Containment and Eradication in IR

Cyber Security Mastery: From Zero to Hero

Stopping the Bleeding

3. Containment

Once an incident is verified, the priority is stopping the attacker from doing further damage and preventing the infection from spreading. This is often the most challenging phase.

  • Short-Term: Isolating the compromised host from the network (e.g., unplugging the network cable, blocking traffic at the firewall).
  • Long-Term: Changing passwords, disabling compromised accounts, taking forensic images of affected systems before remediation.

4. Eradication

This is the phase where the root cause is identified and permanently removed.

  • Root Cause Analysis: Determining the initial vulnerability (e.g., 'An outdated web server was exploited').
  • Cleanup: Removing all attacker artifacts (backdoors, malicious services, user accounts, and malware).
  • Patching: Fixing the original vulnerability that allowed the breach.
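As an added illustration that is not part of the course material: a small Python tracker for the containment and eradication steps above. It enforces the ordering the text calls for (isolate the host, hash a forensic image for chain of custody, and only then remove attacker artifacts) and keeps a timestamped audit trail. Case id, host names and artifact names are constructed.

```python
import hashlib
from datetime import datetime, timezone

class OrderingError(Exception):
    """Raised when an IR step is attempted out of the required order."""

class IncidentCase:
    """Tracks containment/eradication steps for one incident; a host must be
    isolated and its forensic image hashed before any cleanup touches it."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.isolated = set()      # hosts with short-term containment applied
        self.image_hashes = {}     # host -> sha256 of its forensic image
        self.eradicated = {}       # host -> artifacts removed during cleanup
        self.log = []              # timestamped audit trail of every step

    def _record(self, step, host, detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self.log.append((stamp, step, host, detail))

    def isolate(self, host, method):
        """Short-term containment, e.g. firewall block or cable pull."""
        self.isolated.add(host)
        self._record("isolate", host, method)

    def capture_image(self, host, image_bytes):
        """Hash the forensic image so its integrity can be verified later."""
        if host not in self.isolated:
            raise OrderingError(f"{host}: isolate before imaging")
        digest = hashlib.sha256(image_bytes).hexdigest()
        self.image_hashes[host] = digest
        self._record("image", host, digest)
        return digest

    def eradicate(self, host, artifacts):
        """Cleanup: refused until evidence has been preserved."""
        if host not in self.image_hashes:
            raise OrderingError(f"{host}: image before cleanup")
        self.eradicated[host] = list(artifacts)
        self._record("eradicate", host, ", ".join(artifacts))
        return len(artifacts)

if __name__ == "__main__":
    case = IncidentCase("IR-0001")  # constructed case id and host names
    case.isolate("web-01", "firewall block")
    case.capture_image("web-01", b"constructed image bytes")
    case.eradicate("web-01", ["backdoor.php", "rogue cron job"])
    print(case.log)
```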