Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.2.4. Containment, Eradication, and Recovery

First Principle: Containment stops the bleeding, eradication removes the infection, and recovery restores normal operations. These must happen in sequence — eradicating without containment lets the attacker re-establish access, and recovering without eradication reintroduces the vulnerability.

Containment Actions (Immediate — Stop the Threat):
  Threat Type              Containment Action
  Compromised EC2          Apply quarantine SG (deny all inbound/outbound)
  Compromised credentials  Revoke active sessions, disable access key
  Compromised IAM user     Attach explicit deny-all policy
  Data exposure (S3)       Apply deny-all bucket policy, block public access
  DDoS attack              Activate Shield Advanced SRT, adjust WAF rules

Eradication Actions (Thorough — Remove the Root Cause):
  • Delete unauthorized IAM users, roles, and access keys created by the attacker
  • Terminate compromised instances (AFTER forensic capture)
  • Rotate all credentials that may have been exposed
  • Patch the vulnerability that enabled initial access
  • Remove any backdoors (Lambda functions, EC2 instances in unusual Regions)
Recovery Actions (Controlled — Restore Normal Operations):
  • Deploy new, hardened instances from validated AMIs
  • Restore data from verified clean backups (confirm backups weren't compromised)
  • Re-enable services with enhanced monitoring
  • Gradually remove containment controls as confidence increases
  • Validate recovery with Resilience Hub assessments

⚠️ Exam Trap: Restoring from backups without verifying them is dangerous — if the attacker was present when backups ran, the backup may contain the backdoor. Always validate backup integrity before restoration.

Scenario: After containing a credential compromise, the eradication phase reveals the attacker created a Lambda function in ap-southeast-1 that runs every 5 minutes to re-create the compromised access key. Without checking all Regions during eradication, the attacker maintains persistent access.
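A cross-Region sweep of the kind this scenario calls for, as an added Python example (not MindMesh Academy's material): it flags Lambda functions that were modified after the detection time or that live in a Region outside the approved list, so a keepalive function in ap-southeast-1 surfaces even when the compromise was detected elsewhere. The sample inventory, detection time and approved-Region set are constructed; `live_inventory()` shows the boto3 calls that would replace the sample during a real eradication.

```python
# Eradication sweep across all Regions for recently modified or out-of-place
# Lambda functions. Added example; the data below is constructed, not real.
from datetime import datetime, timezone

# Constructed sample of what Lambda list_functions() returns per Region.
SAMPLE_INVENTORY = {
    "us-east-1": [
        {"FunctionName": "billing-report", "LastModified": "2025-11-02T09:14:00.000+0000"},
    ],
    "ap-southeast-1": [
        {"FunctionName": "sys-keepalive", "LastModified": "2026-01-14T03:22:10.000+0000"},
    ],
    "eu-west-1": [],
}
DETECTED_AT = datetime(2026, 1, 13, 18, 0, tzinfo=timezone.utc)  # constructed
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}                       # constructed

def parse_lambda_ts(ts: str) -> datetime:
    """Lambda reports LastModified as e.g. '2026-01-14T03:22:10.000+0000'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def find_suspect_functions(inventory, detected_at, approved_regions):
    """Return (region, name) pairs worth review: modified at or after detection,
    or deployed in a Region the organization does not normally use."""
    suspects = []
    for region, functions in inventory.items():
        for fn in functions:
            recent = parse_lambda_ts(fn["LastModified"]) >= detected_at
            unusual_region = region not in approved_regions
            if recent or unusual_region:
                suspects.append((region, fn["FunctionName"]))
    return suspects

def sample_sweep():
    """Run the sweep against the constructed inventory."""
    return find_suspect_functions(SAMPLE_INVENTORY, DETECTED_AT, APPROVED_REGIONS)

def live_inventory():
    """Build the same structure from AWS; needs boto3 and read-only credentials."""
    import boto3  # imported here so the module still runs offline with the sample
    ec2 = boto3.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions(AllRegions=False)["Regions"]]
    inv = {}
    for region in regions:  # every enabled Region, not just where the alert fired
        pages = boto3.client("lambda", region_name=region).get_paginator("list_functions")
        inv[region] = [f for page in pages.paginate() for f in page["Functions"]]
    return inv

if __name__ == "__main__":
    for region, name in sample_sweep():
        print(f"review {name} in {region}")
```

Opt-in Regions the account has enabled are returned by `describe_regions`, so a function hidden in one of them is still enumerated.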

Reflection Question: Why must eradication search ALL Regions and ALL accounts rather than just the ones where the initial compromise was detected?

Written by Alvin Varughese, Founder (15 professional certifications)