Incident Eradication and Recovery

Eradication is the phase of incident response where the root cause of an incident is completely removed from the environment. Recovery is the subsequent phase where systems are restored to normal operations. Both are part of the NIST SP 800-61 Incident Response Lifecycle, which includes Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Activity. The SY0-701 exam expects you to know specific eradication and recovery techniques and when to apply them.

Eradication begins after containment has stopped the incident from spreading. The goal is to eliminate all artifacts of the compromise. This includes: - Malware removal: Using antivirus, EDR tools, or manual removal. - Backdoor closure: Deleting unauthorized user accounts, removing SSH keys, or disabling rogue services. - Vulnerability remediation: Patching the exploited vulnerability (e.g., applying MS17-010 for EternalBlue). - Credential revocation: Resetting passwords for all affected accounts and invalidating session tokens. - System reimaging: In many cases, the most reliable eradication method is to wipe the system and reinstall the OS from a known-good image.

A common mistake is skipping eradication and moving directly to recovery. For example, if an attacker left a scheduled task that re-infects the system, simply restoring from backup without removing that task will lead to reinfection.

Attackers often use multiple persistence mechanisms. For example, a common technique is to install a backdoor as a Windows service (T1543.003) and also add a registry Run key (T1547.001). If the incident responder only removes the service but misses the registry key, the attacker can regain access. Another example: after a ransomware attack, attackers may leave behind a scheduled task that re-encrypts files if the ransom is not paid. Eradication must identify and remove all such mechanisms.

- Windows: - sc delete <service_name> to remove a malicious service. - reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v MaliciousKey /f to remove a registry run key. - schtasks /delete /tn "TaskName" /f to delete a scheduled task. - Linux: - systemctl disable <service> and rm /etc/systemd/system/<service>.service. - crontab -e to remove cron jobs. - kill -9 <PID> and rm -rf /path/to/malware. - Network: Remove malicious firewall rules using iptables -D or via the firewall management console.

Recovery involves restoring data from clean backups, verifying system integrity, and monitoring for signs of residual compromise. Key steps: - Restore from backup: Use offline or immutable backups to avoid restoring compromised data. - Patch and harden: Apply security patches and configuration changes to prevent recurrence. - Test functionality: Ensure the system operates correctly before returning to production. - Monitor: Increase logging and alerting for the affected systems for a period after recovery.

After eradication and recovery, conduct a lessons-learned meeting. Update incident response plans, improve detection capabilities, and consider implementing additional controls like application whitelisting or network segmentation.

The SY0-701 exam will test your ability to sequence the phases correctly and choose the right eradication or recovery action for a given scenario. For example, you may be asked: 'After containing a malware outbreak on a server, what is the next step?' The correct answer is eradication, not recovery. Another common question: 'Which of the following is the best way to ensure complete removal of malware from a system?' The answer is to reimage the system from a known-good backup.

Scenario 1: Ransomware Attack on a Hospital

A hospital's file server is encrypted by Ryuk ransomware. After containment (isolating the server via network segmentation), the incident response team proceeds to eradication. They use EDR logs to identify all systems that communicated with the ransomware C2 server. They find that the attacker used a compromised domain admin account. The team resets the KRBTGT password twice and revokes all domain admin credentials. They then reimage the file server from a snapshot taken two weeks prior (verified clean). They apply the latest Windows patches and enable LSA protection. After recovery, they monitor for 72 hours for any signs of reinfection. A common mistake would be to simply restore the server without resetting the domain admin credentials, which would allow the attacker to re-encrypt the server.

Scenario 2: Web Application Breach via SQL Injection

A retail company's e-commerce database is exfiltrated via SQL injection. The incident response team contains the web server by taking it offline. During eradication, they remove the malicious PHP webshell left by the attacker, patch the SQL injection vulnerability in the login form, and reset all database user passwords. They also delete any unauthorized SSH keys added to the server. They then restore the database from a clean backup. After recovery, they deploy a WAF rule to block SQL injection patterns. A common mistake is to patch the vulnerability but not remove the webshell, allowing the attacker to regain access through the backdoor.

Scenario 3: Insider Threat - Data Exfiltration via USB

An employee exfiltrates sensitive data using a USB drive. The incident response team contains the user's workstation and revokes network access. Eradication involves removing any malware the employee may have installed (e.g., a keylogger), disabling the USB port via Group Policy, and resetting the employee's credentials. They then recover the workstation by restoring from a clean image. The team also implements DLP controls to prevent future USB exfiltration. A common mistake is to only disable the USB port without checking for other persistence mechanisms the insider may have used.