Question

• A complete description of steps required to remove any detectable trace of activities in the network.

Answer 1

Answer:

• Step 1. Identify the threat and attack vectors.
• Step 2. Identify the infected computers.
• Step 3. Quarantine the infected computers.
• Step 4. Clean the infected computers.
• Step 5. Post-op and prevent recurrence.

Identify the threat and attack vectors

To contain and eliminate a threat, you must know all of the threats that are present on the computer, and what the threats were designed to do. You must also understand which methods the threats use to propagate throughout the network.

Identify the infected computers

Once you have identified the threat, you must determine if other computers are infected.

Quarantine the infected computers

After you have identified a threat and you understand how the threat spreads, you have to prevent the threat from spreading through the network.

It is critical that you remove the compromised computer from the network or add it to a "quarantine network." Otherwise, the threat will spread as it infects other computers on the network.

Clean the infected computers

With the threat isolated to individual computers, you can remove the threat and reverse its side effects. As you take the steps outlined in this section, you should assess the following:

• Is it more cost-effective to freshly rebuild or reinstall a compromised computer?
• Can you easily remove the threat from the computer by running an antivirus scan, or are additional tasks required?
• Did the threat make any system changes on the infected computers? If so, should you revert those changes?
• When is it safe to add the computers back to the network?

Post-op and prevent recurrence

Incident review and network audit

After you have removed the threat, you should perform the following:

• Review the incident and make necessary changes in internal processes and procedures to avoid this type of attack in the future.
• Perform a network audit with your security team to determine how the threat entered the network. Understanding the threat's attack vectors from Step 1 will come in handy.
• Implement security measures to prevent another incident.
• Some people believe that security and usability are inversely proportionate to each other, with an increase in security increasing the steps needed to perform a task. Ease-of-use, while more efficient, can open security holes that make it easier for threats to spread. Weak points in a network are usually those technologies that make computers more accessible and user-friendly.