Eradication, Recovery and Post-incident Actions Flashcards
Remove the cause of the incident and bring the system back to a secure state
Eradication and Recovery
The complete removal and destruction of the cause of the incident
The simplest option for eradicating a contaminated system is to replace
it with a clean image from a trusted store
Eradication
A group of procedures that an organization uses to govern the disposal of
obsolete information and equipment, including storage devices, devices with
internal data storage capabilities, and paper records
Sanitization
A method of sanitizing a self-encrypting drive by erasing the media encryption key
Cryptographic erase (CE) is a feature of self-encrypting drives
Cryptographic Erase (CE)
A method of sanitizing a drive by overwriting all bits on a drive to zero
Zero-fill is not a reliable method to use with SSDs and hybrid drives
Zero-fill
A method of sanitizing a solid-state device using manufacturer-provided software
Secure Erase (SE)
A method of sanitizing that utilizes physical
destruction of the media by mechanical shredding, incineration, or degaussing
Secure disposal should be performed to sanitize media with top secret or highly
confidential information
Secure Disposal
Eradication Actions
Reconstruction
Reimaging
Reconstitution
A method of restoring a system that has been sanitized using scripted installation
routines and templates
Reconstruction
A method of restoring a system that has been sanitized using an image-based
backup
Reimaging
A method of restoring a system that cannot be sanitized using manual removal,
reinstallation, and monitoring processes
Reconstitution
Seven Steps for Reconstitution
o Analyze processes and network activity for signs of malware
o Terminate suspicious processes and securely delete them from the system
o Identify and disable autostart locations to prevent processes from executing
o Replace contaminated processes with clean versions from trusted media
o Reboot the system and analyze for signs of continued malware infection
o If the malware infection continues, analyze firmware and USB devices for infection
o If tests are negative, reintroduce the system to the production environment
Actions taken to ensure that hosts are fully reconfigured to operate the business
workflow they were performing before the incident occurred
Recovery
Patching
Permissions
Logging
System Hardening
Installing a set of changes to a computer program or its supporting data designed
to update, to fix, or to improve it
Patching
All types of permissions should be reviewed and reinforced after an incident
Permissions
Ensure that scanning and monitoring/log retrieval systems are functioning
properly following the incident
Logging
The process of securing a system’s configuration and settings to reduce IT
vulnerability and the possibility of being compromised
System Hardening
Occurs once the attack or immediate threat has been neutralized and the system is
restored to secure operation
Post-Incident Activities
An essential analyst skill that is used to communicate information about the
incident to a wide variety of stakeholders
Report Writing
A report written for a specific audience with key information about the incident
for their use
Incident Summary Report
The preservation of evidence based upon the required time period defined by
regulations if there is a legal or regulatory impact caused by an incident
Evidence Retention
An analysis of events that can provide insight into how to improve response
processes in the future
Lessons Learned