U.S. Department of Health and Human Services
After an incident has been contained and evidence preserved, as appropriate, eradication may be necessary to eliminate components of the incident. Deleting malicious code and disabling breached user accounts are examples of eradication. For some incidents, eradication is either not necessary or is performed during recovery.
During recovery, IT Administrators restore systems to normal operation and, as necessary, harden systems to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and adding or strengthening other security controls.
Operations and Maintenance Phase
Incident Eradication and Recovery