AuditRubric
rs-mi-2 · critical · Respond / Incident Mitigation

Incidents are eradicated

Containment stops the bleeding; eradication removes the infection. Eradication is the process of eliminating everything the attacker established in your environment: malware, persistence mechanisms, backdoors, compromised accounts, and any unauthorized configuration changes. Incomplete eradication is one of the most common causes of incident recurrence. Organizations that restore from backup and return to normal operations without verifying complete eradication often find themselves responding to the same incident weeks later.

Estimated effort: 6h
Tags: eradication, incident-response, malware-removal, persistence, remediation

Implementation steps

  1.

    Identify and remove all attacker persistence mechanisms

    Before declaring eradication complete, systematically hunt for everything the attacker may have left behind: scheduled tasks, registry run keys, cron jobs, startup scripts, new local or domain accounts, SSH authorized keys, web shells on web servers, C2 beaconing processes, and any modified system binaries. Use your EDR's threat hunting capabilities and run IOCs from the incident against all systems in your environment, not just the initially compromised ones.

    Tools: crowdstrike, sentinelone, carbon-black, velociraptor
  2.

    Rebuild or restore affected systems to a known-good state

    For systems where complete verification of attacker removal is uncertain, rebuild rather than remediate: re-image from a known-good base image rather than attempting to remove malware from a potentially rootkitted system. Restore data from backups taken before the compromise window. This approach is more work but provides higher confidence in the resulting clean state. For cloud infrastructure, this is often faster than cleaning an existing instance.

    Tools: aws, gcp, azure, crowdstrike
  3.

    Close the initial access vector before restoring to production

    Before returning systems to production, close the vulnerability or configuration weakness that allowed the initial compromise: patch the exploited vulnerability, enforce MFA on the compromised account type, update the firewall rules that allowed the attacker's initial access, or invalidate all credentials that were exposed. Returning to production without closing the initial access vector invites immediate re-compromise.

    Tools: jira, confluence
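The following is an added example, not part of the AuditRubric page or of any tool it lists. It shows the kind of post-eradication verification sweep step 1 calls for: each host's persistence artifacts (cron entries, SSH authorized keys, systemd units, local accounts) are compared against a known-good baseline, and collected files are hashed against the incident's IOC list. The hosts, baseline, artifacts and IOC hashes are all constructed sample data; in practice the inventories would come from an EDR or Velociraptor collection run across the whole fleet, not only the hosts first identified as compromised.

```python
# Added example (not from the AuditRubric page): post-eradication sweep that
# compares each host's persistence artifacts against a known-good baseline and
# checks collected files against the incident's IOC hashes.
# All hosts, entries and hashes below are constructed sample data.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    category: str  # cron, authorized_keys, systemd_units, local_accounts, ioc_hash
    item: str
    reason: str


# Constructed baseline: what a freshly re-imaged host is expected to contain.
BASELINE = {
    "cron": {"0 3 * * * /usr/local/bin/backup.sh"},
    "authorized_keys": {"ssh-ed25519 AAAAC3...ops-team"},
    "systemd_units": {"sshd.service", "cron.service", "nginx.service"},
    "local_accounts": {"root", "ops"},
}

# Constructed inventories as an EDR or Velociraptor collection might return them.
# web-01 still carries leftovers; web-02 was re-imaged and is clean.
INVENTORY = {
    "web-01": {
        "cron": {"0 3 * * * /usr/local/bin/backup.sh", "*/5 * * * * /tmp/.x/update"},
        "authorized_keys": {"ssh-ed25519 AAAAC3...ops-team", "ssh-rsa AAAAB3...unknown"},
        "systemd_units": {"sshd.service", "cron.service", "nginx.service"},
        "local_accounts": {"root", "ops", "support1"},
    },
    "web-02": {
        "cron": {"0 3 * * * /usr/local/bin/backup.sh"},
        "authorized_keys": {"ssh-ed25519 AAAAC3...ops-team"},
        "systemd_units": {"sshd.service", "cron.service", "nginx.service"},
        "local_accounts": {"root", "ops"},
    },
}

# Constructed file contents collected from the web roots (placeholder bytes, not
# real malware); the IOC set holds the SHA-256 of the sample seen in the incident.
COLLECTED_FILES = {
    "web-01": {"/var/www/html/uploads/img.php": b"CONSTRUCTED-WEBSHELL-SAMPLE"},
    "web-02": {"/var/www/html/index.php": b"<?php echo 'hello'; ?>"},
}
IOC_SHA256 = {hashlib.sha256(b"CONSTRUCTED-WEBSHELL-SAMPLE").hexdigest()}


def persistence_deviations(host, artifacts, baseline):
    """Flag every artifact a known-good host would not have.

    Anything present on the host but absent from the baseline is a candidate
    persistence mechanism and must be explained or removed before sign-off.
    """
    findings = []
    for category in sorted(set(artifacts) | set(baseline)):
        extra = artifacts.get(category, set()) - baseline.get(category, set())
        for item in sorted(extra):
            findings.append(Finding(host, category, item, "not in known-good baseline"))
    return findings


def ioc_hash_matches(host, files, iocs):
    """Hash each collected file and report any that match incident IOCs."""
    findings = []
    for path, content in sorted(files.items()):
        digest = hashlib.sha256(content).hexdigest()
        if digest in iocs:
            findings.append(Finding(host, "ioc_hash", path, f"sha256 {digest[:12]}... matches incident IOC"))
    return findings


def verify_eradication(inventory, collected_files, baseline, iocs):
    """Run both checks on every host and return findings keyed by host.

    A host is only cleared when its list is empty; the sweep is meant to run
    across the whole fleet, not just the initially compromised hosts.
    """
    report = {}
    for host in sorted(inventory):
        findings = persistence_deviations(host, inventory[host], baseline)
        findings += ioc_hash_matches(host, collected_files.get(host, {}), iocs)
        report[host] = findings
    return report


def cleared_hosts(report):
    """Hosts with no findings; only these may return to production."""
    return sorted(host for host, findings in report.items() if not findings)


if __name__ == "__main__":
    report = verify_eradication(INVENTORY, COLLECTED_FILES, BASELINE, IOC_SHA256)
    for host, findings in report.items():
        status = "CLEAR" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  [{f.category}] {f.item}: {f.reason}")
```

The baseline comparison deliberately treats any unexplained addition as a finding rather than searching only for known-bad names: an attacker's scheduled task or extra account is far more likely to show up as a deviation from the golden image than as a string match. The output of a run like this, with its timestamp, is the sort of record the "Post-eradication verification checklist" evidence item below expects.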

Evidence required

Eradication procedures and checklist

Documented procedures for systematically removing attacker presence from affected systems.

  • Incident response runbook with eradication steps including persistence mechanism checks
  • System rebuild procedure for compromised hosts
  • Post-eradication verification checklist

Eradication completion records

Evidence that eradication was completed and verified before returning to normal operations.

  • Incident ticket showing eradication steps completed with timestamps
  • Post-incident review confirming root cause closed before recovery
  • Rebuild or re-image records for affected systems

Related controls