After an incident is contained, eradication might be necessary to eliminate the sources of the threat altogether and secure the system before you proceed to the recovery stage. Eradication steps might include deleting malware and removing compromised user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it's important to identify all affected accounts, resources, and instances within the environment so that each of them can be remediated; any that are missed can give the attacker a way back in.
It's a best practice that eradication and recovery are done in a phased approach so that remediation steps are prioritized. For large-scale incidents, recovery might take months. The intent of the early phases must be to increase the overall security with relatively quick (days to weeks), high-value changes to prevent future incidents. The later phases must focus on longer-term changes (for example, infrastructure changes) and ongoing work to keep the enterprise as secure as possible.
For some incidents, eradication is either not necessary or is performed during recovery.
Consider the following:
- Can the system be re-imaged and then hardened with patches or other countermeasures to prevent or reduce the risk of attacks?
- Have all malware and other artifacts left behind by the attackers been removed, and have the affected systems been hardened against further attacks?