Restoring to a Normal State

After all the available evidence has been gathered, it is time to remove the cause of the incident. If you are fortunate, you already discovered the cause and the method of intrusion while classifying the incident. Make sure you have gathered every piece of evidence you need before cleaning up, because restoring the system is likely to destroy whatever evidence remains on it.

When restoring from backups, make sure the backup you restore from is clean and does not reintroduce the threat to the system: a backup taken after the intruder gained access may contain the attacker's modified binaries, added accounts, or backdoors, and a backup the intruder could reach may have been altered. You must also close the security exposure that led to the compromise, or the system will simply be compromised again. After the system is reinstalled and functioning, take a fresh backup before connecting it to the network, so that you have a known-good baseline to compare against and to restore from if the system is attacked again.
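The two checks above ("is this backup intact, and was it taken before the intruder got in?") are simple to automate. The following script is an added example for this section, not code from the book or from the Snort project. It assumes a POSIX shell with sha256sum(1), tar(1) and date(1), and it uses a manifest format of its own (one line per archive: checksum, backup time as a Unix epoch, archive name). The manifest is only useful if it is kept somewhere the compromised host cannot write to, such as the backup server or a read-only medium.

```shell
#!/bin/sh
# Example added to this section (not from the book). Assumes POSIX sh,
# sha256sum(1), tar(1), date(1). Manifest line format, this example's own
# convention:  <sha256> <backup-epoch> <archive-name>
set -eu

# record_backup DIR ARCHIVE MANIFEST
# Archive DIR into ARCHIVE and append its checksum and creation time to
# MANIFEST. Use this for the fresh post-rebuild backup, before the host
# goes back on the network, then copy MANIFEST off the host.
record_backup() {
    dir=$1; archive=$2; manifest=$3
    tar -cf "$archive" -C "$dir" .
    sum=$(sha256sum "$archive" | awk '{print $1}')
    printf '%s %s %s\n' "$sum" "$(date +%s)" "$(basename "$archive")" >> "$manifest"
}

# verify_backup ARCHIVE MANIFEST INCIDENT_EPOCH
# Succeed only if ARCHIVE's checksum matches its manifest entry (it has not
# been altered since it was recorded) and it was taken before INCIDENT_EPOCH
# (so it cannot carry the intruder's changes). Anything else is refused.
verify_backup() {
    archive=$1; manifest=$2; incident_epoch=$3
    name=$(basename "$archive")
    # Most recent manifest entry for this archive name: "<sha256> <epoch>"
    entry=$(awk -v f="$name" '$3 == f {print $1, $2}' "$manifest" | tail -n 1)
    if [ -z "$entry" ]; then
        echo "REFUSE: $name has no manifest entry" >&2
        return 1
    fi
    expected=${entry% *}
    taken=${entry#* }
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "REFUSE: $name checksum mismatch (tampered or corrupt)" >&2
        return 1
    fi
    if [ "$taken" -ge "$incident_epoch" ]; then
        echo "REFUSE: $name taken at $taken, not before incident start $incident_epoch" >&2
        return 1
    fi
    echo "OK: $name is intact and predates the incident"
}

# Command-line entry points (hypothetical script name backup_check.sh):
#   backup_check.sh record DIR ARCHIVE MANIFEST
#   backup_check.sh verify ARCHIVE MANIFEST INCIDENT_EPOCH
case "${1:-}" in
    record) shift; record_backup "$@" ;;
    verify) shift; verify_backup "$@" ;;
esac
```

The incident start time should be the earliest timestamp you established while classifying the incident, not the time the intrusion was noticed; if the two differ by days, every backup taken in between must be treated as suspect. A checksum alone only proves the archive has not changed since the manifest was written, which is why the manifest must live where the intruder could not edit it.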

After the ...
