Eradicate - AWS Security Incident Response User Guide

Eradicate

During the eradication phase, it is important to identify and address all affected accounts, resources, and instances - such as by deleting malware, removing compromised user accounts, and mitigating any discovered vulnerabilities - to apply uniform remediation across the environment.

It is a best practice to use a phased approach to eradication and recovery, and to prioritize remediation steps. The purpose of the early phases is to raise overall security quickly (days to weeks) with high-value changes that prevent a recurrence. The later phases can focus on longer-term changes (for example, infrastructure changes) and on ongoing work to keep the enterprise as secure as possible. Each case is unique, and AWS CIRT will work with you to assess the necessary actions.

Consider the following:

  • Can you re-image the system and harden it with patches or other countermeasures to prevent or reduce the risk of attacks?

  • Can you replace the infected system with a new instance or resource, enabling a clean baseline while terminating the infected item?

  • Have you removed all malware and other artifacts left behind by the unauthorized use, and hardened the affected systems against further attacks?

  • Is there a requirement for forensics on the impacted resources?
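The replacement path from the second question, with the forensic evidence the last question asks about captured before anything is destroyed, as an added AWS CLI example (not code from this guide or from AWS CIRT); the case ID, the hardened baseline AMI and the instance type are assumed inputs you supply.

```shell
# Added example: preserve evidence, then replace a compromised EC2 instance.
# Assumes AWS CLI v2 with credentials for the affected account, and that
# the baseline AMI you pass in is your own patched, hardened image.
set -eu

# List the EBS volume IDs attached to an instance (whitespace-separated).
attached_volumes() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
    --output text
}

# Snapshot every attached volume BEFORE the instance is terminated, tagged
# with the case ID, so forensics remains possible once the resource is gone.
preserve_evidence() {
  instance_id=$1; case_id=$2
  for vol in $(attached_volumes "$instance_id"); do
    aws ec2 create-snapshot --volume-id "$vol" \
      --description "IR evidence $case_id from $instance_id" \
      --tag-specifications "ResourceType=snapshot,Tags=[{Key=IncidentCase,Value=$case_id},{Key=SourceInstance,Value=$instance_id}]" \
      --query SnapshotId --output text
  done
}

# Order of operations: evidence -> clean replacement -> terminate the
# infected instance. Launching first avoids a capacity gap during recovery.
eradicate_instance() {
  instance_id=$1; case_id=$2; baseline_ami=$3; instance_type=${4:-t3.micro}
  preserve_evidence "$instance_id" "$case_id"
  aws ec2 run-instances --image-id "$baseline_ami" --instance-type "$instance_type" \
    --tag-specifications "ResourceType=instance,Tags=[{Key=ReplacedInstance,Value=$instance_id}]" \
    --query 'Instances[0].InstanceId' --output text
  aws ec2 terminate-instances --instance-ids "$instance_id" \
    --query 'TerminatingInstances[0].CurrentState.Name' --output text
}

# Usage: eradicate_instance <instance-id> <case-id> <baseline-ami> [instance-type]
```

The replacement instance still needs its own hardening and patch verification before it takes traffic; this script only restores a clean baseline and keeps the evidence.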