You Found the Cyber Attack, Now Get Rid of It
John Iacono • February 7, 2025

If your organization’s Incident Response Plan (IRP) is going as projected in the aftermath of a cyber incident, the attack has been identified and contained. Now it is time for phase 4, eradication.

Containment of the attack should keep it from spreading throughout the system. The goal of eradication is to completely remove threats from the affected network and allow for the next step of recovery.

As the National Institute of Standards and Technology (NIST) states in its Computer Security Incident Handling Guide, eradication and recovery are closely linked. Eradication is the step in which malware is deleted, compromised user accounts are disabled, and the vulnerabilities that were exploited are identified and mitigated. There will be incidents where eradication is not necessary, or where it happens as part of the recovery phase.

However, when eradication is necessary, NIST says “it is important to identify all affected hosts within the organization so that they can be remediated.”

Eviction and Mitigation

Eradication is about confidence. The incident response team must be confident that its actions will completely eradicate the threat before it can move on to the recovery phase. Any remnants of the attack left behind can continue to do damage quietly, which can not only force the team back to phase 2 (containment) but could also cause serious reputational damage if more sensitive data is compromised.

To ensure full eradication, incident response teams should pursue two goals: eviction and mitigation. Eviction is wiping the environment clean of the threat, so that no trace of the threat actor remains on the network or on devices. Mitigation fixes the vulnerabilities that were exploited, closing the doors through which the threat actor could return.

Best Practices for Eradication

The incident response team’s role in eradication is to provide detailed coordination and documentation throughout the process. For the IRP, the Cybersecurity and Infrastructure Security Agency (CISA) recommends assembling a list of best-practice activities and a vulnerability response playbook to address the threat. These activities include:

  • Remediating all infected areas of the network, including cloud and hybrid systems
  • Rebuilding systems and hardware
  • Replacing infected files with clean files
  • Patching vulnerabilities
  • Resetting passwords or creating new credentials if necessary
  • Monitoring for any sign of the threat in the containment phase
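The activities above are stated at playbook level. The Python helper below is an added example, not code from the original post, NIST or CISA; it turns three of those activities (replacing infected files, resetting credentials, monitoring for the threat) into checks the team can run before declaring eradication complete and handing off to recovery. Every path, hostname, account name, date, hash baseline and log line in it is constructed for illustration; the indicator strings are placeholders, not real indicators from any incident.

```python
"""Eradication verification helper (added example, not from the original post).

Three checks against constructed sample data:
  1. files whose hash no longer matches a known-good baseline (replace with clean copies)
  2. accounts flagged in the incident whose credentials were not reset after it began
  3. post-eradication log lines that still mention an indicator from the incident
If any list is non-empty, the team is not yet ready to move on to recovery.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date


@dataclass
class EradicationReport:
    """Outstanding eradication work; empty lists mean the checks passed."""
    files_to_replace: list[str] = field(default_factory=list)
    accounts_to_reset: list[str] = field(default_factory=list)
    lingering_indicators: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.files_to_replace or self.accounts_to_reset
                    or self.lingering_indicators)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_tampered_files(baseline: dict[str, str],
                        current: dict[str, bytes]) -> list[str]:
    """Paths whose content no longer hashes to the known-good baseline value,
    plus baseline paths that are missing entirely (both need a clean copy)."""
    bad = []
    for path, good_hash in baseline.items():
        data = current.get(path)
        if data is None or sha256_hex(data) != good_hash:
            bad.append(path)
    return sorted(bad)


def find_accounts_to_reset(flagged: set[str], last_reset: dict[str, date],
                           incident_start: date) -> list[str]:
    """Flagged accounts with no credential reset dated after the incident began.
    A reset on or before incident_start does not count: it may predate the
    attacker's access, so the credential must be treated as exposed."""
    return sorted(acct for acct in flagged
                  if acct not in last_reset or last_reset[acct] <= incident_start)


def find_lingering_indicators(log_lines: list[str],
                              indicators: list[str]) -> list[str]:
    """Post-eradication log lines that still mention an indicator from the incident."""
    pattern = re.compile("|".join(re.escape(i) for i in indicators), re.IGNORECASE)
    return [line for line in log_lines if pattern.search(line)]


def build_report(baseline, current, flagged, last_reset, incident_start,
                 log_lines, indicators) -> EradicationReport:
    return EradicationReport(
        files_to_replace=find_tampered_files(baseline, current),
        accounts_to_reset=find_accounts_to_reset(flagged, last_reset, incident_start),
        lingering_indicators=find_lingering_indicators(log_lines, indicators),
    )


# --- constructed sample data: no real hosts, files, accounts or indicators ---
CLEAN_CONTENT = {
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/opt/app/app.conf": b"listen=127.0.0.1:8080\n",
    "/opt/app/allowlist.conf": b"10.0.0.0/8\n",
}
# Known-good hashes would normally come from a gold image or package manifest.
BASELINE = {path: sha256_hex(data) for path, data in CLEAN_CONTENT.items()}

CURRENT_FILES = {
    "/etc/cron.d/backup": CLEAN_CONTENT["/etc/cron.d/backup"] + b"# line added after baseline\n",
    "/opt/app/app.conf": CLEAN_CONTENT["/opt/app/app.conf"],
    # /opt/app/allowlist.conf is absent: deleted during the incident
}

FLAGGED_ACCOUNTS = {"svc_backup", "jdoe", "admin"}
LAST_RESET = {"jdoe": date(2025, 2, 6), "admin": date(2025, 1, 15)}
INCIDENT_START = date(2025, 2, 3)

INDICATORS = ["c2.example.invalid", ".persist-example"]  # placeholder indicators
POST_ERADICATION_LOGS = [
    "2025-02-07T09:00:01 host-a sshd: Accepted publickey for jdoe",
    "2025-02-07T09:04:12 host-b dns: query c2.example.invalid from 10.0.4.7",
    "2025-02-07T09:05:00 host-a cron: (root) CMD (/usr/local/bin/backup.sh)",
    "2025-02-07T09:06:30 host-c audit: open /home/svc_backup/.persist-example",
]


def sample_report() -> EradicationReport:
    return build_report(BASELINE, CURRENT_FILES, FLAGGED_ACCOUNTS, LAST_RESET,
                        INCIDENT_START, POST_ERADICATION_LOGS, INDICATORS)


if __name__ == "__main__":
    report = sample_report()
    print("replace files:", report.files_to_replace)
    print("reset accounts:", report.accounts_to_reset)
    print("lingering indicators:", len(report.lingering_indicators))
    print("ready for recovery:", report.is_clean())
```

On the sample data the report flags the modified cron file and the missing allowlist for replacement, `admin` (reset before the incident) and `svc_backup` (never reset) for credential rotation, and two log lines that still reference an indicator, so `is_clean()` returns `False`. Treating a pre-incident reset as insufficient is the design choice that matters here: the attacker may have captured the credential after that reset, which is why the check keys on the incident start date rather than on whether a reset ever happened.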

“Threat actors often have multiple persistent backdoor accesses into systems and networks and can hop back into ‘clean’ areas if eradication is not well orchestrated and/or not stringent enough,” according to CISA’s Cybersecurity Incident and Vulnerability Response Playbooks. “Therefore, eradication plans should be well formulated and coordinated before execution.”

When complete, eradication will lead into recovery, Phase 5 of your IRP.
