How To Remediate A Breached Network

If a Qubes system was breached because of a vulnerable kernel module like netback/netfront running
on the sys-net and sys-firewall VMs, what steps should be taken to harden the Qubes system? Using
the mirage-firewall is one step, are there any other steps that can be taken to harden a Qubes system from
a malicious privileged kernel module or driver standpoint?