Recover from Network Intrusions

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to recover from a network intrusion.
  • Explain the criteria necessary to return to normal operations.

Recover from a Network Intrusion

When someone falls and hurts themselves, they go to the doctor to begin their road to recovery. The doctor assesses the damage through an exam and maybe even an X-ray. If the patient broke the bone, the doctor may place the injured area of the body in a cast to immobilize it and promote healing. As the patient progresses, the doctor may remove the cast and recommend physical therapy to help restore and strengthen the muscles. Finally, when the injury heals and the wounded area becomes stronger, the doctor clears the patient to resume normal physical activity like jogging or biking.

Just as a doctor helps a patient identify, treat, and recover from an injury, security professionals help identify and detect threats, contain and eradicate them, and strengthen systems against future intrusion. Network security engineers also have a role to play in helping the business recover from an incident and return to normal operations. 

In the first frame, a man recovers from a broken leg in a cast and on crutches; in the second frame, he strengthens his leg with physical therapy; and in the third frame, he walks without a cast or crutches and with a smile on his face.

Organizations use a business continuity plan to help recover from an incident or from a natural disaster. It provides guidance to restore affected systems and devices so they can return to normal operating activities. 

The plan prioritizes these systems and lists recovery time and point objectives that detail when and how they should be restored. Organizations document a recovery time objective (RTO) to understand how quickly they need to recover IT infrastructure and services to maintain business continuity. Organizations use a recovery point objective (RPO) to measure the maximum tolerable amount of data to lose. When recovering from an incident, a network security engineer starts with business-critical systems and help replace compromised data with a clean backup. They may need to perform system and network validation and testing to ensure the systems are functioning as expected. 

Following an incident, it’s important to hold an after-action meeting to discuss lessons learned. This process can be used to help strengthen policies, processes, and controls against future threats. A network security engineer may need to provide recommendations on how to make the network more resilient in the future. The organization may also need to update training to harden the workforce and provide awareness on any new procedures or tools. 

Implement Successful Recovery Criteria

When recovering systems to restore the network to business as usual, it’s important to agree upon the criteria the business uses to define success. The network security engineer should confirm when the system can be returned to production, taking into consideration that remediation must be confirmed to be successful. The system should be functioning normally and it should have been patched and hardened against future threats. 

Other considerations include:

  • Deciding whether the system needs to be restored from a trusted backup, whether data has been destroyed or altered, and if so, which backup should be used.
  • Recommending additional monitoring to put in place, as well as a timeline of how long that additional monitoring should be used.
  • Identifying additional tools to ensure similar attacks don’t recur.
  • Providing stakeholders with a brief summary of what took place so they understand the remediation steps that were taken and the current state of the recovered system.

Knowledge Check

Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the function in the left column to the matching category on the right. When you finish matching all the items, click Submit to check your work. If you’d like to start over, click Reset.

Sum It Up

In this trail, you’ve covered the nuts and bolts of what a network security engineer’s job may entail. You’ve reviewed how a network security engineer can leverage a security framework to identify the assets, users, and topology of the network and protect them using a variety of tools, including network segmentation and compensating controls. You’ve also explored how to detect intrusions when they occur and the steps a network security engineer should be aware of when responding to and recovering from an incident. Now you should have a good sense of the skills a network security engineer possesses and be familiar with a day in the life of a security engineer. 

Interested in exploring more cybersecurity-related information? Check out the Cybersecurity Learning Hub on Trailhead.