Okay, so now we're going to take a quick background look at eradication. Again, just to set you up to do the hands-on skills stuff, so that when we get there you know what the tools are and why we're using them the way that we're using them. But let's talk a little bit about what eradication actually is. One thing that you have to remember is that it deals primarily with actually cleaning and removing or re-imaging systems. In other words, you know where the threat is, you've contained the threat, now you're removing the threat. Sometimes that just requires cleaning or removing a piece of malware with some malware removal tool. Other times it requires a complete re-image. A lot of times organizations have adopted the mindset of "let's just re-image," because that's generally more complete than just using a tool to remove it, and it's usually a little bit faster. It might take a tool an hour to scan an entire drive and remove traces of that malware, where a re-imaging process might take, like, 10 minutes. So it just depends on what the situation is, but generally you see organizations opting for re-imaging over trying to manually go through some process to remove malware. But the key here, the most important thing when it comes to eradication, is documentation. Because if by some chance your eradication effort falls short, in other words you go through the whole eradication phase, you move on to recovery, and you discover after the fact that you haven't completely eradicated things, now you've got to go back to eradication, and your documentation is going to tell you generally what you missed or what you didn't do. It also gives you a nice footprint of what you did, so that you can make sure you do those things again pretty swiftly, but it also shows you areas that you might have missed. Now, you should be working from documented and approved steps.
I like to say, lean not on your own understanding, because look, most of us that do this on a professional level, we've done incident response and pen-testing and threat hunting for a really, really long time. So if we lean mostly on our own understanding, we could get lost in this thing. Your experience could be your enemy as you get lost in the weeds trying to figure this out. And sometimes things that satisfy my own curiosity may not be in the best interest of the incident response effort, right? So we have to make sure that we follow these documented and approved steps to keep us from going too far into the weeds. A lot of times what I'll do is I'll ask for permission from my clients: hey, we're going to move on to the next phase, we've got this to where we need to be. However, I'd like to keep a sample of this malware so that I can study it a little bit more later when I have time. That's going to give me more understanding of it, but it's also going to give me information to come back and give you after the fact about the situation. So leave that for then. Piquing your own curiosity and satisfying your own curiosity should not be a primary goal of you helping this organization through the eradication process. Also, preventative methods can be improved here. Through your eradication, a lot of times you will find what didn't work. Scanning every restored and re-imaged system to ensure infections are gone is another step that you want to do here, and I always look at that step, the scanning and testing, as kind of a hybrid or a bridge that happens generally in eradication, and it may be happening some in recovery as well. The main goal is to make sure that the threat is completely removed. In other words, there are no traces of the threat as you know it. Now, the key here is that you're working off of a set of IOCs that you know about, okay?
If later you discover that the threat is still there and there's a new IOC that pops out that you didn't know about before, that just means that in your identification and your containment something might have slipped through the cracks back in that phase. But the world doesn't end. If you get to the next phase and you discover that you didn't completely eradicate things, just move back, go back and start from where you need to start and work the process again. Nothing is perfect, nobody's perfect. And if someone tells you that every incident they've ever worked went perfectly from beginning to end, I would challenge you to say that they haven't worked on a lot of incidents. So with the cleaning and the wiping and restoration, really the cleaning should be at the end of the process, because let me just tell you some things that I've seen happen. Okay, I've seen organizations say these systems are infected, they need to be cleaned, and they give that system to IT or desktop support, whoever. That organization's definition of cleaning, if you take its definition, may be different than the definition that incident response or security had in mind. So you have to keep that in mind. A lot of times the definition of cleaning that system may be different just from department to department. So you need to make sure that as an incident response team, when you hand it off, if you hand it off to another team to clean, you define what that actually means, because I've seen that be a hiccup more than once. Okay, now re-imaging may not be enough. We have BIOS rootkits, we have boot sector rootkits, we have other things that are able to embed themselves in hardware now. Okay, so you want to make sure that you do a thorough job when we say cleaning, wiping, restoration. Define whose role cleaning is and then follow up on what the actual steps are for cleaning. Is it just running an AV tool, or is it actually re-imaging?
Okay, use original disk images where possible, and remember to patch back up to the latest. Because another thing we see happen is people re-image and then they forget about the fact that they have to re-patch. There are a lot of things that could have happened between the last time you built a new image and the patches that have come out. There could have been 100 more patches come out since you last built the fresh image. I've seen some organizations working off images that are literally five or six years old. They deploy that five-year-old image and then they stack everything on top of that. This is a good opportunity for you to have that conversation, and we'll talk about this at the end when we get into the recommendations. You want to make sure you make a note, if you run into that, to let them know that they should probably be refreshing their images a lot more frequently if it's years before they do that. You also want to remember to check the images. There have been at least two cases I've worked on where they kept re-imaging and we kept finding IOCs. They kept re-imaging, we kept finding IOCs, and it turned out that a couple of the images, not all of them, but a few of the specific images for a certain department, were compromised as well. So every time they re-imaged they were reintroducing the threat back into the environment. So you want to make sure you check your images to make sure they're good as well, right? Now, cloud considerations: you no longer have physical access to stuff. So when we talk about eradication and getting the stuff off of the systems and things like that and sanitizing, all these things are going to take on slightly different meanings now. Okay, eradication may mean something different.
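One way to check the two things this passage warns about, that the image a host was rebuilt from is still the approved one and that the rebuilt host carries none of the IOCs the team is working from, as an added Python example (not from the lecture); the image names, paths, hashes and IOC values are constructed.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def manifest_digest(manifest: dict) -> str:
    """Hash a path->sha256 manifest in a stable order so it can be baselined."""
    lines = sorted(f"{path} {digest}" for path, digest in manifest.items())
    return sha256_hex("\n".join(lines).encode())

# Constructed known-good manifest for a golden image. Its digest is what the team
# approved during preparation and what every re-image source is checked against.
GOLDEN_MANIFEST = {
    "/Windows/System32/ntoskrnl.exe": sha256_hex(b"constructed-kernel-image"),
    "/Windows/System32/drivers/disk.sys": sha256_hex(b"constructed-disk-driver"),
}
APPROVED_IMAGES = {"win10-std": manifest_digest(GOLDEN_MANIFEST)}

# Constructed IOC set the team is eradicating against (file hashes and paths).
IOC_HASHES = {sha256_hex(b"constructed-malware-loader")}
IOC_PATHS = {"/ProgramData/updsvc/updsvc.exe"}

def verify_image(name: str, manifest: dict) -> tuple:
    """Reject an image that is not approved or whose manifest drifted from baseline."""
    expected = APPROVED_IMAGES.get(name)
    if expected is None:
        return False, f"image {name!r} is not on the approved list"
    actual = manifest_digest(manifest)
    if actual != expected:
        return False, f"image {name!r} digest {actual[:12]} != approved {expected[:12]}"
    return True, "image matches approved baseline"

def sweep_host(inventory: dict) -> list:
    """Return IOC matches (by hash or path) found in a rebuilt host's file inventory."""
    findings = []
    for path, digest in inventory.items():
        if digest in IOC_HASHES:
            findings.append(f"hash match {digest[:12]} at {path}")
        if path in IOC_PATHS:
            findings.append(f"path match {path}")
    return findings

def eradication_record(host: str, image: str, manifest: dict, inventory: dict) -> dict:
    """Combine both checks into one documented entry for the eradication log."""
    image_ok, reason = verify_image(image, manifest)
    findings = sweep_host(inventory)
    return {"host": host, "image": image, "image_ok": image_ok, "image_note": reason,
            "iocs_found": findings, "eradicated": image_ok and not findings,
            "checked_at": datetime.now(timezone.utc).isoformat()}
```

A host is only marked eradicated when both its source image and its post-rebuild inventory come back clean; a compromised departmental image fails the first check even when the host itself shows no IOC.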
If the definition in your incident response policy and your playbook says we eradicate a threat off of a hard drive, and that means we physically take that hard drive out and replace it with a new one, well, guess what? If you're that extreme with it, when you may have migrated everything to cloud services, that is no longer something that you're able to do, because essentially there really is no physical hard drive anymore. Right, so you have to address these things so that you're not putting yourself in a position where you're not even following your own IR playbook, because your playbook is outdated due to your migrating to cloud services. Okay, now there are definitely a lot of advantages, like re-imaging will get exponentially easier when you look at how we do it in the cloud world. And you want to make sure that you communicate with the cloud service provider during the preparation phase, because if you don't, you're kind of behind, right? When you're doing your preparation and you're drawing these plans up, you want to reach out to the cloud service provider about it then, because then you know what your possibilities are when you get to that phase. Okay, so you can design everything around that. To summarize: have an organizational definition of what eradication actually means. Don't confuse eradication with the end of the incident, because we still have to do recovery and follow-up. All these things are part of it, and we'll see why in the next sections. Consider and measure the advantages and disadvantages inherited by using cloud services. This might be a tabletop exercise that you need to go through in partnership with your CSP. And by that I mean having maybe a CSP representative in the meeting or on the phone call where you're doing your tabletop walkthrough of responding to an incident, so you can see where they might fit in better.
Okay, so I hope that provided you some insight and gave you some things to add on as you go download the NIST framework and build your policies. We try in these sessions to point out things that might not be so obvious, and hopefully you got something out of this one. Thank you, and I hope to see you in the next one.