… is quicker than reimaging impacted ones.
In most situations, reimaging impacted systems is faster than purchasing new ones. Generally, when you buy a new device, you still have to configure it to work in your environment. In those instances, reimaging achieves the same purpose as buying new. Therefore, it may be quicker and more cost-effective to reimage impacted machines.
… is necessary because we cannot tamper with the forensic investigation.
Reimaging or wiping a computer will indeed erase all of its forensic data. While it's essential to understand what happened, there are ways to reimage systems and get them operational while preserving the integrity of the forensic evidence. Rather than purchasing new hardware to replace the impacted systems, you could do one of two things:
- Replace the hard drive of the impacted systems and preserve the impacted drive for the forensic investigators.
- Make a forensic image copy of the impacted system to an external hard drive for the forensic investigators.
Either option guarantees the forensic provider will have the data they need to investigate while allowing you to recover your environment more quickly. These options should always be discussed with legal counsel to ensure compliance with any legal/regulatory obligations.
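The second option above, written out as an added example (not code from the original article): image the impacted drive to an external destination, hash both source and image, and record the result in a manifest so investigators can confirm the copy is faithful before the original is reimaged. Paths and the hashing tool are assumptions; use read-only access or a write blocker on the source.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes POSIX sh, dd and
# sha256sum (or shasum) are available. SRC/DST below are placeholders,
# e.g. SRC=/dev/sdb (attached read-only) and DST=/mnt/evidence/case-0001.dd

sha256_of() {
    # Print only the hex digest of the file or device given as $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image SRC DST: returns 0 only when both hashes match.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# image_and_verify SRC DST
# Copies SRC to DST with dd, keeps dd's block counts in DST.dd.log,
# writes DST.manifest with both hashes, and returns 0 when they match.
image_and_verify() {
    src=$1; dst=$2
    # bs=512 matches the sector size, so conv=noerror,sync only pads
    # unreadable sectors with zeros instead of shifting later data; a
    # healthy whole-disk source therefore hashes identically to its image.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log" || return 1
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")
    {
        printf 'source=%s\n' "$src"
        printf 'image=%s\n' "$dst"
        printf 'source_sha256=%s\n' "$src_hash"
        printf 'image_sha256=%s\n' "$dst_hash"
        printf 'acquired_at=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >"$dst.manifest"
    [ "$src_hash" = "$dst_hash" ]
}
```

Keep the manifest and dd log with the image; a later `verify_image` run against the stored image detects any change to the evidence copy.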
… is necessary because our systems are bricked.
A system is "bricked" when it can no longer be recovered by any means whatsoever. In practice, cyberattacks rarely brick systems. Before investing time and money in a new system, check the following:
- Try a different power cable/source.
- Swap out the hard drive and reinstall a new operating system.
- Reinstall the computer’s firmware.
Performing these activities helps determine whether your systems are truly bricked. Often the operating system is the culprit: it fails to boot, so the system will not start and appears to be bricked.
… is essential because I can no longer trust and connect them to my network.
Dealing with a cyber incident is not a pleasant experience. However, when faced with one, the forensic providers involved can establish what happened during the incident, ideally providing technical details on:
- How did the threat actors gain access to the environment?
- What was the extent of the threat actor's malicious activity?
- Was any data exfiltrated from the environment?
By answering these questions and assessing the impact, forensic investigators can recommend how to build a more resilient and secure environment. In most cases, the reimaged systems can be placed back into the environment. Proper endpoint monitoring capabilities will also guarantee that these systems have additional protection and that it's safe to reintroduce them into your environment.