Recovery in Incident Handling

Recovery in Incident Handling

Back to business, as usual, is the goal in the recovery phase of incident handling. Putting systems back into production in a safe manner is essential. Restore the order and verify that the operation of the system is successful and running normally. Ask system administrator for baseline documentation. Request test plans and after incident handlers have tested the system the business unit should be instructed to retest the system for validity.

When to put the system back in production is always a good question, but unfortunately, this decision will come from the business unit. Still, give your recommendation, and it's ideal to do this when you can monitor the system without heavy user usage.


Once the system is back online, continue to monitor the previously affected system for backdoors that may have escaped detection. Revert to the identification phase to identify old or new signs of an attack. Use an IPS system to your advantage and even add a custom rule that can be triggered as attackers like to use the same attack vector. Continue to check OS and application logs frequently.

Don't rush this step because just in case you missed something or was unaware of a potential hole in the system you are likely to contain and eradicate the threat before damage occurs.

Lessons Learned

If this has been helpful to you, please support this blog by buying a coffee