Module 11: Incident Eradication and Recovery

Eradication

Developing an Eradication Plan

  1. List every host and device affected.

  2. Pinpoint the initial point of infection, identify IoCs, and assess the affected processes/applications on each system. Preserve forensic images and logs before any cleanup, because wiping a host destroys the evidence this step depends on.

  3. Perform a complete wipe and reimage of the affected system(s).

  4. Reset passwords for compromised and partially compromised accounts, and rotate any keys or tokens those accounts held.
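The four steps above as one worked procedure. This is an added example for this module, not code from the original notes: it assumes a hypothetical one-event-per-line log format (`<timestamp> <host> <event> key=value ...`), and the IoC values, host names, user names and log lines are all constructed for illustration. Given a set of IoCs it builds the affected-host list, finds the initial point of infection (earliest IoC hit), separates accounts seen in IoC events from accounts that merely touched an affected host, and emits the plan in the order evidence preservation, reimage, credential reset.

```python
"""Build an eradication plan from indicators of compromise (IoCs).

Added example, not code from the original module notes. Assumed log format:
    <ISO-8601 timestamp> <host> <event> key=value ...
All IoC values, host names, user names and log lines are constructed.
"""
from collections import defaultdict

MALICIOUS_HASH = "deadbeef" * 8  # constructed dropper hash (not a real sample)

# Log field -> IoC class, and the known-bad values per class (all constructed).
IOC_FIELDS = {"sha256": "sha256", "dst": "ip", "query": "domain"}
IOCS = {
    "sha256": {MALICIOUS_HASH},
    "ip": {"203.0.113.45"},               # C2 address, TEST-NET-3 documentation range
    "domain": {"update-check.example"},   # C2 domain, reserved .example TLD
}

# Constructed log lines. ws-022 talks to an unrelated address and must not
# end up on the affected list; svc-backup only logs on to an affected host.
LOG_LINES = f"""
2024-03-01T08:02:11Z ws-017 dns query=update-check.example user=alice
2024-03-01T08:02:14Z ws-017 exec sha256={MALICIOUS_HASH} user=alice
2024-03-01T08:05:40Z ws-017 net dst=203.0.113.45 user=alice
2024-03-01T09:41:02Z srv-file01 logon user=alice src=ws-017
2024-03-01T09:42:55Z srv-file01 exec sha256={MALICIOUS_HASH} user=alice
2024-03-01T10:15:00Z ws-022 net dst=198.51.100.7 user=bob
2024-03-01T11:03:19Z srv-file01 logon user=svc-backup src=ws-017
""".strip().splitlines()


def parse_line(line):
    """Split one log line into a dict with ts/host/event plus key=value fields."""
    ts, host, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "host": host, "event": event, **fields}


def matched_ioc(rec, iocs):
    """Return (ioc_class, value) if any indicator field in the record is known-bad."""
    for field, ioc_class in IOC_FIELDS.items():
        value = rec.get(field)
        if value is not None and value in iocs[ioc_class]:
            return (ioc_class, value)
    return None


def build_plan(lines, iocs=IOCS):
    first_hit = {}                    # host -> (ts, (ioc_class, value)) of earliest match
    compromised = set()               # users present in IoC-matched events
    users_on_host = defaultdict(set)  # host -> every user seen on it, matched or not
    for line in lines:
        rec = parse_line(line)
        user = rec.get("user")
        if user:
            users_on_host[rec["host"]].add(user)
        hit = matched_ioc(rec, iocs)
        if hit is None:
            continue
        host = rec["host"]
        # ISO-8601 UTC timestamps sort correctly as strings.
        if host not in first_hit or rec["ts"] < first_hit[host][0]:
            first_hit[host] = (rec["ts"], hit)
        if user:
            compromised.add(user)

    affected = sorted(first_hit)
    initial = None
    if first_hit:
        host = min(first_hit, key=lambda h: first_hit[h][0])
        initial = (host, first_hit[host][0])
    # Accounts that touched an affected host but never appear in an IoC event:
    # their credentials may have been captured, so treat them as partially compromised.
    partial = set().union(*(users_on_host[h] for h in affected)) - compromised

    steps = []
    for host in affected:  # evidence first, then reimage, then credentials
        ts, (ioc_class, value) = first_hit[host]
        steps.append(f"preserve forensic image and logs of {host} (first IoC hit {ts}: {ioc_class}={value})")
    steps += [f"wipe and reimage {h}" for h in affected]
    steps += [f"reset password and rotate tokens for {u}" for u in sorted(compromised | partial)]
    return {
        "affected_hosts": affected,
        "initial_infection": initial,
        "compromised_accounts": sorted(compromised),
        "partially_compromised_accounts": sorted(partial),
        "steps": steps,
    }


if __name__ == "__main__":
    for step in build_plan(LOG_LINES)["steps"]:
        print(step)
```

The "partially compromised" heuristic (any account that logged on to an affected host) is deliberately conservative: resetting one extra service account costs little, while missing one leaves the attacker a way back onto the freshly reimaged host.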

Eradicating Threats

Remove malicious artifacts (dropped binaries, persistence entries such as scheduled tasks, services, run keys and cron jobs, rogue accounts) either manually or with automated tooling such as EDR remediation and anti-malware quarantine. Confirm removal against the IoC list rather than trusting a tool's "cleaned" status.

Reimaging

Partial reimaging restores only the affected components, e.g. reimaging the OS volume while leaving data disks or network drives in place when they are confirmed unaffected. Use it only when the scope is well understood; if the initial point of infection or the persistence mechanisms are uncertain, a full wipe is the safer choice.

Recovery

Business Impact and Recovery

Identify the systems and data that are vital to the business and restore them first, in order of business impact.

Recovery on Data-Heavy Components

Incremental backups are best suited to data-heavy components, since they keep restore times and storage manageable. Snapshots are also instrumental. In either case, restore from a backup or snapshot taken before the initial point of infection; a restore point taken after the compromise brings the attacker's persistence back along with the data.

Validating the Recovery Process

Be thorough in post-recovery threat assessments: verify that each restored system matches its known-good baseline and that no IoCs remain, then simulate real-world attacks through penetration testing and red teaming to confirm the original intrusion path is closed.
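A baseline check of the kind described above, as an added example that is not part of the original notes. It assumes a hypothetical manifest format (a mapping of file path to SHA-256 hex digest) produced from the golden image at build time and again from the restored host after recovery; all paths, digests and the IoC hash are constructed. It reports files that drifted, went missing or appeared unexpectedly, flags any file whose digest matches a known IoC, and allows a per-host drift list for files that legitimately differ from the image (hostname, machine id).

```python
"""Validate a recovered host against its golden-image manifest.

Added example, not code from the original module notes. Assumed input: two
dicts of path -> sha256 hex digest, one from the golden image and one from
the restored host. Every path and digest below is constructed.
"""

GOLDEN = {
    "/usr/bin/sshd": "aa" * 32,
    "/etc/ssh/sshd_config": "bb" * 32,
    "/etc/crontab": "cc" * 32,
    "/etc/hostname": "ee" * 32,
}
IOC_HASHES = {"deadbeef" * 8}  # constructed digest of the incident's dropper

# Files that legitimately differ from the image on every host.
PER_HOST_DRIFT = ("/etc/hostname",)

RESTORED_CLEAN = {**GOLDEN, "/etc/hostname": "ff" * 32}

RESTORED_DIRTY = {
    "/usr/bin/sshd": "aa" * 32,
    "/etc/ssh/sshd_config": "dd" * 32,       # config drifted from the image
    # /etc/crontab is missing
    "/etc/cron.d/updater": "deadbeef" * 8,   # persistence re-dropped with the IoC hash
    "/etc/hostname": "ff" * 32,
}


def validate_recovery(golden, restored, ioc_hashes, allowed_drift=()):
    """Compare a restored host's manifest with the golden image and IoC list."""
    findings = {"modified": [], "missing": [], "unexpected": [], "ioc_hits": []}
    for path, digest in golden.items():
        if path not in restored:
            findings["missing"].append(path)
        elif restored[path] != digest and path not in allowed_drift:
            findings["modified"].append(path)
    for path, digest in restored.items():
        if path not in golden:
            findings["unexpected"].append(path)
        if digest in ioc_hashes:  # checked on every file, drift-allowed ones included
            findings["ioc_hits"].append(path)
    for key in findings:
        findings[key].sort()
    findings["clean"] = not any(findings[k] for k in ("modified", "missing", "unexpected", "ioc_hits"))
    return findings


if __name__ == "__main__":
    for name, manifest in (("clean", RESTORED_CLEAN), ("dirty", RESTORED_DIRTY)):
        print(name, validate_recovery(GOLDEN, manifest, IOC_HASHES, PER_HOST_DRIFT))
```

A clean manifest comparison only proves that the files in the manifest match; it says nothing about in-memory implants, firmware, or a still-open network path, which is why the notes follow it with penetration testing and red teaming rather than stopping here.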
