Eradication, Recovery and Post-incident Actions Flashcards
Remove the cause of the incident and bring the system back to a secure state
Eradication and Recovery
The complete removal and destruction of the cause of the incident
The simplest option for eradicating a contaminated system is to replace
it with a clean image from a trusted store
Eradication
A group of procedures that an organization uses to govern the disposal of
obsolete information and equipment, including storage devices, devices with
internal data storage capabilities, and paper records
Sanitization
A method of sanitizing a self-encrypting drive by erasing the media encryption key
Cryptographic erase (CE) is a feature of self-encrypting drives
Cryptographic Erase (CE)
A method of sanitizing a drive by overwriting all bits on a drive to zero
Zero-fill is not a reliable method to use with SSDs and hybrid drives
Zero-fill
A method of sanitizing a solid-state device using manufacturer-provided software
Secure Erase (SE)
A method of sanitizing that utilizes physical
destruction of the media by mechanical shredding, incineration, or degaussing
Secure disposal should be performed to sanitize media with top secret or highly
confidential information
Secure Disposal
Eradication Actions
Reconstruction
Reimaging
Reconstitution
A method of restoring a system that has been sanitized using scripted installation
routines and templates
Reconstruction
A method of restoring a system that has been sanitized using an image-based
backup
Reimaging
A method of restoring a system that cannot be sanitized using manual removal,
reinstallation, and monitoring processes
Reconstitution
Seven Steps for Reconstitution
o Analyze processes and network activity for signs of malware
o Terminate suspicious processes and securely delete them from the system
o Identify and disable autostart locations to prevent processes from executing
o Replace contaminated processes with clean versions from trusted media
o Reboot the system and analyze for signs of continued malware infection
o If the malware infection continues, analyze firmware and USB devices for infection
o If tests are negative, reintroduce the system to the production environment
Actions taken to ensure that hosts are fully reconfigured to operate the business
workflow they were performing before the incident occurred
Recovery
Actions taken to ensure that hosts are fully reconfigured to operate the business
workflow they were performing before the incident occurred
Patching
Permissions
Logging
System Hardening
Installing a set of changes to a computer program or its supporting data designed
to update, fix, or improve it
Patching