Remediation

ANSSI publishes a set of guides on post-incident remediation. These guides lay out principles and guidelines for the management and implementation of a remediation scheme within an organisation affected by a cybersecurity incident.

Published 16 April 2025. Updated 20 May 2025.

The purpose of these guides is to highlight the challenges inherent to remediation, to provide its main doctrinal pillars, and to lay the foundations for the associated organisational and technical actions.

The financial and material damage that can result from a cyberattack is considerable. If a major incident is only partially or inadequately remedied, its effects can be long-lasting. This high potential for destabilisation requires both organisations and cybersecurity service providers to possess the know-how necessary to contain these cyberattacks, regain control of the compromised information system, and restore services to a sufficiently operational state. The remediation process endeavours to achieve this. It is one of the major aspects of cyber-incident response, along with investigation and crisis management.

ANSSI is working with the cybersecurity ecosystem to develop and disseminate the doctrinal pillars pertaining to the implementation and management of remediation. It publishes a corpus of doctrines, broken down into three sections (strategic, operational, and technical) and intended to be gradually expanded. The documents respectively detail:

  • At the strategic level: the challenges which come with remediation for an organisation affected by a security incident
  • At the operational level: the principles of remediation project management and implementation
  • At the technical level: the technical documents to assist in achieving the adversary’s eviction from specific environments

The goal of the strategic-level documents is to define the main concepts necessary to understand the role of decision makers in the remediation process:

Cyber Attacks and Remediation, the Keys to Decision-making

The operational documents are intended for CISOs, internal IT services and remediation management teams. They will help the remediation teams break strategic objectives down into technical objectives. They provide operational tools allowing technical team managers to manage the remediation project and its participants.

Cyber Attacks and Remediation: Managing the Remediation

The technical documents are intended for your operations teams. They detail the main implementation topics to consider during a remediation. These documents guide your organisation through the technical actions to be carried out during a remediation, for specific technologies (Active Directory Tier 0, etc.).

Cyber Attacks and Remediation: Remediation of Active Directory Tier 0