█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Incident Response/Containment and Eradication
35 minIntermediate

Containment and Eradication

After this lesson, you will be able to: Apply short- and long-term containment, remove threats fully, and preserve forensic evidence in the process.

Once you know there's an incident, your next decisions matter most. Move too fast and you destroy evidence. Too slow and the attacker spreads. This lesson covers the calculus.

Prerequisites:Detection and Analysis

Short-term vs long-term containment

Short-term, stop the immediate damage (isolate host from network, disable account, kill process). Long-term, prevent re-entry while you investigate (firewall rules, credential resets, segmentation). Don't skip straight to nuke-and-pave, without the long-term step, the attacker often returns through the same door.

💡 Preserve evidence before you wipe

Capture memory, disk image, and logs before reimaging. Once a host is wiped, the forensic story is gone, you can't go back later to figure out what they took. Tools: FTK Imager, Belkasoft RAM Capturer, KAPE.

Eradication

Remove malware, persistence mechanisms (scheduled tasks, registry keys, cron jobs), backdoor accounts. Rotate all credentials the attacker may have touched. Patch the vulnerability that let them in, otherwise the next attacker walks through it. Re-image rather than 'clean' when possible.

Common mistakes

Containing only what's been confirmed compromised, the attacker is usually further than you think. Forgetting non-Windows systems (Linux, cloud, SaaS). Resetting only one user when others were touched. Eradicating malware but leaving the attacker's persistence (a new scheduled task, a webshell file).

Quick Check

Compromised laptop. First action?

Choose the right call.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Detection and Analysis
Back to Incident Response
Recovery and Post-Incident→