CompTIA CYSA+ CS0-002 – Eradication, Recovery, and Post-incident Actions Part 1

1. Eradication, Recovery, and Post-incident Actions (Introduction)

In this section of the course, we’re going to continue our discussion of the Incident response process by focusing on our final two phases the Eradication and Recovery phase and the Post Incident Actions phase. We’re going to be covering only domain four in this section of the course, specifically, Objective 4. 2. Again, Objective 4. 2 states that given a scenario, you must apply the appropriate incident response procedure. As I said in this section of the course, though, we’re only going to be focused on eradication and Recovery phase and the post Incident activity phase of the Incident Response process.

And therefore, this is what we’re going to be focusing on as we go through this section of the course. Now, as we move through this section, we’re going to start out by discussing the concept of Eradication and the type of actions that are performed in this phase of the incident response. After that, we’ll cover the recovery and the associated recovery actions that we may be performing here. Then we’re going to move into the post Incident Activity phase of our Incident response, which is where we’re going to discuss things like lessons learned and documenting our results.

Finally, we’re going to put all this together by talking about a real world incident response and how it’s conducted. And we’ll walk through a scenario and conduct this real world incident response activity together as a type of demonstration. For you to better understand and connect all the different phases of an incident response from the last three sections of the course into one solidified concept. So let’s continue our discussions of instant responses by moving into the Eradication Recovery phase and then the Post Incident Activity phase.

2. Eradication (OBJ 4.2)

Eradication. In this lesson, we’re going to move into the eradication and recovery phase. When we talk about eradication recovery, this is going to remove the cause of the incident and bring the system back to a secure state. Now, in the CompTIA model, they combine both of these into one stage, but really they are two different actions. When we start with the first part of this, we’re dealing with eradication, and eradication is focused on the complete removal and destruction of the cause of the incident. For example, if your server has been infected with malware, the eradication is going to be focused on methods to remove it and suppress its ability to do any further damage.

Now, the exact method of eradication is going to depend on the source of the infection or what the specific incident was. But for our purposes in our generic planning, it really doesn’t matter that much. Now, later on, when you start dealing with a specific situation or an incident that’s caused by an attacker, that is when the specifics will matter. And your team will have to develop a plan that will adequately eliminate that threat. It’s important to make sure that you fully have identified the threat, and this way you don’t miss any signs of the infection and you root it out all the way throughout the system.

There is nothing worse than going through all the effort in an instant response and then finding out that you had three systems that were infected, not just one, with that particular piece of malware. And now you have to start all over again because it’s moving throughout your network and these systems are continually getting infected. So the simplest option when you try to eradicate a system is to replace it with a clean image from a trusted source. If I know this server has an infection on it and I can just format it and then reinstall a brand new operating system on it from a known good image, that is going to be the simplest way to eradicate it. But that’s not always possible.

A lot of times you can’t just format the hard drive because some malware can actually hide itself and bypass itself through a format stage. Instead, we don’t want to rely on just a quick format. We want to make sure we are doing proper sanitization and secure disposal. Now, when I talk about sanitization, this is a group of procedures that an organization uses to govern the disposal of obsolete information and equipment, including storage devices, devices with internal data, storage capabilities, or paper records. When you’re dealing with standardization, there are lots of different ways of destroying this data. And as I said, it’s not just as easy as doing a quick format. Instead, you have to use one of the more secure methods.

If you’re using a solid state device, you might have the ability to do a cryptographic erase. This is also abbreviated as Ce. Now, a cryptographic erase is a method of sanitizing a self encrypting drive by erasing the media encryption key. Now, most of the time when you’re dealing with cryptographic erase or Ce, this is going to be a feature of self encrypting drives. And these self encrypting drives tend to be solid state drives. Now, if you’re going to be dealing with a regular type of hard drive, you might have to do what’s known as a zero fill. A zero fill is a method of sanitizing a drive by overwriting every single bit on that drive with zeros. To do this inside of a Windows system, you can do a zero fill using the command prompt and the format command.

You’ll type in something like format the drive letter you want to format, slash FS to say that you want an NTFS file system, and then slash P one, which tells it how many passes you want to do with the number of zeros over that drive. In this example, I’m doing one set of zeros across every bit on that drive. If I want to do something a little bit more secure, I might do three sets of zeros or seven sets of zeros. This way, I can override the drive multiple times to make sure I got all that information off. Depending on the level of data you have on that and the different classification level, that’s going to determine how many passes you need to do. Now, the big problem that we have with a zero fill, though, is it’s really only reliable when you’re dealing with magnetic media.

If you’re dealing with something like an SSD or a hybrid drive, these zero fill procedures are not going to be very useful to you. Now, the reason for this is that solid state drives and hybrid drives have a wear leveling routine built into the drive controller, and this helps them communicate which locations are available for use by the software. So even though you’re telling it to do a zero across every single bit on that solid state drive, if you’re using a solid state drive, that wear leveling routine might miss some places, and that means there could be data that could be recovered. Now, another thing you can use is what’s known as a Secure Erase. A Secure Erase is a method of sanitizing a solid state device using manufacturer provided software.

Again, because of that wear leveling routine, using this specific Secure Erase software can override that ability of using that wear leveling and make sure you get all the data sanitized. Now, I mentioned earlier that it’s going to depend on the type of data you have on a drive of which method you’re going to use to sanitize it. Now, if you have something that is top secret or highly confidential, you want to make sure you’re sanitizing it using Secure Disposal. Now what is Secure disposal. Well, Secure Disposal is a method of sanitizing that utilizes physical destruction of the media by mechanical shredding, incineration, or degousing.

Yes, that’s right. You can actually shred a metal hard drive into smaller pieces, and by doing this, you can ensure nobody will ever get the data off of that drive. This level of physical destruction is reserved for things that have a very high classification, such as proprietary data, topsecret, government information, or confidential business transactions. Now, most of us aren’t going to use secure disposal because we don’t want to destroy the physical hardware. We want to be able to reuse that hardware in our servers or in our workstations. And so in those cases, we would have to use something like cryptographic erase if you’re using a self encrypting drive.

Zero fill if you’re going to be using a magnetic drive like the one shown here, or secure a race if you’re using a solid state device. It’s important for you to know which of these three methods you’re going to use based on the type of device that you’re trying to sanitize. Finally, if you want to learn more information about sanitizing your media, I do recommend you look at the NIST special publication 888. This has all the guidelines for media sanitation, and it’s going to cover all of the different topics that you might use in the real world, depending on where your organization is and what type of business you’re doing.

3. Eradication Actions (OBJ 4.2)

Eradication actions. In this lesson, we’re going to talk about the three main types of eradication actions. We’ve already talked about how we’re going to sanitize our media, but now we’re going to focus on reconstruction, reimaging, and reconstitution. When I talk about reconstruction, this is a method of restoring a system that has been sanitized using scripted installation routines and templates. Essentially, I would have some kind of computer, and we’ve gone through some sort of an incident. We have now sanitized that hard drive, and now we want to restore that system back to the way it was. To do that, we would run a simple script that would copy all the files and bring it back to a known good state based on those scripts that we have.

Now, another way we can do this is what’s known as reimaging. When we deal with reimaging, this is a method of restoring a system that has been sanitized completely, and this way we use an image based backup. So with reconstruction, we’re using scripts to copy over files or replace files that may have been modified. But with reimaging, we are doing a bit by bit copy of a hard drive based on an image that we have that is a known good image and bringing it back to that state. Now, when we deal with reconstitution, this is a method of restoring a system that cannot be sanitized using manual removal, reinstallation, or monitoring processes.

Now, reconstitution is a lot harder to do than reconstruction or reimaging. With reconstruction or reimaging, we can actually copy over entire files or the entire file system in the case of reimaging. But with reconstitution, we are trying to essentially do surgery with a scalpel. Here, we’re trying to pull out exact little bits of code, whether it’s a single file or a single configuration setting, and be able to bring ourselves back to that known good state. Now, to do this, we have seven steps for reconstitution. The first step is to analyze processes and network activity for signs of malware. Essentially, we need to monitor that system and find out exactly where all the malware is and what it’s doing.

We’re going to use things like wireshark and sysinternals and Process Explorer and things like that to identify all the bad things that are existing on that system. Then we move into step two, which is terminating those suspicious processes and securely deleting them from the system. This way, we can make sure we get all of those bad processes off the system, and hopefully they won’t return.Now, if we have data files that are infected, we also need to recover information from those files before we quarantine or delete them, because we don’t want to lose that information. Remember, our goal with reconstitution is getting our system back to the known good state, and so we want to make sure we have that data as well.

Our third step is to identify and disable auto start locations to prevent processes from executing. Now, if you remember we’ve talked about auto start locations before. This is places that are inside the file system, the registry and the task scheduler that could then bring back malware to maintain persistence. So we want to identify any of those locations that may have some kind of process that will launch that malware again, our fourth step is to replace contaminated processes with clean versions from trusted media. Again, if I’m going to go and install some new piece of software I want to make sure it’s coming from a known good source because if I just downloaded off the internet I might bring additional malware into my system and so I need to make sure that I have a known good trusted media source.

Most companies have what they call a definitive media library or DML and this is an area where you store all of your CDs and DVDs and hard drives with known trusted good copies of your software for you to use during reconstitution. Our fifth step is to reboot the system and analyze it for signs of continued malware infection. So we think we’ve gotten everything out. Now we’re going to go ahead and reboot the system and if we missed something we would then have malware being reintroduced into the system. If we got it all, that means we’re in a good state and that means we did our job. Then we’re going to go into our 6th step.

If we see a continued malware infection, meaning we miss something, we now have to look harder and find out how is it staying on that system. We’re going to have to analyze the firmware and any USB devices that are there because they may be the source of the infection since we already removed the software and the processes in our earlier steps. Now under step seven, if all the tests were negative that that means we don’t have any malware on the system anymore. Everything is back to normal. So now we can reintroduce that system back into the production environment and that means we have solved this problem and we have reconstituted that resource and it’s ready to go back to doing its job again.

4. Recovery (OBJ 4.2)

Recovery. Now, when we started out this section, we talked about the fact that CompTIA combines both eradication and recovery but they are different actions. So at this point we’ve covered eradication. Now we’re going to talk about recovery first. For a quick review, we talked about eradication and recovery as the removal of the cause of the incident and bringing the system back to a secure state. Now we talk about recovery specifically, we’re talking about the actions taken to ensure the hosts are fully reconfigured to operate the business, workflow the way they were performing those things before the incident occurred. Essentially, we want to get back to known good and we want to prevent an incident from happening again.

Now, one of the things about recovery that you have to realize is it is the longest and most challenging part of your incident response. Recovery is focused on returning your systems and networks to a normal state of health and operations. This may involve restoring the systems from a known good backup, completely reinstalling your operating system, or even buying a brand new piece of equipment to replace a now untrusted device. In addition to these basic recovery actions, you also need to go forward and harden those devices, change the passwords, increase the security at the network perimeter and the host level, and ensure that whatever was able to break into your network and infect it cannot get back in again.

This is what recovery is all about. Now, let’s talk about a few examples of incident recovery. Let’s assume we had a database breach. Somebody was able to go in and delete data from your database. Well, how are you going to recover from that? The first thing you’re going to do is do a continuous backup or replication from a known good backup to bring all that data back. Now that’s great and it’s going to make sure everything is back. But have you gone back and figure out how they got into your database in the first place and corrected all those issues? Those are things we have to think about inside of recovery.

And as we take our recovery actions, another example might be if your system was taken down by a distributed denial of service attack. Now again, we’re going to recover very quickly by bringing those systems back online once the attack stops. But how do we make sure that we’re in a good position that we can’t get taken down again? We need to go through recovery actions and system hardening and make sure that we can have ways to protect ourselves from a future attack. Or maybe we had an employee who clicked on a phishing link and that installed some malware, some kind of virus on their system.

Well, once we clean that one system out, how are we going to make sure that doesn’t come back again and that that employee has learned their lesson? All of these are things that we have to do inside of recovery as part of our actions. Remember, the recovery steps taken for a particular incident are going to depend greatly on the nature of the incident. All three of these examples have different steps that we’re going to take because they’re different types of incidents and it’s important for you to remember that. You have to tailor your response to the particular incident that you’re dealing with.

• Category: Uncategorized