Module 11: Incident Eradication and Recovery

Eradication

List every hosts and device affected.
Perform a complete wipe and reimage of affected system(s).
Pinpoint initial point of infection, identify IoCs, and assess affected processes/applications on each system.
Reset passwords for compromised/partially compromised accounts.

Remove malicious artifacts/threats via manual/automated eradication.

Partial reimaging is aimed at restoring only certain parts affected, i.e. OS if data disks/network drives are unaffected.

Identify and prioritize vital systems and data.

Best to use incremental backups for these data-heavy components. Snapshots are also instrumental.

Be thorough in post-recovery threat assessments. Simulate real-world attacks through penetration testing and red teaming.

Last updated 1 year ago