“Change is the end result of all true learning.”
Once you have identified the threats that you are facing and investigated how those threats have accessed and moved through your network, it is time to remove the threats. This phase is known as Finish and involves not only eradicating the footholds that malicious actors have put in your network, but also working to remediate whatever enabled them to get access in the first place.
Finish involves more than removing malware from a system, which is why we spend so much time in the Find and Fix stages. To properly finish an attacker’s activity, it is critical to understand how that threat actor operates and to remove not just malware or artifacts left behind by an attack, but also communications channels, footholds, redundant access, and any other aspects of an attack that we uncovered in the Fix phase. Properly finishing an adversary requires a deep understanding of the attacker, their motives, and their actions, which will allow you to act with confidence as you secure the systems and regain control of your network.
Finish does not mean hack back. That is because, unless you are a government department or agency with the proper authority, hacking back is a very, very bad idea! Why, you ask? There are several reasons: