Eradication
Eradication: Technical Examples
1. Purpose of Eradication
Purpose: To completely remove the root cause of the incident, eliminate all traces of the adversary, and ensure that systems are free from malicious artifacts.
Why: Without thorough eradication, remnants of the attack (e.g., malware, backdoors, or compromised accounts) can allow attackers to regain access, rendering containment efforts ineffective.
2. Key Activities in Eradication
Below are the primary activities involved in the eradication stage, along with technical examples for each:
1. Malware Removal
Purpose: To identify and remove malicious software from compromised systems.
Why: Malware is often the primary tool used by attackers to maintain persistence or escalate privileges.
Technical Example:
Use antivirus or EDR tools to detect and remove malware:
Get-MDATPMachineAction -MachineId <MachineID> -ActionType "RunAntiVirusScan"Manually delete malicious files and terminate associated processes:
rm /path/to/malicious_file kill -9 <PID>
2. Rebuilding Systems
Purpose: To ensure that compromised systems are completely clean by rebuilding them from scratch.
Why: Rebuilding ensures that no hidden backdoors or residual artifacts remain on the system.
Technical Example:
Reimage a compromised server using automation tools like Packer or Ansible:
Example Ansible Playbook (
rebuild_server.yml):
3. Restoring from Backup
Purpose: To restore impacted systems to a known good state using backups.
Why: Backups provide a clean baseline to recover data and functionality without reintroducing malicious artifacts.
Technical Example:
Restore a database from a backup:
Verify the integrity of restored data:
4. Applying Additional Patches
Purpose: To address vulnerabilities that were not immediately patched during containment but may still pose a risk.
Why: Patching ensures that systems are protected against known exploits, reducing the likelihood of re-exploitation.
Technical Example:
Apply missing patches using package managers:
Use tools like WSUS or SCCM to deploy patches across Windows environments:
5. System Hardening
Purpose: To reduce the attack surface of systems and networks by implementing additional security measures.
Why: Hardening minimizes the risk of future incidents by addressing misconfigurations and enforcing best practices.
Technical Example:
Disable unnecessary services:
Configure host-based firewalls to block unnecessary traffic:
Enable Attack Surface Reduction (ASR) rules in Microsoft Defender:
3. Extending Containment Activities
Purpose: To reinforce containment measures by implementing additional safeguards during eradication.
Why: Strengthening defenses during eradication ensures that attackers cannot exploit remaining vulnerabilities.
Technical Example:
Update firewall rules to block newly identified malicious IPs:
Deploy intrusion detection/prevention systems (IDS/IPS) across the network:
4. Network-Wide Hardening
Purpose: To apply hardening measures across the entire network, not just impacted systems.
Why: Attackers often exploit weak points in the broader network, so network-wide hardening reduces the overall risk.
Technical Example:
Segment critical systems into isolated VLANs:
Enforce strong password policies across all systems:
Conclusion
Eradication is a critical step in ensuring that the root cause of an incident is fully addressed and that all traces of the adversary are removed. By removing malware, rebuilding or restoring systems, applying patches, and implementing system-hardening measures, organizations can eliminate the risk of re-exploitation.
Last updated