by TheHappyOddish 995 days ago
The "start from scratch" (or as we used to call it, 'nuke from orbit') approach is the only feasible one.

If an attacker had full root across the org for an undetermined (but not short) period, I'm unsure what other approach you think you could take? You can't just run MalwareBytes and call it a day.


Step 1 is to review your existing telemetry. You determine the possible scope of the attack based on the evidence you find. You remediate based on that. You may also want to consider scope that you don't have evidence for but that you lack telemetry for and that you believe an attacker could have accessed - that's fine too.

This comes down to a risk assessment. No company has a breach and just shuts everything down; that is insane. When we perform IR we build a detailed timeline, we collect the scope of potential access, and we form a remediation plan. We don't just go "well hey, anything can happen right? shut it all down".

Nuke it from orbit applies to a workstation, not an enterprise environment.
Nukes can be applied to all kinds of shit. It's easy enough to understand the implication of the phrase that there's no need to pretend it can only apply to specific items.
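The evidence-based scoping described in the thread (review the telemetry you have, build a timeline, derive the set of hosts the attacker could have reached, and treat hosts you have no telemetry for as unknown rather than clean) can be sketched in a few functions. This is an added example, not code from any commenter; the host inventory, the log format and the log lines are constructed, and the "first seen" time for the compromised credential is an assumed input that would normally come from the timeline work itself.

```python
"""Evidence-based intrusion scoping over constructed telemetry.

Added example for this thread, not code from any commenter. It assumes a
small host inventory (with a flag for whether each host forwards logs), a
list of authentication events in a constructed text format, and one
credential already known to be compromised. It builds a timeline from the
evidence, derives the set of hosts the attacker demonstrably touched, and
separately lists hosts with no telemetry so they are reported as unknown
scope instead of being silently treated as clean.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed inventory: host -> whether it forwards authentication logs.
INVENTORY: Dict[str, bool] = {
    "ws-01": True,
    "ws-02": True,
    "fs-01": True,
    "db-01": True,
    "legacy-01": False,  # no agent, no logs of its own
    "kiosk-01": False,   # no agent, no logs of its own
}

# Constructed auth events: "<iso time> <user> <src> -> <dst> <result>".
# Each line is written by the *source* host, so a host without its own
# logging (legacy-01) can still appear as a destination.
SAMPLE_LOG = """\
2023-03-01T08:02:11 alice ws-01 -> fs-01 success
2023-03-01T09:15:40 svc-backup ws-02 -> fs-01 success
2023-03-01T22:41:03 svc-backup ws-02 -> db-01 success
2023-03-02T01:07:55 svc-backup db-01 -> ws-01 success
2023-03-02T01:09:12 bob ws-01 -> fs-01 failure
2023-03-02T02:00:00 svc-backup db-01 -> fs-01 failure
2023-03-02T03:30:00 svc-backup ws-01 -> legacy-01 success
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    dst: str
    ok: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed log format into events sorted by timestamp."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, arrow, dst, result = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected line: {line!r}")
        events.append(AuthEvent(datetime.fromisoformat(ts), user, src, dst,
                                result == "success"))
    return sorted(events, key=lambda e: e.ts)


def build_timeline(events: List[AuthEvent], user: str,
                   first_seen: datetime) -> List[AuthEvent]:
    """Every event for the compromised credential from first_seen onward,
    successes and failures alike, since both belong in the timeline."""
    return [e for e in events if e.user == user and e.ts >= first_seen]


def confirmed_scope(timeline: List[AuthEvent]) -> Set[str]:
    """Hosts the attacker demonstrably touched: both ends of each
    successful logon. Failed attempts are evidence of intent, not access."""
    scope: Set[str] = set()
    for e in timeline:
        if e.ok:
            scope.update((e.src, e.dst))
    return scope


def assess(inventory: Dict[str, bool], events: List[AuthEvent], user: str,
           first_seen: datetime) -> dict:
    """Split the inventory into confirmed, unknown (no telemetry and no
    evidence either way) and no-evidence-of-access hosts."""
    timeline = build_timeline(events, user, first_seen)
    confirmed = confirmed_scope(timeline)
    unknown = {h for h, has_logs in inventory.items()
               if not has_logs and h not in confirmed}
    no_evidence = set(inventory) - confirmed - unknown
    return {"timeline": timeline, "confirmed": confirmed,
            "unknown": unknown, "no_evidence": no_evidence}


def run_example() -> dict:
    """Assumed input: svc-backup was judged compromised from 22:00 on day 1."""
    first_seen = datetime.fromisoformat("2023-03-01T22:00:00")
    return assess(INVENTORY, parse_log(SAMPLE_LOG), "svc-backup", first_seen)


if __name__ == "__main__":
    result = run_example()
    for e in result["timeline"]:
        print(e.ts.isoformat(), e.user, e.src, "->", e.dst,
              "ok" if e.ok else "FAILED")
    for bucket in ("confirmed", "unknown", "no_evidence"):
        print(f"{bucket}: {sorted(result[bucket])}")
```

The three buckets map onto the remediation plan the commenter describes: confirmed hosts get rebuilt or cleaned, unknown hosts get a risk decision (rebuild, isolate, or accept) because the evidence cannot say either way, and hosts with telemetry but no sign of access are where a blanket rebuild is hardest to justify. Note that fs-01 was reached by the same account before the assumed first-seen time, so moving that boundary earlier changes the scope; the quality of the timeline drives everything downstream.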