In the realm of cybersecurity incidents, the eradication strategy holds paramount importance in mitigating the aftermath of a breach.
Eradication: Removing the Cause
Complete Removal: Eradication is the comprehensive removal and destruction of the cause of the incident, so that no remnant of the compromise (malware, persistence mechanisms, attacker tooling) is left behind.
Simplified Eradication: The most dependable way to eradicate a contaminated system is to replace it with a clean image sourced from a trusted repository rather than attempting to clean it in place.
Sanitization: Ensuring Data Disposal
Cryptographic Erase (CE): Used with self-encrypting drives; the media encryption key is erased so the stored ciphertext can no longer be decrypted. The encrypted data stays on the media, so verification means confirming the key is gone rather than reading back zeros.
Zero-Fill Technique: Overwrites every bit on magnetic media with zero. It is not suitable for SSDs or hybrid drives, where wear levelling and over-provisioning leave cells the host cannot address.
Secure Erase (SE): Sanitizes solid-state devices through the manufacturer-provided (firmware-level) erase command, which is the correct method for SSDs.
Secure Disposal: Physical destruction (e.g., mechanical shredding or incineration), or degaussing for magnetic media, used for top-secret or highly confidential information. Degaussing has no effect on flash storage.
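As an added example (not part of the original article), the following Python script shows the two verification checks a practitioner wants from this section: a zero-fill with read-back confirmation, and a toy model of a self-encrypting drive showing that after a cryptographic erase the media still holds ciphertext, so CE is verified by confirming the key is gone rather than by looking for zeroed sectors. The "device" is an ordinary temporary file standing in for a block device, and the SHA-256 counter-mode keystream stands in for the drive's AES; both are assumptions made for the demonstration.

```python
"""Sanitization verification: zero-fill with read-back check, plus a model of
cryptographic erase (CE) on a self-encrypting drive.

Added example, not from the original article. The "device" is a temporary file
standing in for a block device, and the toy SHA-256 counter-mode keystream
stands in for the drive's AES. Real sanitization targets the device node and is
irreversible.
"""
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit


def zero_fill(path: str) -> int:
    """Overwrite every byte of `path` in place with 0x00 and fsync; return bytes
    written. No truncation, because a block device has a fixed size."""
    size = os.path.getsize(path)
    zeros = bytes(CHUNK)
    fd = os.open(path, os.O_WRONLY)
    try:
        written = 0
        while written < size:
            written += os.write(fd, zeros[: min(CHUNK, size - written)])
        os.fsync(fd)  # the zeros must reach the media, not just the page cache
    finally:
        os.close(fd)
    return written


def count_nonzero_bytes(path: str) -> int:
    """Read the media back and count bytes that are not 0x00. Zero verifies a
    zero-fill on magnetic media; on an SSD it only shows the host-visible LBA
    range reads as zero, remapped and over-provisioned cells are unreachable."""
    nonzero = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            nonzero += len(chunk) - chunk.count(0)
    return nonzero


class ToySelfEncryptingDrive:
    """Sectors are stored as ciphertext under a media encryption key (MEK) held
    only in the controller. CE replaces the MEK; the media bytes are untouched."""

    SECTOR = 512

    def __init__(self, sectors: int):
        self.mek = secrets.token_bytes(32)
        self.media = bytearray(sectors * self.SECTOR)  # what a forensic dump sees

    def _keystream(self, sector: int) -> bytes:
        # Toy counter mode: SHA-256(MEK || sector || block index), 16 blocks per sector.
        return b"".join(
            hashlib.sha256(self.mek + sector.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
            for i in range(self.SECTOR // 32)
        )

    def _span(self, sector: int) -> slice:
        return slice(sector * self.SECTOR, (sector + 1) * self.SECTOR)

    def write(self, sector: int, data: bytes) -> None:
        data = data.ljust(self.SECTOR, b"\0")[: self.SECTOR]
        self.media[self._span(sector)] = bytes(a ^ b for a, b in zip(data, self._keystream(sector)))

    def read(self, sector: int) -> bytes:
        return bytes(a ^ b for a, b in zip(self.media[self._span(sector)], self._keystream(sector)))

    def cryptographic_erase(self) -> None:
        self.mek = secrets.token_bytes(32)  # old MEK destroyed; ciphertext is now unrecoverable

    def media_is_all_zero(self) -> bool:
        return not any(self.media)


def demo() -> dict:
    """Run both checks and return the facts a sanitization record should hold."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "sdX")  # constructed stand-in for /dev/sdX
        with open(dev, "wb") as f:
            f.write(secrets.token_bytes(3 * CHUNK + 17))  # deliberately not chunk-aligned
        result["nonzero_before"] = count_nonzero_bytes(dev)
        result["written"] = zero_fill(dev)
        result["nonzero_after"] = count_nonzero_bytes(dev)
    sed = ToySelfEncryptingDrive(sectors=8)
    sed.write(3, b"PATIENT RECORD 0042")  # constructed sample data
    result["read_before_ce"] = sed.read(3)[:19]
    sed.cryptographic_erase()
    result["read_after_ce"] = sed.read(3)[:19]
    # Looking for zeros is the wrong check for CE: the ciphertext is still on the media.
    result["media_zero_after_ce"] = sed.media_is_all_zero()
    return result


if __name__ == "__main__":
    print(demo())
```

Against a real disk the path would be the device node and the run is destructive. For an SSD the read-back tells you nothing about sanitization; the manufacturer's Secure Erase or the drive's cryptographic erase command is used instead, and the check is that the key is gone, not that sectors read as zero.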
Eradication Actions
Reconstruction: Rebuilding a sanitized system from scripted installation routines and configuration templates.
Reimaging: Restoring a sanitized system from an image-based backup.
Reconstitution: Cleaning a system that cannot be sanitized, through manual removal of the malware, reinstallation of affected components, and continued monitoring.
Seven Steps for Reconstitution:
-- Analyze running processes and network activity for signs of malware
-- Terminate suspicious processes and securely delete their executables and related files from the system
-- Identify and disable autostart locations (services, scheduled tasks, run keys, cron jobs, startup scripts) so the malware cannot relaunch
-- Replace contaminated files with clean versions from trusted media
-- Reboot the system and analyze it again for signs of continued infection
-- If the infection persists, analyze firmware and attached USB devices as sources of reinfection
-- If all tests are negative, reintroduce the system to the production environment
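As an added example (not part of the original article), the following Python script implements the file-level part of steps 4 and 5 above: it builds a hash manifest from trusted media, audits the host against it, replaces modified or missing files from that media, removes files that have no business being there, and audits again to confirm nothing remains. The "trusted media" and the "compromised host" are small directory trees constructed in a temporary folder; the file names and contents are made up for the demonstration.

```python
"""Reconstitution check: audit a host's files against a manifest built from
trusted media, replace what differs, remove what should not be there, re-verify.

Added example, not from the original article. The "trusted media" and the
"compromised host" are small directory trees constructed in a temporary folder;
file names and contents are made up for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 for every regular file under `root`."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def audit(host_root: str, trusted: dict) -> dict:
    """Classify host files against the trusted manifest.

    modified   -> hash differs from trusted media: replace (step 4)
    unexpected -> not on trusted media at all: a dropped file or remnant, remove
    missing    -> on trusted media but gone from the host: restore
    """
    on_host = build_manifest(host_root)
    return {
        "modified": sorted(p for p in on_host if p in trusted and on_host[p] != trusted[p]),
        "unexpected": sorted(p for p in on_host if p not in trusted),
        "missing": sorted(p for p in trusted if p not in on_host),
    }


def remediate(host_root: str, trusted_root: str, findings: dict) -> None:
    """Apply the audit result, using trusted media as the only source of replacements."""
    for rel in findings["modified"] + findings["missing"]:
        dst = os.path.join(host_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(trusted_root, rel), dst)
    for rel in findings["unexpected"]:
        os.remove(os.path.join(host_root, rel))


def _put(root: str, rel: str, body: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(body)


def demo() -> dict:
    """Constructed scenario: one trojaned binary, one dropped library, one deleted tool."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted_root = os.path.join(tmp, "trusted_media")
        host_root = os.path.join(tmp, "host")
        for rel, body in {"bin/sshd": b"sshd 9.x", "bin/ls": b"ls 9.x", "lib/libc.so": b"libc"}.items():
            _put(trusted_root, rel, body)
        trusted = build_manifest(trusted_root)  # manifest taken from trusted media, never the host

        shutil.copytree(trusted_root, host_root)  # host started out identical...
        _put(host_root, "bin/sshd", b"sshd 9.x" + b"<backdoor>")  # ...then a binary was trojaned
        _put(host_root, "lib/libpersist.so", b"<implant>")  # a dropped remnant
        os.remove(os.path.join(host_root, "bin/ls"))  # a tool deleted by the attacker

        before = audit(host_root, trusted)
        remediate(host_root, trusted_root, before)
        after = audit(host_root, trusted)  # step 5: confirm nothing remains after remediation
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

On a real host the manifest comes from the installation media or a golden image, never from the suspect system, and the audit is repeated after the reboot in step 5. Files that land in "unexpected" are exactly the remnants the eradication definition above is concerned with; files in "modified" are the ones step 4 replaces.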
The success of incident response relies heavily on effective eradication and thorough sanitization. Swift, well-planned implementation of these measures significantly reduces the impact of a security breach and strengthens an organization's resilience against cyber threats.
Akash Patel