-infected systems
Review the output and status of anti-virus software
Research AV vendor databases
Analyze network traffic for malware activity
Research current attack intelligence and recent vulnerabilities
Sandbox malware-infected systems
Update internal management team as appropriate (assessment)

Respond
Notify legal counsel of any illegal or inappropriate activity
Notify constituents (status update)
Apply type-specific malware containment measures
Ensure updated antivirus signatures are deployed
Notify external parties as appropriate
Notify law enforcement
Identify specific malware-infected devices
Define and document malware eradication strategy
Recover each malware-infected system
Harden and/or patch all other vulnerable systems
Remove temporary containment measures
Notify computer security organizations and resources
Notify HR
Notify public relations department

Post-Incident
Notify internal management chain (resolution)
Notify constituents (resolution)
Properly dispose of incident information
Post-incident review
Generate incident report
Update policies and procedures
