Containment, Eradication, and Recovery
This is the sharp end of incident response: actually stopping the attacker and getting the business back, in the right order, without making it worse. Contain to stop the bleeding, eradicate to remove every trace of access, recover to restore trustworthy operation — and the failure mode at each step is doing it half-way.
This topic works the concrete decisions against Meridian's incident, where the tension between speed, evidence, and completeness is real and the wrong call restarts the breach.
Containment Decisions
Isolate the affected hosts (EDR network-isolation from Chapter 7), disable compromised accounts and rotate their credentials, and block command-and-control egress (Chapter 4). The key judgment is doing this comprehensively and near-simultaneously — so the attacker cannot simply shift to another foothold you left connected while you deal with the first.
The Contain-Everything-at-Once Rule
Partial containment tips off the attacker, who then burns their remaining access fast — destroying data or detonating ransomware. Scoping first (the forensics of the previous topic) so you can contain the whole intrusion together is why forensics and response interleave rather than run in sequence: you need the full map before you move, so the move is complete.
Eradication — Remove All Access
Every foothold, web shell, persistence mechanism (Chapter 8), backdoor account, and stolen credential must go — and the scope from forensics defines what "all" means. Missing one persistence entry means the attacker walks back in, which is why eradication is driven by the forensic scope rather than by what is obvious. Thoroughness here is the difference between an incident that closes and one that reopens.
Recovery — Restore to Known-Good
Rebuild from trusted images or backups (not the compromised state), patch the entry vector so recovery does not reintroduce the hole, restore service in a controlled order, and monitor intensively for the attacker's return. Meridian's eviction is concrete: simultaneous isolation and credential rotation across the scoped hosts, eradication of the implant and its persistence, rebuild from known-good, patch the web vulnerability that was the entry (Chapter 6), and heightened monitoring.
Immediate — isolate the moment you detect; stops damage fast, but on partial scope it tips the attacker and misses footholds.
Delayed (watch-and-scope) — observe briefly to map the full intrusion, then contain everything at once; catches all footholds but risks the attacker acting during the window. High-damage cases (ransomware staging, active exfiltration) force immediate; stealthy footholds may warrant brief scoping first.
- Partial containment that tips off the attacker, who then destroys data or detonates ransomware with their remaining access.
- Incomplete eradication — missing one persistence mechanism or backdoor account — so the attacker returns and the incident reopens.
- Recovering from the compromised state or an infected backup, or restoring without patching the entry vector, reintroducing the breach.
- Bringing everything back at once with no heightened monitoring, so a missed foothold goes unnoticed until it is too late.
- Containing before scoping, so the move is incomplete and the attacker shifts footholds.
- Scope first, then contain the whole intrusion together — isolate hosts, disable and rotate credentials, block command-and-control near-simultaneously.
- Eradicate to the forensic scope: every foothold, persistence, backdoor, and stolen credential, verified.
- Recover from known-good images or backups, patch the entry vector, and restore in a controlled order.
- Monitor intensively after recovery for the attacker's return, and keep evidence intact throughout.
- Match containment speed to the threat — immediate for active destruction, brief scoping for stealthy footholds.
Knowledge Check
Why contain the whole intrusion at once rather than one host at a time?
- It tips off the attacker, who burns remaining access to do damage
- Isolating hosts one at a time is technically impossible on modern networks
- One-at-a-time containment violates data-retention law
- Simultaneous containment removes any need for later forensics
What defines "complete" eradication?
- Removing every foothold, backdoor, and stolen credential in scope
- Deleting the single malicious file that first triggered the alert
- Rebooting all of the affected hosts once
- Changing the primary admin password once
Why patch the entry vector as part of recovery?
- Restoring without fixing the hole just reopens it
- Patching noticeably speeds up the restore process
- The entry vector is nearly always the backup system itself
- Patching removes the need for monitoring after recovery
You got correct