Incident response process

Eradication

The purpose of the eradication phase is to remove the cause and residual components of a cyber security incident. Removing these from affected systems should ensure the incident cannot happen again through the same mechanism.

Eradication may be carried out by IT support or other third parties. The SLT digital lead is responsible for making sure eradication is carried out as far as possible.

For most incidents, eradication should not be delayed once containment is stable. Delays increase the risk of reinfection or further exploitation. However, there may be circumstances (such as collecting or preserving evidence) that mean you must complete appropriate actions before eradication.

Ensure IT support and SLT digital leads communicate regularly during this phase, especially where partial system reinstatement is being considered.

If you use third-party IT support you must ensure you get written confirmation that affected systems have been fully cleaned and secured against future attacks.

The process of reducing vulnerability (“hardening”) helps minimise the attack surface – the number of ways a system can be exploited by malicious or accidental attack. The aim is to make it harder for anyone to exploit weaknesses and gain access to systems, data, or networks.

Objectives

You should:

  • identify and remove malware, unauthorised access methods, and compromised user accounts
  • verify any vulnerabilities exploited during the incident have been closed or mitigated
  • remove persistence mechanisms such as backdoors, scheduled tasks or rogue admin tools
  • document what has been done to support root cause analysis and post-incident review

Generic eradication actions

These actions are mostly technical and within the scope of IT support. The SLT digital lead or incident lead should oversee and support the process as needed.

The following steps should be considered where relevant. Not all actions will apply in every case.

1. Reconfirm scope of affected systems

  • revalidate which systems, users, and networks were affected
  • double-check logs and threat intelligence from reliable sources (where available and relevant) to ensure no systems were missed during containment

2. Remove malware or malicious artifacts

  • use up-to-date antivirus/endpoint detection and response tools to perform deep scans
  • delete or quarantine identified malware files
  • remove malicious scripts, PowerShell commands or unauthorised binaries
  • remove suspicious scheduled tasks, registry entries or run keys

3. Disable and replace compromised accounts

  • reset or disable any accounts suspected of compromise if not already completed during the Containment phase
  • reissue credentials using strong password policies and if possible multi-factor authentication
  • audit recent activity from these accounts for signs of lateral movement and unusual resource access, where attackers move through compromised networks or systems looking for valuable data, higher privileges, or critical assets

4. Patch and harden vulnerable systems

  • check for (and if necessary, apply) missing security patches or configuration changes to remove the attacker’s access vector
  • harden system configurations such as disabling SMBv1 and enforcing least privilege
  • close any unnecessary firewall ports and disable unused services, at least temporarily

5. Review and update security rules

  • adjust firewall, intrusion detection/prevention systems or filtering rules to block known indicators of compromise (IOCs)
  • add newly discovered IOCs to email filters or endpoint protection blacklists

6. Clear temporary access or exceptions

  • remove any short-term workarounds created during the containment phase such as bypassed restrictions and emergency accounts
  • document all changes and confirm their removal

7. Retest systems for clean status

  • re-scan systems post-eradication
  • use different tools or techniques than during initial scans to increase detection coverage if possible

Record keeping and handover

  • log all eradication actions, including timestamps and who performed them
  • update incident logs
  • hand over clean systems and provide a status report to the cyber recovery team
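As an added example (not from this page or its authors), the following read-only PowerShell check supports steps 2, 4 and 7 and the record keeping above: it lists autorun entries and scheduled tasks outside a constructed allow-list, reports whether SMBv1 is still enabled, and appends a timestamped, attributed entry to an eradication log. The log path and allow-list are assumptions to adjust per site, and it should be run in an elevated session on the affected endpoint.

```powershell
# Added example, not from the incident response process page. Read-only
# post-eradication check for a Windows endpoint; nothing is removed here,
# findings are reviewed by IT support before any deletion.
param(
    [string]$LogPath = "$env:ProgramData\IR\eradication-log.jsonl"   # assumed log location
)

# Constructed allow-list of autorun value names expected on this estate; tune per site.
$KnownAutoruns = @('SecurityHealth', 'OneDrive')

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# Steps 2 and 7: autorun values not on the allow-list (run keys are a common persistence point)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own PS* metadata
        if ($KnownAutoruns -notcontains $p.Name) {
            $findings += [pscustomobject]@{ Type='RunKey'; Location=$key; Name=$p.Name; Detail=$p.Value }
        }
    }
}

# Steps 2 and 7: scheduled tasks outside the \Microsoft\ tree, with what each executes
foreach ($t in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
    $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Type='ScheduledTask'; Location=$t.TaskPath; Name=$t.TaskName; Detail=$action }
}

# Step 4: SMBv1 should be disabled as part of hardening (requires an elevated session)
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += [pscustomobject]@{ Type='Hardening'; Location='SMB server'; Name='SMBv1'; Detail='still enabled' }
}

# Record keeping: who ran the check, when, on which host, and what was found (one JSON line per run)
$entry = [pscustomobject]@{
    Timestamp = (Get-Date).ToString('o')
    Operator  = "$env:USERDOMAIN\$env:USERNAME"
    Host      = $env:COMPUTERNAME
    Findings  = $findings
}
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Add-Content -Path $LogPath -Value ($entry | ConvertTo-Json -Depth 4 -Compress)
$findings | Format-Table -AutoSize
```

Running the same check with a second tool (for example a vendor EDR scan) before and after eradication gives the comparison step 7 asks for, and the log lines provide the timestamped record for handover.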