13.6 Eradication


Once the evidence has been secured, the process of eradication can begin. In some cases, where the entire affected system is being used as evidence, eradication can also mean replacement.

The most pressing issue concerning eradication is that a system that has been compromised in any manner can no longer be trusted. While the incident response team may be confident that it has found the cause of the incident, it is difficult to establish that nothing else has been modified. Thus, the most common method of eradication is either restoring the affected system from a known good backup, or reinstalling the system from the original media and restoring saved data from known good backups.

Restoring a system can be time-consuming and troublesome in its own right. Once again, having an incident response plan in place prior to the incident makes this process much easier. A common step during the prevention phase is to create a cryptographic hash of every file and executable on a given system. When the hashes are taken at installation time, the incident response team can later ascertain with some certainty which files on the system have been affected. This is one of the rare exceptions to the "reinstall rule" and may greatly reduce downtime.
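As an added illustration (not code from the book), a minimal file-integrity baseline in Python: hash every file at installation time, keep the manifest off the host, and compare against it after an incident to list what changed. The directory tree, file names and contents in the demo are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries never load whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():  # symlink targets are hashed under their own path
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_baseline(baseline, root):
    """Files whose hash changed, files that vanished, and files that appeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed sample tree: baseline taken at 'install time', then post-incident changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in {"bin/login": b"original login binary", "etc/motd": b"welcome",
                             "etc/hosts": b"127.0.0.1 localhost"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        # The manifest must live off-host or on read-only media and be checked with a trusted
        # copy of the hashing tool; a copy on the compromised system could itself be altered.
        manifest = json.dumps(build_baseline(root))
        # Simulate changes found after an incident: replaced binary, deleted file, dropped file.
        (root / "bin/login").write_bytes(b"replaced login binary")
        (root / "etc/motd").unlink()
        (root / "tmp").mkdir()
        (root / "tmp/.hidden").write_bytes(b"dropped file")
        return compare_baseline(json.loads(manifest), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report names only what differs from the install-time manifest, which is exactly the list the team needs when deciding whether a selective clean-up is defensible or a full reinstall is required.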

Finally, the recovery phase can begin. This is the process of reintegrating the system into a production network. Ensure that the cause of the incident has been addressed before reintroducing the affected system. This means reviewing the security policy, adjusting any packet filtering rules, reviewing user permissions, and installing vendor patches to the affected systems as required.


Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs