Recovery and Reconstitution

Updated Jan 30, 2024 ·

Overview

The recovery and reconstitution phase aims to restore the organization to its normal operations after an incident while ensuring that vulnerabilities are fixed to prevent future attacks.

Remove any effects of the incident and return to normal operating status.
Ensure all systems are protected against future attacks.

Rebuilding Compromised Systems

Reconstruct compromised systems to their pre-incident state.

Reinstall software and reconfigure settings.
Restore files and data from backups.

Malware Removal

Ensure all malicious software is removed.

Run antivirus and anti-malware tools.
Perform manual checks to verify system integrity.

Disabling Breached Accounts

Secure compromised accounts to prevent unauthorized access.

Lock affected user accounts.
Reset passwords and apply stronger authentication.

Data Restoration

Recover any lost or corrupted data.

Use backup files to restore missing data.
Verify the integrity of recovered files.

Vulnerability Remediation

Address the vulnerabilities that led to the incident.

Apply security patches.
Update firewall rules and other access controls.

Strengthening Access Control

Improve access to critical systems to prevent future breaches.

Implement multi-factor authentication.
Limit access to sensitive systems.

Intrusion Prevention Systems

Set up systems to detect and prevent future attacks.

Deploy intrusion prevention software.
Regularly monitor network traffic for anomalies.

Phased Approach

Take a gradual approach to long-term security improvements.

Start with critical fixes for immediate security.
Implement long-term solutions over time.

Overview​

Rebuilding Compromised Systems​

Malware Removal​

Disabling Breached Accounts​

Data Restoration​

Vulnerability Remediation​

Strengthening Access Control​

Intrusion Prevention Systems​

Phased Approach​