Chapter 6. Finish

“Change is the end result of all true learning.”

Leo Buscaglia

Once you have identified the threats that you are facing and investigated how those threats have accessed and moved through your network, it is time to remove the threats. This phase is known as Finish and involves not only eradicating the footholds that malicious actors have put in your network, but also working to remediate whatever enabled them to get access in the first place.

Finish involves more than removing malware from a system, which is why we spend so much time in the Find and Fix stages. To properly finish an attacker’s activity, it is critical to understand how that threat actor operates and to remove not just malware or artifacts left behind by an attack, but also communications channels, footholds, redundant access, and any other aspects of an attack that we uncovered in the Fix phase. Properly finishing an adversary requires a deep understanding of the attacker, their motives, and their actions, which will allow you to act with confidence as you secure the systems and regain control of your network.

Finishing Is Not Hacking Back

Finish does not mean hack back. That is because, unless you are a government department or agency with the proper authority, hacking back is a very, very bad idea! Why, you ask? There are several reasons:

  • Attribution is rarely perfect, and you don’t always know what you will end up hacking. Attackers will rarely attack you directly from their infrastructure. ...
