Containment, Eradication and Recovery
Activity 14.1 Incident Containment Options
In this section I have re-diagrammed the 3 main incident containment options.
- Segmentation - Creating a seperate section of the existing network in order to contain the attacker or affected systems.
- Isolation - Removing the attacker from internal network access, but permitting access to the internet. This technique can be used to monitor attacker communication with external servers.
- Removal - Completely removing the affected network or attacker from any network access.
Activity 14.2 Incident Response Activities
Comptia categorizes incident response activities as the following:
- Containment: Containing the damage of the attack
- Eradication: Removing the attacker, all artifacts and malicious code caused by the attack.
- Validation: Confirming the success of eradication.
- Postincident Activities: Preparation of reports and lesson-learned sessions.
The following activities map to the Comptia categories:
| Activity | Category |
| Patching | Validation |
| Sanitization | Eradication |
| Lessons Learned | Postincident Activities |
| Reimaging | Eradication |
| Isolation | Containment |
| Scanning | Validation |
| Removal | Containment |
| Reconstruction | Eradication |
| Permission Verification | Validation |
| User Account Review | Validation |
| Segmentation | Containment |
Activity 14.3 Sanitization and Disposal Techniques
Here are the main three options fo media sanitization during the recovery phase of incident response.
- Clear: Uses software or hardware products to overwrite existing storage with non-sensitive data. This approach uses the standard read and write operations available to the device. In some devices the only option may be to restore a device to factory settings.
- Purge: Application of media specific techniques to directly erase data such as overwrite, block erase and cryptographic erasure. The media is still useable after application of this technique.
- Destroy: The intent of destruction is to render the target data totally infeasible to retrieve. This may also result in the media being rendered useless for the future storage of data. Techniques include disintegration, melting, incineration and shredding.
The below diagram, re-created from NIST SP 800-88: Guidelines for Media Santization outlines the decision flow needed to determin the correct form of media sanitization.
Glossary
A glossary of all the terms, acronyms and slang I run across for this chapter.
| Containment | Designed to isolate the incident and prevent spread |
| Incident Response | Consists of the stages of: 1.Preparation 2. Detection and Analysis 3. Containment, Eradication and Recovery 4. Post Incident Activity |
| Network Segmentation | Proactive strategy designed to divide parts of the network |
| Isolating Affected Systems | Affected systems are disconnected from the rest of the network, only internet access is allowed. |
| Isolating the Attacker | Uses sandbox systems of no value to monitor the attacker and collect information |
| Removal | Strongest containmetn response. Completely disconnecting the effected network, even from the internet. |
| Dead Mans Switch | Tactic which prevents removal by adding scripts in malware which ping outbound to a host |
| Eradication | Remove all artifacts and traces of an attack, i.e. removing any leftover malicious code and sanitizing storage. |
| Recovery | Restoring normal operations while increasing reselience against future attacks |
| Clear | Media disposal technique - Applies logical, software techniques to write over and sanitize data |
| Purge | Media disposal technique - Applies logical and physical tecniques such as degaussing, overwriting and block erase |
| Destory | Media disposal technique - Results in the inability to use the media in future storage, include pulverization, incerneration, melting, etc. |
| Incident Recovery Validation | Perform the following actions: 1. Check only authorized user accounts exist. 2. Confirm the accounts have the correct permissions 3. Verify all systems are logging properly 4. Conduct vulnerability scans |