NIST SP 800-61
Handling an Incident
3.4. Eradication and Recovery
After an incident has been contained, eradication may be necessary to eliminate components of the
incident, such as deleting malware and disabling breached user accounts, as well as identifying and
mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected
hosts within the organization so that they can be remediated. For some incidents, eradication is either not
necessary or is performed during recovery.
In recovery, administrators restore systems to normal operation, confirm that the systems are functioning
normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery may involve
such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing
compromised files with clean versions, installing patches, changing passwords, and tightening network
perimeter security (e.g., firewall rulesets, boundary router access control lists). Higher levels of system
logging or network monitoring are often part of the recovery process. Once a resource is successfully
attacked, it is often attacked again, or other resources within the organization are attacked in a similar
Eradication and recovery should be done in a phased approach so that remediation steps are prioritized.
For large-scale incidents, recovery may take months; the intent of the early phases should be to increase
the overall security with relatively quick (days to weeks) high value changes to prevent future incidents.
The later phases should focus on longer-term changes (e.g., infrastructure changes) and ongoing work to
keep the enterprise as secure as possible.
Because eradication and recovery actions are typically OS or application – specific, detailed
recommendations and advice regarding them are outside the scope of this document.