conducting-malware-incident-response

# Conducting Malware Incident Response ## When to Use - EDR or antivirus detects malware execution on one or more endpoints - A user reports suspicious system behavior indicative of malware infection - Threat intelligence indicates a malware campaign targeting the organization's industry - Network monitoring detects beaconing traffic consistent with known malware C2 patterns - A file detonation in a sandbox returns a malicious verdict **Do not use** for analyzing malware samples in a research context; use dedicated malware analysis procedures for reverse engineering. ## Prerequisites - EDR platform with process tree visibility and host isolation capability - Malware sandbox environment (Cuckoo, ANY.RUN, Joe Sandbox, Hybrid Analysis) - Access to threat intelligence platforms for malware family identification (VirusTotal, MalwareBazaar) - Forensic imaging tools for evidence preservation (FTK Imager, KAPE) - Clean system images or gold images for endpoint rebuild - MITRE ATT&CK framework reference for technique mapping ## Workflow ### Step 1: Detect and Confirm Malware Presence Validate the malware alert and gather initial indicators: - Review EDR alert details: detection name, file path, hash (SHA-256), process tree - Check if the detection is a known malware family or generic heuristic detection - Query the file hash against VirusTotal, MalwareBazaar, and internal threat intelligence - Examine the process execution chain to determine how the malware was delivered ```...