Incident recovery

What is recovery?

Returning the organization to normal operations

  • Service restoration

  • Validation and testing

  • Certification of proper operations

  • Damage assessment

Service restoration

Need to restore computer images to a clean, known-good state

Verify accessibility of backup images

Consulting the DR/BCP plans for recovery-time targets (e.g., MTTR, RPO) may be useful

Validation and testing

Check restored systems to verify that the infection has been eradicated

If new malware signatures have been released since the first scan, scan the restored images with them as well

Sometimes the first round of eradication fails

  • Devices might get missed the first time

Certification of proper operations

Check whether the root-cause vulnerabilities still exist

Specific open ports can sometimes be a sign of lingering infection
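As an added example that is not part of these notes, the Python check below implements the validation and certification steps above on constructed data: it compares each restored host's listening ports with a per-role baseline, checks the image's file hashes against an updated signature list, and confirms that the root-cause vulnerability was fixed. Every host name, port, hash and detection name in it is an assumption made for illustration.

```python
"""Post-restore validation and certification checks (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: ports a healthy host of each role is expected to listen on.
BASELINE_PORTS: Dict[str, Set[int]] = {
    "web": {22, 80, 443},
    "db": {22, 5432},
}

# Constructed: ports the IR team associated with the malware seen during the incident.
SUSPECT_PORTS: Set[int] = {4444, 31337}

# Constructed placeholder hash standing in for an entry from a signature update
# released after the first eradication pass; the detection name is also made up.
PLACEHOLDER_HASH = "00" * 31 + "01"
NEW_SIGNATURE_HASHES: Dict[str, str] = {PLACEHOLDER_HASH: "Example.Backdoor"}


@dataclass
class RestoredHost:
    name: str
    role: str
    listening_ports: Set[int]   # observed on the host after restore (constructed)
    file_hashes: Set[str]       # SHA-256 of files found on the image (constructed)
    root_cause_patched: bool    # has the vulnerability exploited in the incident been fixed?


def certify(host: RestoredHost) -> List[str]:
    """Return the findings that block certification; an empty list means the host passes."""
    findings: List[str] = []

    # Validation: does the restored image still carry files matching the new signatures?
    for h in sorted(host.file_hashes & set(NEW_SIGNATURE_HASHES)):
        findings.append(f"signature hit: {NEW_SIGNATURE_HASHES[h]} ({h[:12]}...)")

    # Certification: is anything listening that the role baseline does not expect?
    expected = BASELINE_PORTS.get(host.role, set())
    for port in sorted(host.listening_ports - expected):
        tag = "suspect port" if port in SUSPECT_PORTS else "unexpected port"
        findings.append(f"{tag}: {port}")

    # Certification: the root cause must be closed before the host returns to service.
    if not host.root_cause_patched:
        findings.append("root-cause vulnerability still present")

    return findings


def certification_report(hosts: List[RestoredHost]) -> Dict[str, List[str]]:
    """Map each host name to its findings."""
    return {h.name: certify(h) for h in hosts}


def hosts_needing_rework(hosts: List[RestoredHost]) -> List[str]:
    """Hosts that failed certification and go back through another eradication round."""
    return sorted(name for name, findings in certification_report(hosts).items() if findings)


# Constructed sample inventory for a stand-alone run.
SAMPLE_HOSTS = [
    RestoredHost("web01", "web", {22, 80, 443}, {"aaaa"}, True),
    RestoredHost("web02", "web", {22, 80, 443, 8080}, {"aaaa"}, False),
    RestoredHost("db01", "db", {22, 5432, 4444}, {PLACEHOLDER_HASH}, True),
]

if __name__ == "__main__":
    for name, findings in certification_report(SAMPLE_HOSTS).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Any single finding fails certification, so a host with an unexpected listener or an unpatched root cause is sent back for another eradication pass rather than returned to service; that is the check that catches devices missed the first time.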
