Analyse Network Traffic Post-Intrusion Remediation
Capture and analyse network traffic for a week to ensure hackers are removed after an intrusion.
Plain language
After a hacker breaks into your computer network and you believe you've removed them, this control is about double-checking that they are truly gone. By looking at everything happening on the network for a week, you can spot if the intruders are still lurking and prevent further damage or data theft.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security incidents
Official control statement
Following intrusion remediation activities, full network traffic is captured for at least seven days and analysed to determine whether malicious actors have been successfully removed from the system.
Why it matters
If post-remediation traffic isn’t fully captured and analysed for 7 days, attacker persistence or reinfection may go unnoticed, leading to further compromise.
Operational notes
After remediation, enable full packet/flow capture for at least 7 days, retain logs, and review for C2, beaconing, and repeat IOCs to confirm eradication.
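The two checks named above, beaconing and repeat IOCs, can be run over the captured data once it is exported as flow records. The following is an added example, not code from the Control Stack page or from the ASD ISM; it assumes the capture tool exports flows with a timestamp, source, destination, destination port and byte count, and the flow records and IOC list in it are constructed for illustration.

```python
"""Added example: scan a post-remediation capture window for beaconing and
repeat IOCs. Flow records and the IOC list are constructed, not real data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts 203.0.113.10:443 every ~300 s (beacon-like),
# 10.0.0.7 browses 198.51.100.20:443 at irregular intervals, and one flow from
# 10.0.0.9 goes to a destination that was recorded as an IOC during the incident.
SAMPLE_FLOWS = [
    {"ts": 1_700_000_000 + i * 300 + jitter, "src": "10.0.0.5",
     "dst": "203.0.113.10", "dst_port": 443, "bytes": 512}
    for i, jitter in enumerate([0, 3, -2, 4, -1, 2, 0, -3, 1, 2])
] + [
    {"ts": 1_700_000_000 + t, "src": "10.0.0.7",
     "dst": "198.51.100.20", "dst_port": 443, "bytes": b}
    for t, b in [(15, 9000), (400, 120000), (410, 3000),
                 (2000, 50000), (2100, 700), (2105, 8000)]
] + [
    {"ts": 1_700_003_600, "src": "10.0.0.9", "dst": "192.0.2.44",
     "dst_port": 8443, "bytes": 2048},
]

# Placeholder IOC set: in practice, the indicators (C2 addresses, domains)
# documented in the incident remediation report.
INCIDENT_IOCS = {"192.0.2.44"}


def detect_beaconing(flows, min_connections=6, max_cv=0.1):
    """Return peers whose connections recur at near-regular intervals.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections to the same (src, dst, port).
    A low CV is characteristic of automated check-ins; human-driven traffic
    is bursty and scores far higher.
    """
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[(f["src"], f["dst"], f["dst_port"])].append(f["ts"])
    findings = []
    for peer, stamps in by_peer.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"peer": peer, "count": len(stamps),
                             "interval_s": round(avg), "cv": round(cv, 3)})
    return findings


def match_iocs(flows, iocs):
    """Return every flow whose destination is a known indicator from the incident."""
    return [f for f in flows if f["dst"] in iocs]


def eradication_verdict(flows, iocs):
    """Summarise whether the capture window still shows signs of the actor.

    'clean' is only True when neither check fires; a True result supports the
    eradication claim but does not by itself prove it.
    """
    beacons = detect_beaconing(flows)
    hits = match_iocs(flows, iocs)
    return {"beacons": beacons, "ioc_hits": hits,
            "clean": not beacons and not hits}


if __name__ == "__main__":
    verdict = eradication_verdict(SAMPLE_FLOWS, INCIDENT_IOCS)
    for b in verdict["beacons"]:
        print("beacon candidate:", b)
    for h in verdict["ioc_hits"]:
        print("IOC hit:", h["src"], "->", h["dst"])
    print("capture window clean:", verdict["clean"])
```

Run it once per day of the seven-day window over that day's export, and once over the whole window at the end: a beacon with a long interval (hours rather than minutes) only reaches `min_connections` when several days of flows are analysed together, which is one reason the control asks for a full seven days rather than a spot check.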
Implementation tips
- IT Team should set up network monitoring: After an intrusion, the IT team should install tools to capture all network activity for at least seven days. They can use network monitoring software that logs data about what information is going where and who is accessing it.
- Network Administrator should review daily reports: The network administrator should review the captured network data every day. They need to look for anything unusual or unexpected, such as unknown devices accessing the network or abnormal data transfers.
- System Owner should coordinate with a security expert: The system owner should arrange for a cybersecurity expert to help interpret the network data. This expert can provide insights into whether the captured data shows signs of lingering intruders.
- Security Manager should report findings: The security manager needs to compile a report of the entire week’s findings. This should be shared with senior management to update them on the network's status and any identified threats.
- Organisation Leadership should review the security posture: After reviewing the report, organisation leaders should meet with IT to discuss improvements. This includes adjusting security policies or investing in better tools based on findings from the network traffic analysis.
Audit / evidence tips
- Ask for the weekly network traffic report: Request to see the documented analysis carried out for the seven days after remediation
  Good: A comprehensive report showing consistent review and notes on activities that required further investigation
- Ask for the network monitoring tool settings: Request to see how the network monitoring tools were configured for capturing the data
  Good: Tools set to high sensitivity capturing all inbound and outbound traffic data
- Ask for expert consultation records: Inquire about any consultation notes or communications with cybersecurity experts who assisted in analysing the data
  Good: Detailed advice from an expert that resulted in clear actions or confirmation of no further intrusions
- Ask for the incident remediation report: Request the document summarising actions taken to address the intrusion
  Good: A report showing a timeline of the intrusion, remediation steps, and how network traffic analysis was used to verify success
- Ask for minutes of leadership review meetings: Request the meeting notes where findings of the network analysis were reviewed
  Good: Documented decisions on further security investments or policy changes to strengthen network defences
Cross-framework mappings
How ISM-1213 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.15 | ISM-1213 mandates the capture and analysis of full network traffic for seven days post-intrusion remediation for validation | |
| Annex A 8.16 | ISM-1213 requires a specific post-intrusion activity: capturing full network traffic for at least seven days to confirm removal of an att... | |
| Supports (1) | | |
| Annex A 5.26 | ISM-1213 describes a specific post-remediation activity involving seven days of network traffic capture for threat eradication validation | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.