ISM-1731

Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised.

Topic: Handling and containing intrusions
Applicable to: all

History

Dec 2021
Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised.
To increase the likelihood of intrusion remediation activities successfully removing an adversary from their system, organisations can take preventative measures to ensure the adversary has limited forewarning and awareness of planned intrusion remediation activities. Specifically, using an alternative system to plan and coordinate intrusion remediation activities will prevent alerting the adversary if they have already compromised email, messaging or collaboration services. In addition, conducting intrusion remediation activities in a coordinated manner during the same planned outage will prevent forewarning the adversary, thereby depriving them of sufficient time to establish alternative access points or persistence methods on the system.