Week 13 — Incident Response: Containment, Eradication & Recovery¶

CONTAINMENT → Stop the bleeding
ERADICATION → Remove the attacker / malware
RECOVERY    → Restore normal operations

IMMEDIATE:
  1. Isolate affected system(s) — network disconnect (not power off)
     → Preserve memory contents for forensics
     → Prevent further lateral movement

  2. Identify blast radius
     → Query EDR for similar process activity across all endpoints
     → Check SIEM for same C2 IP/domain across network
     → Review network logs for lateral movement from patient zero

  3. Block malicious indicators at perimeter
     → Firewall rules blocking C2 IPs/domains
     → Email gateway rules blocking malicious sender
     → DNS sinkholing for C2 domains

DECISION POINT — To power off or not?
  Power off: Destroys volatile memory (running processes, decryption keys)
  Keep on: Risk of continued encryption / data exfiltration

  Best practice: Take memory dump FIRST, then network isolate

IMMEDIATE:
  1. Disable compromised account(s) — NOT just reset password
     → Attacker may have secondary persistence (new account, SSH key)
     → Active sessions must be killed

  2. Invalidate all active sessions (tokens, Kerberos tickets)
     net user compromised_user /active:no  (disable)
     krbtgt password reset ×2             (invalidate Kerberos tickets)

  3. Audit all actions taken by compromised account
     → SIEM query: all events where user = compromised_account
     → Focus: file access, email sent, systems touched

  4. Check for persistence backdoors
     → New accounts created during compromise window
     → Forwarding rules on email account
     → Changes to group memberships

IMMEDIATE:
  1. Block exfiltration channel (specific IP, domain, port)
  2. Preserve evidence of exfiltration (don't block without logging)
  3. Notify legal — regulatory notification may be required
  4. Determine what data was exfiltrated:
     → DLP logs, proxy logs, email logs
     → Volume of data transferred (timing + bytes)
     → Destination IP/domain correlation with threat intelligence

MOST VOLATILE → LEAST VOLATILE

1. CPU registers, cache        (lost on power off)
2. Running processes           (lost on power off)
3. Network connections         (lost on power off)
4. Memory (RAM)                (lost on power off)
5. Swap/pagefile               (lost on power off)
6. File system timestamps      (may change on access)
7. Disk content                (relatively stable)
8. Remote logging (SIEM)       (most stable)
9. Physical media              (stable)

CHAIN OF CUSTODY FORM:
  Case Number: IR-2026-0001

  Evidence Item #1:
    Description: Dell Latitude 7490, SN: ABC123456
    Collected by: [Name, Role]
    Date/Time: 2026-04-14 14:32 EDT
    Location: Building A, Floor 3, Desk 42
    Condition: Powered on, network cable removed
    SHA-256 (disk image): abc123...

  Transfer log:
    From: Field Analyst → To: Forensic Lab
    Date/Time: 2026-04-14 15:00 EDT
    Method: Hand carry, sealed evidence bag
    Received by: [Lab Technician Name]

□ MALWARE REMOVAL
  Identified all affected systems (don't assume it's just the first one found)
  Removed malware from all affected systems
  Verified with multiple AV/EDR tools (one tool may miss)

□ ATTACKER PERSISTENCE REMOVAL
  Disabled/deleted backdoor accounts
  Removed scheduled tasks / services created by attacker
  Cleaned registry Run keys
  Removed web shells from web servers
  Revoked SSH keys / certificates added by attacker

□ VULNERABILITY PATCHING
  Patched the vulnerability that allowed initial access
  Applied additional patches to reduce attack surface

□ CREDENTIAL RESET
  Forced password reset for all potentially compromised accounts
  Reset service account passwords
  If DA compromised: reset krbtgt password TWICE (24h apart)
  Rotated API keys, certificates, application credentials

□ VERIFICATION
  Threat hunting across all endpoints for same IoCs
  Confirm C2 communication has ceased
  Review SIEM for recurrence of attack patterns

OPTION A: Restore from known-good backup
  Verify backup predates compromise
  Restore to isolated environment first
  Verify integrity → reconnect to production

OPTION B: Rebuild from scratch
  Format and reinstall OS
  Apply all patches before reconnecting to network
  Restore only data (not applications) from backup

OPTION C: Partial cleanup (high-risk)
  Only for time-critical systems where rebuild isn't feasible
  Remove known malware components
  Monitor intensively for recurrence
  Plan full rebuild at next maintenance window

□ Antivirus full scan (clean result)
□ EDR showing no active threats or suspicious behavior
□ All critical patches applied (OS + applications)
□ Credentials changed (local admin, service accounts)
□ Monitoring/logging verified (SIEM ingesting events)
□ Backup verified (clean known-good backup exists)
□ Business owner sign-off
□ Security team sign-off

AGENDA:
  1. Incident timeline (neutral, factual)
  2. What worked well?
  3. What gaps did we discover?
  4. Root cause analysis (not blame — 5 Whys technique)
  5. Action items with owners and due dates
  6. IRP updates required

PARTICIPANTS:
  IR team, SOC, IT ops, legal, management (as appropriate)
  External forensics firm (if engaged)

EXECUTIVE SUMMARY (1 page):
  Incident type, date range, business impact, key decisions made

DETAILED TIMELINE:
  Chronological log of every action with timestamps

ROOT CAUSE:
  Technical cause + organizational contributing factors

IMPACT ASSESSMENT:
  Systems affected, data potentially exposed, downtime cost

REMEDIATION:
  What was done to contain, eradicate, and recover

LESSONS LEARNED & RECOMMENDATIONS:
  Specific, actionable items with priority ratings