登录查看更多内容

What are the best ways to verify that a security incident has been fully eradicated?

由人工智能和领英社区提供技术支持

When a security incident occurs, such as a malware infection, a data breach, or a denial-of-service attack, it is not enough to just stop the immediate threat. You also need to verify that the incident has been fully eradicated, meaning that no traces of the malicious activity remain in your system or network. This is a crucial step to prevent recurrence, data loss, or further damage. But how can you be sure that you have completely eliminated the source and impact of the incident? Here are some best practices to follow.

此文章中的业界达人

由社区从 7 条内容中精选。了解更多

Richard Sotchesa

Assoc. C|CISO | ISO/IEC 27032 LCM | (ISC)2 CC
Manan Vora

Leading Security Architecture and Engineering in Tredence, MSc IT, CISSP, CISM, Security+, API Security Architect…
Ang sijie

Lead Engineer - Telco Service Management

1 Identify the root cause

The first step to verify that a security incident has been fully eradicated is to identify the root cause of the incident. This means finding out how the attacker gained access, what tools or techniques they used, what data or resources they targeted, and what actions they performed. You can use various sources of evidence, such as logs, alerts, network traffic, forensic images, or malware analysis, to reconstruct the timeline and scope of the incident. By understanding the root cause, you can determine what needs to be removed or restored to achieve full eradication.

添加您的观点

Richard Sotchesa

Assoc. C|CISO | ISO/IEC 27032 LCM | (ISC)2 CC
举报内容
Treating the symptoms alone is inadequate as most attacks persist within the system or network even after the treatment. The initial step to fully eradicating the incident is to identify its root cause. Gain initial information from alerts generated by sensors put in place within endpoints and the network. Logs also provide constructive insights in identifying the root cause of an incident.

已翻译

赞
Manan Vora

Leading Security Architecture and Engineering in Tredence, MSc IT, CISSP, CISM, Security+, API Security Architect, Azure 2x, Forcepoint 3x, Fortinet 3x, PCI DSSv4.0 Implementor, ISO/IEC 27001:2022 LA, CCIO
举报内容
Identifying the root cause is the first step as with this team will identity about tools used, Techniques used, data or resources which was targeted, what damage done in the target system, if target system can be recovered and at last to understand on how such incidents can be prevented for future (lesson learned).

已翻译

赞

2 Isolate and clean the affected systems

The next step is to isolate and clean the affected systems, such as servers, workstations, devices, or applications, that were compromised or impacted by the incident. You can use tools such as antivirus, anti-malware, or disk wiping software to scan and remove any malicious files, code, or configurations from the systems. You can also use backup or recovery software to restore any data or settings that were corrupted or deleted by the incident. Make sure to test the functionality and integrity of the systems after cleaning them, and keep them isolated until you are confident that they are secure.

添加您的观点

Manan Vora

Leading Security Architecture and Engineering in Tredence, MSc IT, CISSP, CISM, Security+, API Security Architect, Azure 2x, Forcepoint 3x, Fortinet 3x, PCI DSSv4.0 Implementor, ISO/IEC 27001:2022 LA, CCIO
举报内容
As soon as team is aware of the system which got targeted then the system has to be isolated from the network and logs to be preserved for further investigation. Antivirus, Anti Malware tool, Disk Wiping tools, Memory Analysis tools can be used to understand the damage. Further with help of Disk Wiping tool system can be converted again and then systems integrity can be checked again.

已翻译

赞

3 Update and harden the security controls

The third step is to update and harden the security controls that are designed to protect your system or network from future incidents. This means applying any patches, updates, or upgrades to your software, firmware, or hardware that can fix any vulnerabilities or bugs that were exploited by the attacker. It also means reviewing and enhancing your security policies, procedures, or configurations that can prevent or detect any unauthorized access, activity, or changes. For example, you can strengthen your passwords, encryption, firewall, or authentication methods, or enable more logging, monitoring, or alerting features.

添加您的观点

Manan Vora

Leading Security Architecture and Engineering in Tredence, MSc IT, CISSP, CISM, Security+, API Security Architect, Azure 2x, Forcepoint 3x, Fortinet 3x, PCI DSSv4.0 Implementor, ISO/IEC 27001:2022 LA, CCIO
举报内容
Regularly patching to your software, firmware and hardware can fix all known vulnerabilities or bugs which can be used by attacker. We also should follow frequently review our standard document which we apply to our infra. It can help us to ensure that infra is configured with best configuration.

已翻译

赞

4 Educate and communicate with the stakeholders

The final step is to educate and communicate with the stakeholders who are involved or affected by the incident. This means informing and advising your users, customers, partners, or regulators about the nature, impact, and resolution of the incident, and what actions they need to take or expect from you. It also means training and educating your staff, especially those who have security roles or responsibilities, about the lessons learned, best practices, or recommendations from the incident. By doing so, you can increase the awareness, trust, and compliance of your stakeholders, and improve your security culture and posture.

添加您的观点

Ang sijie

Lead Engineer - Telco Service Management
举报内容
Whilst having all the security features setup is important. The most important variable for security incidents are the people. People need to be educated and aware of the risks for their actions as usually a system with high security usually leads to inconvenience to the users but its something which needs to be juggled

已翻译

赞
Manan Vora

Leading Security Architecture and Engineering in Tredence, MSc IT, CISSP, CISM, Security+, API Security Architect, Azure 2x, Forcepoint 3x, Fortinet 3x, PCI DSSv4.0 Implementor, ISO/IEC 27001:2022 LA, CCIO
举报内容
Education is important to not only to stakeholders but also to employees because they should be aware of doe's / don'ts during the time of incident.

已翻译

赞

5 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Waleed El-Naggar

IT Project Management | CISO | Cybersecurity | MBA | PMP | CISA | CRISC | ISO 27001 | PCI-DSS | PMO | Banking
举报内容
Root cause analysis: Reduces errors coming from the same root cause Puts tools and solutions in place to prevent or address future issues Enables teams to resolve incidents more efficiently Implements tools to log and monitor for potential issues

已翻译

赞

Information Security

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

What are the best ways to verify that a security incident has been fully eradicated?

1

2

3

4

5

1 Identify the root cause

2 Isolate and clean the affected systems

3 Update and harden the security controls

4 Educate and communicate with the stakeholders

5 Here’s what else to consider

Information Security

给文章评分

感谢您的反馈

更多Information Security相关文章

更多相关阅读内容

What are the best ways to verify that a security incident has been fully eradicated?

1

2

3

4

5

1 Identify the root cause

2 Isolate and clean the affected systems

3 Update and harden the security controls

4 Educate and communicate with the stakeholders

5 Here’s what else to consider

Information Security

给文章评分

感谢您的反馈

查看其他技能