This page aims at providing general guidelines on how to recover after a security incident, and mentions various References providing additional useful information.
Prerequisites
Recovery steps
The recovery plan should follow multiple steps:
- Patch the compromised system, remove malicious software, identify the attacker's entry point to the server, and remove the security gap. The safest is to reinstall the system entirely. When installing a server, take into account the Server management guidelines.
- Update hardware firmware and BIOS if there are newer versions available, especially if they include security patches.
- Configure servers and services using automatic configuration management, as it serves at the same time as documentation for your services, enables fast recovery after the incident and decreases the possibility of configuration mistakes and inconsistencies.
- Reset user accounts and revoke the certificates configured/used on the compromised system.
- Restore the data from the backup.
- Verify perimeter security (firewall rules, ACLs etc.)
- Configure remote logging for each server.
- After that, reconnect the rebuilt system to the network.
- Test services and security controls.
- Restore the system to its normal operations.
- Monitor the system for abnormal behaviour and for any suspicious activity.
Additional points
- In case an important part of, or a full infrastructure got compromised:
- Start by putting in place a trustable core for the information system (i.e. like the central services supporting the management of the infrastructure (LDAP, Active Directory, IAM infrastructure, deployment services,...))
- Build on and expanding to other services, relying on this core information system, recovering services from a trusted backup, or re-installing from scratch
- Take appropriate measures to prevent the same attack from happening again
- Update technical and organisation measures
- Update documentation
- Provide additional training and raise awareness
- Update monitoring
References