Eradication in Incident Handling
With the bleeding stopped, the goal of the eradication phase is to rid the system of any artifacts created by the attacker. Determine the cause and symptoms of the attack and how it executed, using the information gathered during the identification and containment phases. This matters because many security professionals and system administrators take the shortcut of reinstalling the operating system and applications from scratch. While it is true that the malicious code can no longer run, the same attack vector is still present. Someone with network and forensic skills should take on this step in the process, as there is no substitute for raw experience. In software engineering, there is a concept of pair programming in which a junior-level engineer works with a senior one. This concept can be applied in security to give those with no experience the opportunity not only to learn but to gain the skills needed if and when an experienced professional is not available.
Restoring from backup
If a recent or semi-recent backup is available, you have a chance to restore any lost data while minimizing the time required to configure and redeploy the system. When choosing a backup, choose one taken before the system was compromised. When using a backup to restore the system, be sure to apply any patches and fix all vulnerabilities that allowed the incident to happen in the first place. You don't want to be the hero, and then a few hours or even weeks later have the same incident occur.
Removing malware
If you are not able to restore the system from a backup, your next option is to clean the system. Cleaning is not the most recommended approach, but the business may not have another choice. Using antivirus software to remove malware can be very easy if the vendor has analyzed the malware. Removing viruses or other malware that do not have signatures may be an arduous task. You'll need to monitor network traffic and running services, and look for recent registry changes and recently modified files. If you encounter a rootkit, you need to rebuild the system from scratch, as the integrity of the operating system itself is lost. If you were successful in removing all malware, make sure to verify that all patches deployed to the system prevent the same attack from happening. I would like to reiterate that although this is a solution, you should encourage the business to rebuild the system from scratch.
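The two manual checks the paragraph describes for malware without signatures (recently changed files and unexpected running services) can be scripted. The following is an added example written for this post, not code from the original; it builds a constructed sample directory tree and two constructed service snapshots so it runs offline. The compromise time, the directory names and the service names are assumptions for the demonstration.

```python
"""Eradication triage helpers (added example, not from the original post).

Two checks for malware that has no antivirus signature yet:
  1. files whose modification time is newer than the suspected compromise time, and
  2. services/listening ports that differ from a known-good baseline snapshot.
All sample input below is constructed inline so the script runs offline.
"""
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def files_modified_after(root, since, skip_suffixes=(".log",)):
    """Return relative paths under `root` whose mtime is newer than `since`.

    Log files are skipped by default because they legitimately churn; an
    attacker's dropped files, cron entries and configs usually do not.
    """
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix in skip_suffixes:
                continue
            try:
                st = path.lstat()  # lstat: do not follow symlinks planted by an attacker
            except OSError:
                continue
            if st.st_mtime > cutoff:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def diff_services(baseline, current):
    """Compare two {service_name: listening_port} snapshots.

    Returns (new_services, missing_services, services_whose_port_changed).
    """
    new_services = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(
        name for name in set(baseline) & set(current) if baseline[name] != current[name]
    )
    return new_services, missing, changed


def build_sample_tree():
    """Constructed sample: a temp dir with one old config file and two files
    touched after the hypothetical compromise time. Returns (root, compromise_time)."""
    root = Path(tempfile.mkdtemp(prefix="eradication-"))
    compromise = datetime.now(timezone.utc) - timedelta(hours=6)  # assumed
    (root / "etc" / "cron.d").mkdir(parents=True)
    (root / "etc" / "app.conf").write_text("ok\n")
    (root / "etc" / "cron.d" / "updater").write_text("* * * * * root /tmp/.x\n")
    (root / "var").mkdir()
    (root / "var" / "app.log").write_text("rotated\n")
    (root / "tmp").mkdir()
    (root / "tmp" / ".x").write_text("binary-placeholder\n")
    # app.conf predates the compromise; everything else keeps its 'now' mtime
    old = (compromise - timedelta(days=30)).timestamp()
    os.utime(root / "etc" / "app.conf", (old, old))
    return root, compromise


# Constructed snapshots: known-good baseline versus what is running now.
BASELINE_SERVICES = {"sshd": 22, "nginx": 443}
CURRENT_SERVICES = {"sshd": 22, "nginx": 443, "svchelper": 4444}


def run_triage():
    """Run both checks against the constructed sample and return the findings."""
    root, compromise = build_sample_tree()
    new_services, missing, changed = diff_services(BASELINE_SERVICES, CURRENT_SERVICES)
    return {
        "recent_files": files_modified_after(root, compromise),
        "new_services": new_services,
        "missing_services": missing,
        "changed_ports": changed,
    }


if __name__ == "__main__":
    for key, value in run_triage().items():
        print(f"{key}: {value}")
```

On a real host you would point `files_modified_after` at the system and application directories with the compromise time taken from the identification phase, and feed `diff_services` a snapshot exported from the host's service manager before the incident and one taken now. Both functions return plain data rather than printing so the results can be kept as evidence.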
Play Defense
Before going back into production, implement additional protections to prevent future attacks on the system.
- Apply firewall rules
- Move the system
- Change the DNS
- Apply patches on similar systems and harden the system with behavior-based endpoint protection when possible
Analyze
Nessus and Rapid7 offer excellent penetration testing tools that can identify weaknesses in your systems. Identifying these weaknesses before an attacker does gives you the opportunity to have security measures in place to prevent an attack. Other tools like Nmap can be used to find open ports that you were unaware of.
Remember to check other systems because attackers often try and use the same exploit on multiple systems.
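Scanning the rebuilt host and its peers only helps if someone compares the result against what should be listening. The following added example (written for this post, not the author's or Nmap's own code) parses Nmap's grepable output format (`-oG`), flags open ports that are not on a per-host allowlist, and then reports which unexpected ports recur across several hosts, which is the "same exploit on multiple systems" pattern the paragraph warns about. The scan text, the addresses and the allowlist are constructed for the demonstration.

```python
"""Compare an Nmap grepable scan against a per-host allowlist (added example).

Grepable (-oG) lines look like:
  Host: <ip> (<hostname>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
The scan below is a constructed sample, not real output from any network.
"""
from collections import defaultdict

SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "4444/open/tcp//krb524///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 4444/open/tcp//krb524///, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n"
)

# Constructed allowlist: the ports each host is supposed to expose.
ALLOWLIST = {
    "10.0.0.5": {22, 443},
    "10.0.0.6": {22},
    "10.0.0.7": {22},
}


def parse_grepable(text):
    """Return {ip: {port: (state, proto, service)}} from -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and the trailing summary line
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue  # malformed entry; skip rather than crash mid-scan
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                hosts[ip][port] = (state, proto, service)
    return dict(hosts)


def find_unexpected(hosts, allowlist):
    """Return {ip: [open ports not in the host's allowlist]} for hosts with findings.

    Only 'open' ports count; filtered or closed ports are not reachable services.
    A host missing from the allowlist is treated as allowed to expose nothing.
    """
    unexpected = {}
    for ip, ports in hosts.items():
        allowed = allowlist.get(ip, set())
        bad = sorted(p for p, (state, _proto, _svc) in ports.items()
                     if state == "open" and p not in allowed)
        if bad:
            unexpected[ip] = bad
    return unexpected


def shared_unexpected(unexpected):
    """Return {port: [ips]} for unexpected ports seen on two or more hosts."""
    by_port = defaultdict(list)
    for ip, ports in unexpected.items():
        for port in ports:
            by_port[port].append(ip)
    return {port: sorted(ips) for port, ips in by_port.items() if len(ips) >= 2}


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    findings = find_unexpected(scan, ALLOWLIST)
    print("unexpected open ports:", findings)
    print("recurring across hosts:", shared_unexpected(findings))
```

Run the real scan with `nmap -oG scan.txt <targets>` and pass the file contents to `parse_grepable`; a port that shows up as unexpected on several hosts is a strong hint that the same vector was used on each of them and that those hosts belong in the eradication scope too.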