Return to normal operations
When all exfiltration has ceased with no evidence of continued activity, the organization can return to normal operations—however, some work remains. This includes software patching, re-imaging and manual cleanup activities. Out-of-date code often has dangerous vulnerabilities, so organizations should install all updates so applications are running on the latest version. Manual steps include cleaning up accounts by matching account identities with permissions and enforcing password change and reuse policies.