Recovery and restoration tools and techniques

Common recovery and restoration tools

  • Imaging software

  • Spare/replacement hardware

  • Device management suites

  • Change and configuration baselining tools and documentation

  • System monitoring suites

Most of these will already exist as part of normal IT operations

Imaging software

Infected or destroyed systems need to be re-imaged

May be under the umbrella of IT

Verify images are not compromised before using them

Hardware

Some incidents may require replacement of hardware

  • Physical intrusion and compromise

  • Physical intrusion where equipment is destroyed

  • DDoS that causes CPUs to get so hot that the motherboard is damaged

Device management suites

Some of the restoration activities may be part of these suites already

Makes it easier and more efficient to restart large numbers of devices

Work with IT on access and/or licensing

Change and configuration baselining tools

Official baselines will help you establish "normal" operations

There may be lag time between system updates and image refreshes

In larger organizations, changes to systems may still be happening during the incident

Smaller organizations without change management should rely on baseline documentation
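Added example (not part of the original notes) tying together the two points above: check a golden image against recorded baseline documentation before re-imaging, and flag an image whose build date lags far behind current updates. The manifest format (image name to SHA-256 and build date), the 90-day age limit and the sample images are assumptions constructed for this example.

```python
import hashlib
import hmac
import tempfile
from datetime import date
from pathlib import Path

# Assumed baseline manifest format: image name -> {"sha256": ..., "built": "YYYY-MM-DD"}.
# Age limit is a constructed threshold, not a value from the notes.
MAX_IMAGE_AGE_DAYS = 90

def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path: Path, manifest: dict, today: date) -> tuple[bool, str]:
    """Return (ok, reason); only a hash match against the baseline clears the image for use."""
    entry = manifest.get(path.name)
    if entry is None:
        return False, "no baseline entry: image provenance unknown"
    if not hmac.compare_digest(sha256_of(path), entry["sha256"]):
        return False, "hash mismatch: image altered since baseline was recorded"
    age = (today - date.fromisoformat(entry["built"])).days
    if age > MAX_IMAGE_AGE_DAYS:
        return True, f"ok, but image is {age} days old; apply missing updates after restore"
    return True, "ok"

def demo() -> dict:
    """Build a constructed set of tiny 'images' in a temp dir and verify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "workstation-gold.img"
        good.write_bytes(b"constructed golden image contents\n")
        tampered = Path(d) / "server-gold.img"
        tampered.write_bytes(b"constructed image with an extra byte\n")
        unknown = Path(d) / "unknown.img"
        unknown.write_bytes(b"nobody recorded this one\n")
        manifest = {
            "workstation-gold.img": {"sha256": sha256_of(good), "built": "2024-01-01"},
            # Recorded hash is for the original contents, not what is on disk now
            "server-gold.img": {"sha256": hashlib.sha256(b"constructed image\n").hexdigest(), "built": "2024-06-01"},
        }
        for p in (good, tampered, unknown):
            results[p.name] = verify_image(p, manifest, today=date(2024, 6, 15))
    return results
```

Calling demo() passes the untouched image with a staleness warning and rejects both the altered image and the one with no baseline entry.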

System monitoring tools

Need to be able to monitor systems for any recurring abnormal behavior

Can also help with establishing new baselines

  • E.g., updates to new hardware or software after a breach may slightly change system behavior

    • Abnormal or new behavior may not be malicious
