Identifying the Full Scope of the Threat
Before the eradication process can begin, the incident response team (IRT) must fully understand the scope of the threat. This means identifying all affected systems, networks, and accounts to ensure that the eradication efforts address every point of compromise.
Key activities during the identification of the full scope include:
Systematic Analysis of Affected Systems: The IRT should conduct detailed analyses to identify every system that has been compromised, including servers, workstations, network devices, and mobile devices. This often involves forensic analysis and a thorough review of logs, network traffic, and file systems.
Compromised Accounts and Credentials: Attackers often exploit user accounts and credentials to escalate privileges or maintain access. Identifying compromised user accounts, especially those with administrative or elevated privileges, is a crucial step in understanding the full impact of the incident.
Mapping Attack Vectors: The team should understand how the attacker gained access to the network (e.g., phishing, vulnerability exploitation, or insider threats). This helps ensure that all entry points are accounted for during the eradication process.
Review of Indicators of Compromise (IOCs): IOCs are observable artifacts that indicate a system has been compromised, such as unusual file activity, anomalous network traffic patterns, or the presence of specific malware signatures. Sweeping the environment for these IOCs helps identify affected systems and ensures that no remnants of the threat are left behind.
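As an added example that is not part of the original text, the following Python sketch ties these activities together: it sweeps constructed host telemetry against a constructed indicator list (the IOC review and system analysis), then lists the accounts that authenticated to any host with a hit, privileged ones first (the compromised-account review). Every host name, account, hash, domain and path is a placeholder value.

```python
from collections import defaultdict

# Constructed indicator set for this walkthrough (placeholder values, not real IOCs).
IOCS = {
    "sha256": {"0" * 63 + "1": "dropper.exe"},     # hash -> known malicious file name
    "domain": {"c2.example.invalid"},
    "path": {r"c:\users\public\svc_update.exe"},    # lower-case; Windows paths are case-insensitive
}

# Constructed host telemetry: (host, event kind, observed value).
EVENTS = [
    ("ws-017", "file_hash", "0" * 63 + "1"),
    ("ws-017", "dns", "C2.EXAMPLE.INVALID"),
    ("srv-db01", "dns", "c2.example.invalid"),
    ("srv-db01", "file_path", r"C:\Users\Public\svc_update.exe"),
    ("ws-042", "dns", "updates.vendor.example"),    # benign, must not match
]

# Constructed logon records: (account, host, holds elevated privileges).
LOGONS = [
    ("alice", "ws-017", False),
    ("admin-j", "ws-017", True),
    ("svc_backup", "srv-db01", True),
    ("bob", "ws-042", False),
]

def sweep_hosts(events, iocs):
    """Map each host with at least one IOC hit to the set of indicators that matched."""
    hits = defaultdict(set)
    for host, kind, value in events:
        v = value.lower()                           # normalise before comparing
        if kind == "file_hash" and v in iocs["sha256"]:
            hits[host].add("hash:" + iocs["sha256"][v])
        elif kind == "dns" and v in iocs["domain"]:
            hits[host].add("domain:" + v)
        elif kind == "file_path" and v in iocs["path"]:
            hits[host].add("path:" + v)
    return dict(hits)

def exposed_accounts(logons, affected_hosts):
    """Accounts that authenticated to an affected host, privileged ones listed first."""
    seen = {}
    for account, host, privileged in logons:
        if host in affected_hosts:
            seen[account] = seen.get(account, False) or privileged
    return sorted(seen.items(), key=lambda kv: (not kv[1], kv[0]))

def scope_incident(events, logons, iocs):
    """Combine the IOC sweep and the logon review into one scope summary."""
    hosts = sweep_hosts(events, iocs)
    return {"hosts": hosts, "accounts": exposed_accounts(logons, set(hosts))}
```

In practice the event and logon feeds would come from EDR, DNS and authentication logs, and any host or account in the summary becomes part of the eradication plan rather than being cleaned in isolation.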