Incident eradication
Last updated
Deals with the actual cleaning, removing or re-imaging of systems
Documentation is key
Should work from documented and approved steps
Don't lean into your own understanding!
Preventative methods can be improved here
Scanning of restored or re-imaged systems to ensure infections are gone
Main goal is to make sure the threat is completely removed
Cleaning should be a defined process
Re-imaging may not be enough
BIOS rootkits, boot-sector infections, etc. survive a disk re-image
Define whose role is responsible for "cleaning"
Use original disk images
Remember to patch back up to latest
Remember to check images
Are they compromised as well?
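One way to check the original images before re-imaging, as an added example that is not part of these notes: compare each golden image on disk against a manifest of SHA-256 hashes recorded when the images were built. The manifest format and the image names are assumptions for the demo; in practice the manifest is kept offline or signed so an attacker who reached the image store cannot rewrite it too.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-GB images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_images(manifest: dict, image_dir: Path) -> dict:
    """Compare every image named in the manifest against what is on disk.
    Returns lists of ok / modified / missing images plus files in the image
    store that nobody recorded (a possible dropped payload or stale copy)."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in sorted(manifest.items()):
        p = image_dir / name
        if not p.is_file():
            result["missing"].append(name)
        elif sha256_of_file(p) != expected.lower():
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    known = set(manifest)
    result["unexpected"] = sorted(
        p.name for p in image_dir.iterdir() if p.is_file() and p.name not in known
    )
    return result


def demo() -> dict:
    """Constructed scenario (hypothetical names): two golden images are recorded
    in a manifest, then one is tampered with and a stray file appears."""
    with tempfile.TemporaryDirectory() as d:
        image_dir = Path(d)
        images = {"ws-gold.img": b"workstation golden image v3\n",
                  "srv-gold.img": b"server golden image v7\n"}
        for name, data in images.items():
            (image_dir / name).write_bytes(data)
        manifest = {n: hashlib.sha256(b).hexdigest() for n, b in images.items()}
        (image_dir / "srv-gold.img").write_bytes(images["srv-gold.img"] + b"#")
        (image_dir / "notes.txt").write_bytes(b"stray file\n")
        return verify_images(manifest, image_dir)


if __name__ == "__main__":
    print(demo())  # expect srv-gold.img modified and notes.txt unexpected
```

Any entry under modified, missing or unexpected means the image store itself needs investigation before it is used to rebuild anything.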
In a cloud environment you no longer have physical access
"Sanitize" will have a different meaning
"Eradicate" may have a different meaning
Re-imaging could be easier
Communicate with CSP during preparation phase