

Eradication — Removing the Threat

Eradication is where you eliminate the attacker’s presence from your environment entirely. This phase requires thoroughness — if any foothold remains, the attacker can re-establish access and the incident starts over. Rushed eradication is one of the most common causes of incidents recurring within days or weeks.

Key Eradication Activities

  • Malware removal: Identify and remove all malicious software from affected systems. This may require rebuilding systems from clean images rather than simply running antivirus scans.
  • Backdoor identification: Sophisticated attackers install multiple persistence mechanisms. Check for new user accounts, scheduled tasks, modified startup scripts, and web shells.
  • Credential reset: All credentials that may have been compromised must be changed, including service accounts, API keys, and certificates.
  • Vulnerability remediation: The vulnerability or misconfiguration that allowed initial access must be fixed before systems are brought back online.
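The backdoor-identification step above is easiest to do reliably against a known-clean baseline rather than by eyeballing a live host. The following is an added example, not code from the course page: it compares a constructed snapshot of an affected host with a constructed baseline from a clean image and reports exactly the four persistence mechanisms the list names (new accounts, new scheduled tasks, modified startup scripts, web shells). All paths, hashes and entries are hypothetical; in practice the two dictionaries would be populated from the host and the golden image.

```python
import re

# Common web-shell idiom: a code-execution call fed directly from request input.
WEBSHELL_RE = re.compile(
    r"\b(eval|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST)\b")

# Constructed baseline captured from a known-clean image (hypothetical values).
BASELINE = {
    "accounts": {"root", "www-data", "deploy"},
    "cron": {"0 2 * * * /usr/local/bin/backup.sh"},
    "startup": {"/etc/rc.local": "sha256:1111"},   # path -> content hash
    "webroot": {"/var/www/html/index.php": "<?php echo 'hello'; ?>"},
}

# Constructed snapshot of the affected host taken after containment.
CURRENT = {
    "accounts": {"root", "www-data", "deploy", "support1"},
    "cron": {"0 2 * * * /usr/local/bin/backup.sh",
             "*/5 * * * * /tmp/.cache/update"},
    "startup": {"/etc/rc.local": "sha256:9f3c"},   # hash differs from baseline
    "webroot": {
        "/var/www/html/index.php": "<?php echo 'hello'; ?>",
        "/var/www/html/uploads/img.php": "<?php eval($_POST['c']); ?>",
    },
}


def find_persistence_drift(baseline, current):
    """Return {mechanism: [findings]} for anything the clean baseline does not explain."""
    findings = {}
    new_accounts = sorted(current["accounts"] - baseline["accounts"])
    if new_accounts:
        findings["new_accounts"] = new_accounts
    new_cron = sorted(current["cron"] - baseline["cron"])
    if new_cron:
        findings["new_cron"] = new_cron
    # A startup script is suspect if it is new or its hash no longer matches.
    modified = sorted(p for p, h in current["startup"].items()
                      if baseline["startup"].get(p) != h)
    if modified:
        findings["modified_startup"] = modified
    # Flag web files that are new or changed relative to baseline AND look like a shell.
    shells = sorted(p for p, body in current["webroot"].items()
                    if baseline["webroot"].get(p) != body and WEBSHELL_RE.search(body))
    if shells:
        findings["web_shells"] = shells
    return findings


if __name__ == "__main__":
    for mechanism, hits in find_persistence_drift(BASELINE, CURRENT).items():
        print(f"{mechanism}: {hits}")
```

An empty result means the snapshot is fully explained by the baseline; any non-empty category is an item that must be removed (or the host rebuilt) before the system returns to service.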

When to Rebuild vs Clean

A critical decision during eradication: do you clean the affected systems or rebuild them from scratch?

  • Rebuild when: The compromise was deep (kernel-level access, firmware modification), you cannot be certain all backdoors have been found, or the system is critical and the risk of incomplete cleaning is unacceptable.
  • Clean when: The compromise was limited and well-understood, the system cannot be easily rebuilt, and you have high confidence in the scope of the attacker’s access.

Diagram: Rebuild vs Clean Decision Tree

Decision flowchart with three questions: Was root/kernel access achieved? Is the full scope known? Can the system be rebuilt easily? Each path ends in a Rebuild or Clean recommendation.

Action Steps

  • Ensure your team has clean system images available for rapid rebuilds of critical servers and workstations.
  • Include credential rotation procedures in your IR plan — not just user passwords but service accounts, API keys, and certificates.
  • After eradication, monitor the environment intensively for signs of the attacker returning.

Quick Knowledge Check

  1. Why is rushed eradication dangerous?
    If any attacker foothold remains (backdoors, compromised credentials), they can re-establish access and the incident recurs.
  2. When should you rebuild rather than clean a compromised system?
    When the compromise was deep, the full scope is uncertain, or the system is critical and incomplete cleaning is unacceptable risk.