Once a threat has been detected and contained, it has to be removed or

remediated.

When it comes to malware infection,

this means removing the malware from affected systems.

But in some cases, this may not be possible, so

the affected systems have to be restored to a known good configuration.

This can be done by rebuilding the machine or restoring from backup.

Take care when removing malware from systems because some malware

is designed to be very persistent, which means it's resistant to being removed.

But before we can start the recovery, we have to contain the incident.

This might involve shutting down affected systems to prevent further damage or

spread of an infection.

On the flip side of that, affected systems may just have network access removed to

cut off any communication with the compromised system.

Again, the motivating factor here would be to prevent the spread of any infection or

to remove remote access to the system.

The containment strategy varies depending on the nature of the affected system.

Let's say a critical piece of networking infrastructure was compromised.

A quick shutdown may not work since it would impact other business operations.

On top of that,

removing networking access might trigger fail safes in attack software or malware.

Let's say a piece of malware is designed to periodically check into a command and

control server.

Severing network communications with the infected host might cause the malware

to trigger a self destruct function in an attempt to destroy evidence.

Forensic analysis may need to be done to analyze the attack.

This is especially true when it comes to a malware infection.

In the case of forensic analysis, affected machines might be investigated very

closely to determine exactly what the attacker did.

This is usually done by taking an image of the disk,

essentially making a virtual copy of the hard drive.

This lets the investigator analyze the contents of the disk

without the risk of modifying or altering the original files.

If that happened, it would compromise the integrity of any forensic evidence.

Usually, evidence gathering is also part of the incident response process.

This provides evidences to law enforcement if the organization

wants to pursue legal action against the attackers.

Forensic evidence is super useful for

providing details of the attack to the security community.

It allows others security teams to be aware of new treats and

lets them better defends themselves.

It's also very important that you get members from your legal team involved in

any incident handling plans.

Because an incident can have legal implications for the company, a lawyer

should be available to consult and advise on the legal aspects of the investigation.

It's crucial in order to avoid complications or issues of liability.

Members of the public relations team should also get involved

since these incidents can have an impact on a company's reputation.

There is another part of the cleanup and recovery phase I should call out.

We'll need to use information from the analysis

to prevent any further intrusions or infections.

First, we determine the entry point to figure out how the attacker got in, or

what vulnerability the malware exploited.

This needs to be done at the same time as the cleanup.

If you remove the malware infection without also addressing the underlying

vulnerability, systems could become reinfected right after you clean them up.

As you learned in the system administration and IT infrastructure

services course, postmortems can be a great way to document incidents.

The learnings from postmortems can be used to prevent those incidents

from happening again.

If a critical system has been compromised,

remediation can be complicated because of downtime during remediation and recovery.

Logs have to be audited to determine exactly what the attacker did

while they had access to the system.

They'll also tell you what data the attacker accessed.

Systems must be scrutinized to ensure no back doors have been installed, or

malware planted on the system.

Depending on the severity of the compromise or

infection, it might be necessary to rebuild the system from the ground up.

Cleanup would typically involve restoring from a backup point

to a known good configuration.

Infected or corrupted system files could be restored from known good copies.

Sometimes, cleanup can be very simple and quick.

I hope that's what you find more often than not.

If a website was defaced, the attacker may have simply uploaded their defaced

HTML file and pointed the web server at the new file.

A configuration file change and

deletion of the attacker's HTML file would undo those changes.

Even so, efforts need to be made to determine how the attacker got access.

That vulnerability should be closed to prevent any future attacks.

When all traces of the attack have been removed and discovered and

the known vulnerabilities have been closed, you can move on to the last step.

That's when systems need to be thoroughly tested to make sure proper functionality

has been restored.

Usually, affected systems would also remain under close watch,

sometimes with additional detailed monitoring and logging enabled.

This is to watch for any additional signs of an intrusion

in case something was missed during the cleanup.

It's also possible that the attacker will attempt to attack the same target again.

There's a very high chance that they use the same or

similar attack methodology on other targets in your network.

It's important to incorporate the lessons you've learned from any incident

into your overall security defenses.

Update firewall rules and

ACLs if an exposure was discovered in the course of the investigation.

Create new definitions and rules for intrusion detections systems

that can watch for the signs of the same attack again.

Stay vigilant and prepared to protect your system from attacks.

Remember that at some point, some sort of security breach will happen.

Just stay calm and execute your plan to counterattack the breach.

Incident Response and Recovery

IT Security: Defense against the digital dark arts

Rencontrer les enseignants