Incident Response Part 3.2: Eradication |EN
In this part of our series, we will make sure that the system(s) or network(s) affected by the attack are destroyed after the Containment phase, once the necessary evidence has been collected and the investigation completed. However, Eradication should not be a hasty, first-resort decision. Let's examine the reasons for this warning and the operational process together.
The first step should be to ensure that Containment has been completed and is being maintained correctly. We must review all outputs collected during the process and confirm that Containment has not been violated. We should also examine the types of breaches on the affected systems and their causes. In my opinion, at this stage the Lessons Learned meeting, where we evaluate the whole process, can be held within the team. Then let's review all the collected outputs with the team and prepare a roadmap, because there is no return from Eradication! Wrong decisions made during Eradication will prolong your recovery process and disrupt your operational continuity.
For this reason, it will be beneficial to apply the following steps before Eradication:
- A case study and Lessons Learned session can be held with the team or with the WarRoom team created during the Incident. In this way, issues that were not raised but that the team believes were handled wrongly during the process can be expressed easily. This short break can be a good opportunity, because the tense atmosphere during the Incident investigation prevents everyone from freely expressing their opinion.
- Now that the Incident has been concluded, you will have three options in front of you: destruction of the inventory in a virtualization environment; destruction of the OS in a physical environment; and destruction of the disks where a persistent threat to the physical environment exists.
- You should also ensure that complete backups of the pre-Eradication environment, or of the system evidence, are taken and retained.
Start the Eradication
Steps that additionally need to be checked and improved during our operations:
• Configuration of router and firewall rules.
• Null routing, air gaps, and VLAN segmentation.
In eliminating the remnants of the attackers:
- Removal of backdoors, rootkits, malicious kernel-mode drivers, etc.
- Rebuilding the system from trusted installation media, resetting and reformatting the drive in the rootkit case.
- Extensive analysis of logs to identify credential reuse via SSH, RDP, VNC, etc.
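As an added example (not part of the original post), the following script shows one way to do the SSH log check described above: it parses sshd "Accepted" lines from a constructed sample of auth.log and flags accounts whose password was accepted from more than one source address or from an address outside the trusted prefixes. The sample log lines, the 2024 year and the `10.` trusted prefix are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines; the addresses and accounts are invented.
SAMPLE_LOG = """\
Mar 12 08:01:10 web01 sshd[2210]: Accepted password for deploy from 10.0.5.21 port 51022 ssh2
Mar 12 08:05:44 web01 sshd[2234]: Accepted password for deploy from 10.0.5.21 port 51031 ssh2
Mar 12 09:17:02 web01 sshd[2301]: Failed password for root from 203.0.113.9 port 40210 ssh2
Mar 12 09:17:05 web01 sshd[2301]: Accepted password for deploy from 203.0.113.9 port 40214 ssh2
Mar 12 11:42:30 web01 sshd[2402]: Accepted publickey for backup from 10.0.5.30 port 50100 ssh2
Mar 12 13:02:11 web01 sshd[2510]: Accepted password for deploy from 198.51.100.77 port 33007 ssh2
"""

# Matches only successful logins; failed attempts are a separate question.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_accepted(log_text, year=2024):
    """Return (timestamp, user, method, src) for every accepted sshd login.
    syslog lines carry no year, so it is supplied by the caller (assumed)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["method"], m["src"]))
    return events

def find_credential_reuse(events, trusted_nets=("10.",), max_sources=1):
    """Flag accounts whose password was accepted from more than `max_sources`
    distinct addresses, and list the addresses outside the trusted prefixes.
    Such accounts are candidates for password rotation before Eradication."""
    sources = defaultdict(set)
    for _, user, method, src in events:
        if method == "password":  # key-based logins are not counted as reuse
            sources[user].add(src)
    findings = {}
    for user, srcs in sources.items():
        untrusted = sorted(s for s in srcs if not s.startswith(trusted_nets))
        if len(srcs) > max_sources or untrusted:
            findings[user] = {"sources": sorted(srcs), "untrusted": untrusted}
    return findings

if __name__ == "__main__":
    for user, info in find_credential_reuse(parse_accepted(SAMPLE_LOG)).items():
        print(f"{user}: seen from {info['sources']}, untrusted {info['untrusted']}")
```

On a real host, feed it the full auth.log (or journalctl output) and adjust the trusted prefixes to your management network; the same idea applies to RDP and VNC logs with a different line pattern.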
However, if the machine is to remain as it is, it must be placed into long-term containment and monitored. These monitoring steps are:
- Vulnerability and patch checks on the machine
- Honeypot agent installation
- HIDS agent installation
- Changing authorizations and passwords
- Increasing detection capability via EDR / EPP / XDR (set to a very aggressive policy), while tuning the prevention actions so that they do not affect business continuity
- Development of HIDS alarms
- Alerting on DLP tracking in the SIEM and applying CIS-based hardening
The points to be considered in the possible destruction and rebuilding of physical environments are:
- Rebuild the system from trusted installation media, resetting and reformatting the drive in the rootkit case. In most cases, deletion only removes the index or catalog entry that points to the data, and the actual data remains on the drive. As new files are written to the media, the system eventually overwrites the deleted data; still, data may not be overwritten for months, depending on how much free space the drive has and a few other factors. Clearing (overwriting) prepares media for reuse and ensures that the cleared data cannot be recovered using conventional recovery tools. When the media is cleared, non-sensitive (unclassified) data is written to all addressable locations on the media.
- Degaussing creates a strong magnetic field that erases the data on magnetic media. Degaussing does not affect optical CDs, DVDs, or SSDs.
- Destruction is the step of physically destroying the disk; disposal methods include incineration, crushing, shredding, and dissolving with caustic or acidic chemicals.
And so we come to the end of this part. Thank you so much for reading and your excellent feedback. See you…