In a previous post we discussed Incident Response (IR) processes and our preference is one that runs Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned (PICERL). In this post, we are going to be looking a bit more into the Eradication phase of IR.
If you’ve got this far, you have identified that an incident took place. Then you carried out an awesome investigation to understand what happened. Consequently, you were able to contain the attack. Now you need to get the attackers out. You need to eradicate them from your environment.
Containment is a short-term solution. Now we are looking at a long-term solution. In other words, we want to get the attacker completely out. In addition, we want to keep them out in the future. It is important to remember that every incident is different. As a result of this, eradication measures can vary wildly. This is a good example of why it is critically important to investigate well. You can’t eradicate the attacker’s access if you don’t know how they got it.
Sometimes you might manage this by simply deleting malware. In other incidents, you might need to completely rebuild the domain. Ultimately, you need to deal with the information you have and act decisively. Although speed of response matters, you must never, ever, be hasty.
Previously we’ve talked about how important planning is. This is another phase where that is true. You can’t plan the specific steps to be taken, but you can give guidance. For example, you need to give guidance on:
- Confidence of compromise. By this we mean how sure you need to be that a specific device was compromised. Generally speaking, your investigators will never be 100% confident they have identified every compromised machine. You need to decide how to deal with “might have been compromised” type statements. Often you will want to treat these as confirmed, but eradication can have a cost. For example, rebuilding takes time and resources. You can’t rebuild every time you find malware. As a result, you need a management decision in advance.
- Rebuild, reinstall or remove. This seems simple but it isn’t. First, there is a difference in business impact. For example, simply deleting a virus is a lot cheaper than rebuilding an entire server. Next, it hinges on your risk tolerance. In general, you want to make sure your managers understand this balance in advance.
- Pace. Previously we talked about skipping containment. You can’t skip eradication. If you do, you’ve ignored the incident. However, you do need to decide how fast you want to move. Remember the saying “More Haste, Less Speed.” It really does apply in IR. If doing it completely means doing it slowly, that is still better.
As you can imagine, this is an important phase. You can’t skip it. Also, you can’t rush it.
For these reasons, you need to build a methodical approach, then follow it.