When an intrusion is detected on a system, an organisation may wish to allow the intrusion to continue for a short period of time in order to fully understand the extent of the compromise and to assist with planning intrusion remediation activities. However, an organisation allowing an intrusion to continue in order to collect data or evidence should first establish with their legal advisors whether such activities would be breaching the Telecommunications (Interception and Access) Act 1979.
To increase the likelihood of intrusion remediation activities successfully removing malicious actors from their system, an organisation can take preventative measures to ensure malicious actors have limited forewarning and awareness of planned intrusion remediation activities. Specifically, using an alternative system to plan and coordinate intrusion remediation activities will prevent alerting malicious actors if they have already compromised email, messaging or collaboration services. In addition, conducting intrusion remediation activities in a coordinated manner during the same planned outage will prevent forewarning malicious actors, thereby depriving them of sufficient time to establish alternative access points or persistence methods on the system.
Following intrusion remediation activities, an organisation should determine whether malicious actors have been successfully removed from the system, including whether or not they have since reacquired access. This can be achieved, in part, by capturing and analysing network traffic for at least seven days following remediation activities.
5 controls