After a cyber attack has been contained, it will be necessary to eradicate the key components of the security incident (e.g. removing the attacker's presence from the network, deleting malware and disabling breached user accounts), as well as identifying and mitigating the vulnerabilities that were exploited.
This process may include:
- Identifying all affected hosts within (and sometimes beyond) your organisation, so that they can be fixed.
- Locating the source of the attack in order to remove all instances of the malicious software.
- Carrying out malware analysis to assess the damage and to discover and catalogue indicators of compromise that will reveal other machines affected by the same malware or intruders.
- Checking to see if the attacker has responded in any way to your actions.
- Anticipating a different form of attack and developing a response.
- Allowing sufficient time to ensure that the network is secure and that there is no response from the attacker.
Eradication must be carried out swiftly to prevent attackers from launching a new attack. Attackers will often return once they know that they have been discovered and are being investigated. It is therefore important to ensure that all elements of the attack have been eradicated and that the attackers cannot carry out further attacks.
Keep a detailed written log of every action taken during the investigation to assist in responding to future attacks and developing a plan of action to stop events happening again.
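The steps above (cataloguing indicators of compromise from malware analysis, using them to find every affected host and the eradication action each one needs) and the written action log can be tied together in one small script. This is an added example, not part of the original guidance; every hash, domain, account and host name in it is a constructed placeholder.

```python
"""Eradication sweep: match a catalogue of indicators of compromise (IoCs)
against per-host telemetry, list every affected host with the action it
needs, and produce a written log of each action. All values are constructed."""
from datetime import datetime, timezone

BAD_HASH = "ab" * 32  # constructed placeholder SHA-256, not a real sample

# Constructed IoC catalogue as it would come out of malware analysis.
IOCS = {
    "file_hashes": {BAD_HASH},
    "c2_domains": {"update-check.example.invalid"},
    "breached_accounts": {"svc-backup"},
}

# Constructed telemetry: one record per host (file hashes seen, DNS lookups,
# accounts that logged in), as an EDR/DNS/auth export might provide.
TELEMETRY = [
    {"host": "ws-012", "hashes": {BAD_HASH}, "dns": {"cdn.example.invalid"},
     "logins": {"alice"}},
    {"host": "srv-db-01", "hashes": set(), "dns": {"update-check.example.invalid"},
     "logins": {"svc-backup"}},
    {"host": "ws-044", "hashes": set(), "dns": {"cdn.example.invalid"},
     "logins": {"bob"}},
]


def sweep(iocs, telemetry):
    """Return {host: [(indicator, action), ...]} for every host matching an IoC."""
    affected = {}
    for rec in telemetry:
        hits = []
        for h in sorted(rec["hashes"] & iocs["file_hashes"]):
            hits.append((f"hash:{h[:12]}", "quarantine file, reimage host"))
        for d in sorted(rec["dns"] & iocs["c2_domains"]):
            hits.append((f"domain:{d}", "block domain at egress, isolate host"))
        for a in sorted(rec["logins"] & iocs["breached_accounts"]):
            hits.append((f"account:{a}", "disable account, reset credentials"))
        if hits:  # a host with no matching indicator is not listed
            affected[rec["host"]] = hits
    return affected


def action_log(affected, analyst="ir-analyst", ts=None):
    """Build the written eradication log: one timestamped line per action."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [f"{ts} {analyst} {host} {ind} -> {act}"
            for host, hits in affected.items() for ind, act in hits]


if __name__ == "__main__":
    for line in action_log(sweep(IOCS, TELEMETRY)):
        print(line)
```

Re-running the sweep after each eradication action, until it returns no hosts, is the check that "all elements of the attack have been eradicated"; the log lines double as the written record the guidance asks for.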