Incident Recovery and Reconstitution – CompTIA Security+ SY0-401: 2.5


When the security event has concluded, it’s time to rebuild any damaged sections of the network. In this video, you’ll learn some strategies for getting back up and running as quickly as possible.

<< Previous Video: Incident ReportingNext: First Responder >>


Once a security incident has occurred we obviously want to get things back to normal as quickly as possible. We want to get rid of anything that might be bad inside of our environment. Of course, keep everything that might be good. But of course this is much easier said than done.

If you have been infected with malware for instance we want to eradicate that bug. You want perhaps remove the malware, get rid of any user accounts that may have been breached, and fix any vulnerabilities inside of the system that caused that malware to infect the system to begin with. It may not be as easy though as simply deleting the malware from your computer. Modern malware is very good at embedding itself inside of your computer, and you may never really ever be 100% sure that you’ve eradicated every piece of that malware. In those cases you may want to recover the entire system, perhaps, recover everything from backups that you have so that the system is back to a known good state. You may not have backups in those particular cases, you may be rebuilding the entire system from scratch. In any case, you may want to be sure that you simply replace any files that you may suspect have been compromised. And then of course, you want to tighten down the perimeter so that you can be assured that the malware won’t make it self back into your computer later.

In these larger attacks it may not be as simple as recovering a single computer and being back up and running. The reconstitution may be much broader and may involve many, many different systems. So you may require a phased approach to get everything back and running at 100%. Sometimes the phased approach to be over a weekend, sometimes over a month, and in some cases it may take a number of months to finally get back to an original state. These attacks when they occur can be very invasive. They get inside of your environment, and they embed themselves on as many systems as possible. So it may take some time to inventory everything in your environment and understand exactly what systems were affected by this attack.

To make the plan as efficient, as possible, you should consider breaking things up into small pieces. And you can start working on the easy quick things first and leave the much longer implementations for afterwards. So if you can hit those very high value and important resources, and resolve those very quickly, like patching systems and changing firewalls, you can then concentrate on the more long term fixes, like changing pieces of your infrastructure to make it more secure. Or doing very large scale security rollouts of new firewalls and new intrusion prevention systems. The goal is to make this process as efficient as possible, and if you have to reconstitute a very large part of your network you may want to consider using this particular methodology.