According to the NIST incident handling guide, the steps for handling an incident include preparation, detection and analysis, containment, eradication, recovery, and post-incident activity12. In the scenario described, the incident response team has detected the malware, eradicated it by removing the malware, and recovered by restoring the functionality and data of infected systems. However, the step of containment, which should occur before eradication and recovery to prevent the spread of malware and further damage, appears to have been missed. Containment strategies are crucial to limit the scope and magnitude of an incident1.

References :=

NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide1

NIST Incident Response: Your Go-To Guide to Handling Cybersecurity2