Threat Remediation
Eliminate security threats and restore system integrity with comprehensive remediation procedures.
Unlike containment (which stops threats from spreading), remediation eliminates the root cause and prevents re-infection.
What is Threat Remediation?
Threat remediation is the process of completely removing malicious activity and closing security gaps.
| Action | Description |
|---|---|
| Remove Malware | Delete malicious files and processes |
| Close Entry Points | Patch vulnerabilities used in attack |
| Reset Credentials | Change compromised passwords |
| Verify Cleanup | Confirm threat is fully eliminated |
Remediation by Threat Type
- Malware/Ransomware
- Compromised Credentials
- Vulnerability Exploitation
- Insider Threat
Malware & Ransomware Remediation
| Step | Action | Details |
|---|---|---|
| 1 | Isolate Infected Systems | Disconnect from network |
| 2 | Identify Malware Variant | Use malware scanner to identify strain |
| 3 | Remove Malicious Files | Delete executables, scripts, persistence |
| 4 | Clean Registry/Startup | Remove auto-start entries |
| 5 | Verify Removal | Run full system scan |
For ransomware, do NOT pay the ransom. Restore from clean backups after remediation.
Compromised Credentials Remediation
| Step | Action | Details |
|---|---|---|
| 1 | Identify Scope | Determine which accounts were compromised |
| 2 | Force Password Reset | Reset all affected accounts immediately |
| 3 | Revoke Active Sessions | Terminate all existing sessions/tokens |
| 4 | Enable MFA | Require multi-factor authentication |
| 5 | Audit Account Activity | Review for unauthorized changes |
One compromised account may mean others are affected. Check for credential reuse.
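The five steps above and the credential-reuse check, worked through on a small identity store (an added example, not CastellanAI code; the accounts, passwords and session ids are constructed, and the PBKDF2 parameters are an assumption):

```python
"""Compromised-credentials remediation on a constructed identity store:
identify scope (including password reuse), force reset, revoke sessions,
require MFA, and return audit records for the activity review."""
import hashlib
import os
import secrets
from dataclasses import dataclass, field

ITERATIONS = 100_000  # PBKDF2 work factor; assumed for the example


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    sessions: list = field(default_factory=list)  # active session/token ids
    must_reset: bool = False
    mfa_required: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(name: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, hash_password(password, salt))


def find_reuse(accounts: list, leaked_password: str) -> set:
    """Step 1 (identify scope): test the leaked password against every account's
    salted hash, so reuse is found even though no two stored hashes are equal."""
    return {a.name for a in accounts
            if secrets.compare_digest(hash_password(leaked_password, a.salt), a.pw_hash)}


def remediate(accounts: list, known_compromised: set, leaked_password: str) -> list:
    """Steps 2-5: for every account in scope, invalidate the password, revoke all
    sessions, require MFA, and return audit records for the activity review."""
    scope = known_compromised | find_reuse(accounts, leaked_password)
    audit = []
    for acct in accounts:
        if acct.name not in scope:
            continue
        acct.pw_hash = os.urandom(32)               # Step 2: nothing verifies until reset
        acct.must_reset = True                      #         new password at next logon
        revoked, acct.sessions = acct.sessions, []  # Step 3: every existing token dies
        acct.mfa_required = True                    # Step 4
        audit.append({"account": acct.name, "revoked_sessions": len(revoked)})  # Step 5
    return sorted(audit, key=lambda r: r["account"])
```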
Vulnerability Exploitation Remediation
| Step | Action | Details |
|---|---|---|
| 1 | Identify Vulnerability | Determine the CVE or 0-day that was exploited |
| 2 | Emergency Patching | Apply security patches immediately |
| 3 | Check for Backdoors | Scan for persistent access mechanisms |
| 4 | Harden Configuration | Disable unnecessary services |
| 5 | Scan Similar Systems | Check for same vulnerabilities |
Insider Threat Remediation
| Step | Action | Details |
|---|---|---|
| 1 | Disable Account | Immediately suspend insider's access |
| 2 | Preserve Evidence | Capture audit logs before remediation |
| 3 | Review Access History | Audit all actions taken by insider |
| 4 | Recover/Restore Data | Restore from backups if needed |
| 5 | Review Access Controls | Implement least-privilege access |
Coordinate with HR and Legal before taking action on insider threats.
CastellanAI Remediation Tools
- Malware Removal
- Credential Reset
- Vulnerability Scanner
- System Restore
Malware Removal Assistant
AI-powered tool that identifies malware location, dependencies, and persistence mechanisms.
Access: Incident Details → Actions → Run Malware Removal Assistant
Features:
- Automatic malware family identification
- Persistence mechanism detection
- Safe removal guidance
- Cleanup verification
Credential Reset Tool
Bulk password reset and session revocation for compromised accounts.
Access: Settings → User Management → Bulk Actions → Reset Credentials
Features:
- Bulk password reset
- Session revocation
- MFA enforcement
- Activity audit
Vulnerability Scanner
Scans systems for known vulnerabilities and missing patches.
Access: Agents → Select Agent → Actions → Run Vulnerability Scan
Features:
- CVE detection
- Missing patch identification
- Risk prioritization
- Remediation guidance
System Restore Point
Creates and restores system snapshots to known-good configurations.
Access: Incident Details → Actions → System Recovery
Features:
- Pre-infection snapshots
- Clean configuration restore
- Application state recovery
- Verification testing
Post-Remediation Verification
After remediation, verify the threat is completely eliminated:
| Step | Description | Timeframe |
|---|---|---|
| Full System Scan | Run comprehensive malware scan | Immediately |
| Monitor for 72 Hours | Watch for signs of re-infection | 72 hours |
| Verify IoCs Cleared | Confirm all indicators are gone | After monitoring |
| Test System Functionality | Ensure normal operations restored | After verification |
| Update Detection Rules | Create rules to detect similar threats | After closure |
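The "Monitor for 72 Hours" and "Verify IoCs Cleared" steps as a check over telemetry, written for this page (not CastellanAI code): sightings up to the remediation timestamp belong to the incident itself, any sighting after it is a re-infection signal, and the monitoring window must have elapsed before the threat is declared cleared. The indicators and events are constructed for the example.

```python
"""Post-remediation IoC verification over constructed events."""
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
MONITOR_WINDOW = 72 * HOUR  # the window from the verification table

# Constructed indicators for the example; not real IoCs from any incident.
IOCS = {
    "sha256": {"0" * 63 + "1"},         # placeholder hash of the removed sample
    "domain": {"c2.example.invalid"},
    "ip": {"192.0.2.44"},               # RFC 5737 documentation address
}

T0 = datetime(2024, 3, 1, 12, 0)        # constructed remediation timestamp
# Constructed events: (timestamp, host, indicator kind, observed value)
EVENTS = [
    (T0 - 10 * HOUR // 60, "host-a", "domain", "C2.example.invalid."),      # the incident
    (T0 + 20 * HOUR, "host-b", "ip", "192.0.2.44"),                          # still beaconing
    (T0 + 30 * HOUR, "host-a", "domain", "updates.example.invalid"),          # benign
]


def normalize(kind: str, value: str) -> str:
    """Case-fold and strip trailing dots so 'C2.Example.Invalid.' matches."""
    v = value.strip()
    return v.lower().rstrip(".") if kind in ("domain", "sha256") else v


def verify_iocs_cleared(events, iocs, remediated_at, now):
    """Return the verification status plus any post-remediation IoC hits."""
    window_end = remediated_at + MONITOR_WINDOW
    hits = [(ts, host, kind, normalize(kind, value))
            for ts, host, kind, value in events
            if ts > remediated_at and normalize(kind, value) in iocs.get(kind, set())]
    complete = now >= window_end
    if hits:
        status = "re-infection"   # cleanup missed something or a related system
    elif complete:
        status = "cleared"
    else:
        status = "pending"        # no hits yet, but the window has not elapsed
    remaining = max(window_end - now, timedelta(0))
    return {"status": status, "monitoring_complete": complete,
            "remaining_hours": remaining / HOUR, "hits": sorted(hits)}
```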
Best Practices
- Do's
- Don'ts
Remediation Do's
| Practice | Reason |
|---|---|
| Document Everything | Audit trail and future reference |
| Preserve Forensic Evidence | Investigation and legal needs |
| Test in Isolation First | Avoid production issues |
| Have Backups Ready | Recovery option if remediation fails |
| Coordinate with Stakeholders | Minimize business disruption |
Remediation Don'ts
| Avoid | Reason |
|---|---|
| Rushing critical systems | May cause outages |
| Skipping verification | Threat may persist |
| Ignoring related systems | Infection may have spread |
| Deleting without backup | May need evidence or recovery |
For severe infections, rebuilding from clean images may be faster and more reliable than manual cleanup.
Remediation Checklist
- Threat identified and contained
- Evidence preserved for investigation
- Malicious files/processes removed
- Entry point closed (vulnerability patched)
- Compromised credentials reset
- Full system scan completed
- 72-hour monitoring completed
- System functionality verified
- Detection rules updated
- Incident report generated
- Post-mortem scheduled
What's Next?
| Guide | Description |
|---|---|
| Incident Workflows | Standardize response procedures |
| Custom Detection Rules | Prevent similar threats |
| Generating Reports | Document remediation efforts |
| Taking Action | Execute response actions |
Our incident response team can help with complex threat remediation. Contact Support