Incident Response Part 3.2: Eradication |EN

Source: Hurt Locker Movie

In this part of our series, we will ensure that the system(s) or Network(s) affected by the attack after the Containment phase are destroyed after making the necessary evidence and investigations. However, the Eradication step should not be a primary and quick decision option. Let’s examine the reasons for this warning and the operation process together.

Before Eradication

The first step should be to ensure that the Containment is completed and maintained correctly. We must review all outputs collected during the process and ensure that Containment is not violated. We should also examine the types of breaches and causes of the affected systems. In my opinion, at this stage, the Leason Learned meeting, where we evaluate the whole process, can be done within the team. Then let’s examine all the collected outputs with the team and prepare a road plan because there will be no return from Eradication! And the wrong decisions made in Eradication will prolong your recovery process and disrupt your operational continuity.

For this reason, it will be beneficial to apply the following steps before eradication;

  • Case study and Lesson Learned can be done by coming together with the team or the WarRoom team created during the Incident. In this way, the situations that were not mentioned but thought to have been made wrong in the process can be easily expressed by the team. This short break can be a good opportunity, as the tense atmosphere during the Incident investigation will prevent everyone from freely expressing their opinion.
  • Now that the Incident has been concluded, you will have three options in front of you. These are; Destruction of inventory in the virtualization environment, Destruction of OS on the physical environment Destruction of Disks against the persistent threat to the physical environment.
  • You should also ensure that complete backups of the pre-Eradication environment or system evidence are taken and maintained.

Start the Eradication

Source: Hurt Locker Movie

Steps that need to be additionally checked and improved during our operations:
• Configuration of router & firewall rules.
• Null routing, Airgap, and Vlan Segmentation

In eliminating the remnants of the attackers:

  • Removal of backdoors, rootkits, malicious kernel-mode drivers, etc.
  • Rebuild the system for reliable installation media by resetting and reformatting the drive in the rootkit case.
  • Extensive analysis of logs to identify credential reuse via SSH, RDP, VNC, etc.

However, if the machine remains as it is, it is necessary to take it into long-term containment and monitor it. These monitoring steps are;

  • Providing vulnerabilities and patch checks on the machine
  • Honeypot agent installation
  • HIDS agent installation
  • Changing authorizations and passwords
  • It increases the detection capability via EDR / EPP / XDR (Very Aggressive), arranging the prevention activities in a way that does not affect business continuity.
  • Development of HIDS alarms
  • Alerting DLP tracking in SIEM and making CIS-based Hardenings
Source: Hurt Locker Movie

The points to be considered in the possible destruction and rebuilding of physical environments are;

  • Rebuild the system for reliable installation media by resetting and reformatting the drive in the rootkit case. In most cases, deletion removes the index or catalog link to the data, and actual data remains on the drive. When new files are written to the media, the system eventually overwrites the deleted data. Still, data may not be overwritten for months, depending on how much free space the drive has and a few other factors. Cleaning or overwriting is preparing media for reuse and ensuring that cleaned data cannot be recovered using conventional recovery tools. When the media is cleared, unclassified data is written to all addressable locations on the media.
  • It creates a strong magnetic field that erases data in some media in degaussing. Degaussing does not affect optical CDs, DVDs, or SSDs.
  • Destruction is the step of destroying the disk; disposal methods include incineration, crushing, shredding, shredding, and dissolving using caustic or acidic chemicals.

And so we come to the end of this part. Thank you so much for reading and your excellent feedback. See you…




SOC Team Lead | Purple Team Member

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

𝕿𝖍𝖊 𝕿𝖍𝖊𝖔𝖗𝖞 𝖔𝖋 𝕯𝖎𝖌𝖎𝖙𝖆𝖑 𝕲𝖆𝖙𝖊𝖘

$KABY IGO on GameFi — Pools and Schedule

Your Centralized Exchange does not have $SCRT listed or withdrawals are suspended? No worries!

{UPDATE} Off -Road Tuk Tuk Auto Rickshaw Food Truck Hack Free Resources Generator

Black Friday 2018: Best VPN deals for business security

Launching a community-driven insider threat knowledge base

How to Implement Secure, Remote Access to an Industrial Automation System

Spherium | Smart Contract Audit Report | 2021 | QuillAudits

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alican Kiraz

Alican Kiraz

SOC Team Lead | Purple Team Member

More from Medium

Detecting Active Directory Kerberos Attacks

Incident Response Part 1: Preparation | EN

Red Team Tools 2(FireEye Breach) LetsDefend DFIR Challenge

Splunk Enterprise — Dashboards