Activity 14.1 Incident Containment Options

In this section I have re-diagrammed the 3 main incident containment options.

  1. Segmentation - Creating a seperate section of the existing network in order to contain the attacker or affected systems. Segmentation
  2. Isolation - Removing the attacker from internal network access, but permitting access to the internet. This technique can be used to monitor attacker communication with external servers. Isolation
  3. Removal - Completely removing the affected network or attacker from any network access. Removal

Activity 14.2 Incident Response Activities

Comptia categorizes incident response activities as the following:

  1. Containment: Containing the damage of the attack
  2. Eradication: Removing the attacker, all artifacts and malicious code caused by the attack.
  3. Validation: Confirming the success of eradication.
  4. Postincident Activities: Preparation of reports and lesson-learned sessions.

The following activities map to the Comptia categories:

Activity Category
Patching Validation
Sanitization Eradication
Lessons Learned Postincident Activities
Reimaging Eradication
Isolation Containment
Scanning Validation
Removal Containment
Reconstruction Eradication
Permission Verification Validation
User Account Review Validation
Segmentation Containment

Activity 14.3 Sanitization and Disposal Techniques

Here are the main three options fo media sanitization during the recovery phase of incident response.

  • Clear: Uses software or hardware products to overwrite existing storage with non-sensitive data. This approach uses the standard read and write operations available to the device. In some devices the only option may be to restore a device to factory settings.
  • Purge: Application of media specific techniques to directly erase data such as overwrite, block erase and cryptographic erasure. The media is still useable after application of this technique.
  • Destroy: The intent of destruction is to render the target data totally infeasible to retrieve. This may also result in the media being rendered useless for the future storage of data. Techniques include disintegration, melting, incineration and shredding.

The below diagram, re-created from NIST SP 800-88: Guidelines for Media Santization outlines the decision flow needed to determin the correct form of media sanitization. Sanitization


A glossary of all the terms, acronyms and slang I run across for this chapter.

Containment Designed to isolate the incident and prevent spread
Incident Response Consists of the stages of: 1.Preparation 2. Detection and Analysis 3. Containment, Eradication and Recovery 4. Post Incident Activity
Network Segmentation Proactive strategy designed to divide parts of the network
Isolating Affected Systems Affected systems are disconnected from the rest of the network, only internet access is allowed.
Isolating the Attacker Uses sandbox systems of no value to monitor the attacker and collect information
Removal Strongest containmetn response. Completely disconnecting the effected network, even from the internet.
Dead Mans Switch Tactic which prevents removal by adding scripts in malware which ping outbound to a host
Eradication Remove all artifacts and traces of an attack, i.e. removing any leftover malicious code and sanitizing storage.
Recovery Restoring normal operations while increasing reselience against future attacks
Clear Media disposal technique - Applies logical, software techniques to write over and sanitize data
Purge Media disposal technique - Applies logical and physical tecniques such as degaussing, overwriting and block erase
Destory Media disposal technique - Results in the inability to use the media in future storage, include pulverization, incerneration, melting, etc.
Incident Recovery Validation Perform the following actions: 1. Check only authorized user accounts exist. 2. Confirm the accounts have the correct permissions 3. Verify all systems are logging properly 4. Conduct vulnerability scans