In today’s fast-paced digital world with increasing cyber attacks, organizations should be aware of incident response steps because effective incident response can help to minimize the impact of security incidents and reduce the risk of data breaches. The most important steps for incident response are:
Preparation: Establish a plan for incident response, including roles and responsibilities, communication channels, and procedures for containing and investigating incidents.
Identification: Quickly identify and confirm that an incident has occurred. This may involve monitoring network and system logs, using intrusion detection systems, and analyzing suspicious activity.
Containment: Once an incident has been identified, contain it to prevent further damage. This may involve isolating affected systems or networks and limiting user access.
Investigation: Determine the scope and impact of the incident, gather evidence, and identify the root cause of the incident. This may involve conducting forensic analysis, interviewing witnesses, and reviewing system and network logs.
Eradication: Remove the cause of the incident and ensure that all affected systems and networks are clean and secure. This may involve removing malware, patching vulnerabilities, and updating security controls.
Recovery: Restore affected systems and networks to their normal operating state. This may involve restoring from backups, repairing or replacing hardware, and reconfiguring network and security settings.
Lessons learned: Conduct a post-incident review to identify areas for improvement in incident response processes and procedures.
Eradication is one of the most important steps in incident response because it is crucial to fully eliminate the cause of the incident to prevent future attacks and minimize the potential impact on the organization. The goal of eradication is to remove any malware or malicious code, patch vulnerabilities, and strengthen security controls to prevent similar incidents from occurring in the future.
Failing to effectively eradicate the incident can lead to continued exposure to attackers, potentially leading to further data breaches or other security incidents. This can result in additional costs, lost productivity, and reputational damage.
In addition, taking swift and effective action during the eradication process can help to demonstrate to customers, partners, and regulatory bodies that the organization takes security seriously and is committed to protecting sensitive information.
Therefore, this article provides the most important measurements for Linux and Windows systems.
Eradication
It is recommended to re-image the compromised device. After re-imaging run a malware / virus scan to check whether the back has been already infected or not. Consider that the database of your scanner is updated.
However if no back-ups are available or shutting down the system is not possible start with removing and run the following steps.
- Reset the passwords for all local accounts and delete any accounts created by the virus.
- If a detection measure like antivirus or firewall has been disabled/manipulated by the virus on the infected system, reactivate them or update their databases.
- Close all unnecessary ports and services, and reset the configuration files for services if necessary.
- Delete any modifications to drivers, the operating system, or kernel (rootkit) and revert any firmware modifications.
- Delete any cron jobs created by the virus and undo any manipulations to cron jobs.
- Delete any SSH keys created by the virus.
Linux:
- Running processes: Use the “ps” command to list all the running processes and check for any suspicious processes that you do not recognize or expect to see running.
- Network connections: Use the “netstat” command to list all the network connections and check for any suspicious connections that you do not recognize or expect to see.
- System logs: Check the system logs (such as “/var/log/syslog” or “/var/log/messages”) for any suspicious entries or errors that indicate malware activity.
- File system: Check the file system for any suspicious files or directories that have been created or modified recently, especially in the home directory and /tmp directory.
- Installed packages: Use the package manager to list all the installed packages and check for any suspicious packages that you do not recognize or expect to see.
Windows
- Task Manager: Check the Task Manager for any suspicious processes or programs that are consuming a lot of CPU or memory resources. Malware often runs in the background, so any suspicious processes should be investigated.
- Startup programs: Check the list of startup programs to see if any malware is set to run automatically when the computer starts up. Malware often adds itself to the startup list so it can run every time the computer is turned on.
- Windows Registry: Check the Windows Registry for any suspicious entries that have been added or modified. Malware often adds entries to the Registry to ensure that it runs every time the computer starts up.
- System files: Check the system files for any files that have been modified or replaced by malware. Malware often replaces system files with its own malicious code.
- For Windows systems, avoid restoring the system from restore points as they are likely to be infected (consider deleting the restore points), and check the web browser’s extensions and plugins for any unknown ones. Malware often installs browser extensions to steal information or display ads.
- Network connections: Use the “tcpview” command to list all the network connections and check for any suspicious connections that you do not recognize or expect to see.