What is eradication in cybersecurity? Eradication is the implementation of a more permanent fix, after the containment phase. It is essential because one of the main goals of the incident response team should be to eliminate the access points the malicious actors used to attack your network.
The eradication phase includes patching and system and application reconfiguration. All the actions carried out during this phase should be thoroughly documented.
On Security Incidents and Incident Response Plans
Cybersecurity incidents can be understood in two main ways:
Often cybersecurity incidents are associated with malicious attacks or Advanced Persistent Threats (APTs), but there appears to be no clear agreement. […] The original government definition of cybersecurity incidents as being state-sponsored attacks on critical national infrastructure or defence capabilities is still valid. However, industry – fuelled by the media – has adopted the term wholesale and the term cybersecurity incident is often used to describe traditional information (or IT) security incidents. […]. The two most common (and somewhat polarised) sets of understanding – as shown in Figure 2 below – are either that cybersecurity incidents are no different from traditional information (or IT) security incidents – or that they are solely cybersecurity attacks.
Regardless of which definition we choose, both basic and advanced attacks make use of similar attack vectors – malware, social engineering, hacking. They differ only in scale, sophistication and resourcing.
Depending on how elaborate and severe a cyberattack is, your business can face the following consequences:
- financial loss, due to theft of money or corporate information, trading disruption, or loss of contracts/clients. We must also not forget the cost of repairing the affected systems, networks and devices.
- reputational damage. Losing your clients’, partners’ and investors’ trust can lead to a serious reduction in profits, which translates again into financial loss.
- legal actions. It is highly important to protect the data of your employees, clients and providers, especially in these times of GDPR and other similar regulations. If this data has been somehow compromised, you can expect fines and regulatory sanctions, maybe even civil lawsuits.
An incident response plan is a “documented, written plan with 6 distinct phases that help IT professionals and staff recognize and deal with a cybersecurity incident like a data breach or cyber attack.”
The other phases of an incident response plan are preparation, identification, containment, recovery and lessons learned.
You can read more about them in one of my previous articles, Incident Response – Everything You Need to Know.
Incident Response Eradication Agenda
In order to be efficient, the incident response eradication phase needs to address the following questions:
Have you discovered the point of entry?
Preventing re-infection or the exact same issue from happening again is one of the most critical factors while trying to resolve a security incident.
If you’re not sure what went wrong, undertake more internal log analysis or hire a third-party to assist you in developing a plan to prevent it from happening once more.
How can you resolve the issue and ensure that the threat is no longer present?
To mention only a few, you must consider lateral movement, dropped payloads, running processes, and established persistence. These aspects of a cyberattack are frequently obfuscated and thus invisible to classic signature-based antivirus programs.
Having solid backups and the ability to determine the initial date/time of infection, as well as the option to roll back to shortly before that, is essential. If you don’t have backups, it’s even more critical to determine the initial point of infection and any indicators of compromise.
Following the removal/recovery procedure, improve monitoring on affected systems, and don’t forget to change the passwords on any accounts that have been compromised or could be compromised.
What other stages of hardening, patching, and/or configuring are required?
You should consider and document any further security hardening that has to be done to the systems that were affected. Patching is mandatory to avoid compromising other systems on the network. Remember to keep track of everything you do – it will be useful for the following stages of the incident response plan.
Is it possible for you to monitor the system for any signs of a potential breach?
You need to establish how you’ll increase the monitoring of the affected systems for at least 30 days after the infection, regardless of how you eradicate it. This is necessary to confirm that the steps you took to resolve the problem were successful and that no lasting effects (rootkits, backdoors, or newly compromised accounts) remain.
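One way to turn the agenda above into a repeatable check, as an added example that is not part of the article and not Heimdal’s code: it takes the initial infection time, the eradication time and the accounts known to be compromised, and reports compromised accounts whose password was never rotated, accounts created since the infection, and compromised accounts still logging in after eradication but before their rotation. The log format, account names, IP addresses and timestamps are all constructed for the example.

```python
"""Post-eradication checks over constructed audit-log lines (added example, not code
from the article or Heimdal). Assumed log format: "<ISO ts> <EVENT> <account> [detail]"."""
from datetime import datetime, timedelta

# Constructed sample log; infection 2024-03-02 22:00, eradication 2024-03-04 09:00.
SAMPLE_LOG = """\
2024-02-20T09:00:00 USER_CREATED intern1
2024-03-02T22:41:00 LOGIN svc_backup 203.0.113.7
2024-03-03T09:00:00 USER_CREATED helpdesk2
2024-03-04T09:30:00 LOGIN svc_backup 203.0.113.7
2024-03-04T10:00:00 PASSWORD_CHANGED jsmith
2024-03-04T10:05:00 PASSWORD_CHANGED svc_backup
2024-03-06T03:30:00 USER_CREATED sysadm_
2024-03-07T11:00:00 LOGIN jsmith 10.0.0.5
2024-03-10T04:00:00 LOGIN dba 198.51.100.9
"""

def parse_log(text):
    """Parse lines into (timestamp, event, account, detail) tuples."""
    events = []
    for line in text.splitlines():
        ts, event, account, *detail = line.split()
        events.append((datetime.fromisoformat(ts), event, account, detail))
    return events

def verify_eradication(events, infection_time, eradication_time, compromised, monitor_days=30):
    """Return findings per check; an empty list means that check passed."""
    window_end = eradication_time + timedelta(days=monitor_days)
    rotation = {}  # first password change at/after eradication counts as the rotation
    for t, e, a, _ in events:
        if e == "PASSWORD_CHANGED" and t >= eradication_time:
            rotation.setdefault(a, t)
    return {
        # compromised accounts whose password was never rotated after eradication
        "passwords_not_rotated": sorted(compromised - set(rotation)),
        # accounts created since infection: candidates for attacker-added persistence
        "accounts_created_since_infection": sorted(
            a for t, e, a, _ in events
            if e == "USER_CREATED" and infection_time <= t <= window_end),
        # compromised accounts still logging in after eradication but before rotation
        "logins_before_rotation": [
            (t.isoformat(), a) for t, e, a, _ in events
            if e == "LOGIN" and a in compromised and eradication_time <= t <= window_end
            and (a not in rotation or t < rotation[a])],
    }

def run_sample():
    """Run the checks on the constructed log with the assumed incident timeline."""
    return verify_eradication(parse_log(SAMPLE_LOG), datetime(2024, 3, 2, 22, 0),
                              datetime(2024, 3, 4, 9, 0), {"jsmith", "svc_backup", "dba"})
```

Any non-empty list is a reason to keep the affected system under the extended monitoring the agenda calls for rather than declaring the incident closed.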
Recommendations
Apart from having a proper incident response plan in place in case you become a victim of a cyber attack and a data breach occurs, we also always recommend paying attention to prevention. You can do this by adopting a defense in depth strategy.
As my colleague Alina Petcu mentioned in one of her articles, “Defense in depth (DiD) is a cybersecurity concept in which a series of security protocols and controls are layered throughout an IT network to preserve its integrity and privacy. The purpose of defense in depth cybersecurity is to protect against a wide variety of threats while integrating redundancy in the case of one system failing or becoming vulnerable to exploits.”
Heimdal™ Security can help you implement a great defense in depth strategy, due to the nature of our products suite:
- threat prevention through DNS, HTTP and HTTPS filtering
- vulnerability management with a flexible patch and deployment solution
- endpoint detection and response with a next-gen antivirus
- privileged access management and application control
- email protection and fraud prevention
A nice advantage for you is the fact that we offer all these solutions in a single, unified agent, which allows you to have all the information about your company’s cybersecurity in one place, just one click away.
Wrapping Up
Eradication probably represents the most important part of an incident response plan, because it eliminates the root cause of an attack and should ensure the removal of all malware the attacker deployed – which is critical for an efficient recovery.
Drop a line below if you have any comments, questions or suggestions about what is eradication in cybersecurity – we are all ears and can’t wait to hear your opinion!