Threat Remediation
Eliminate security threats and restore system integrity with comprehensive remediation procedures.
What is Threat Remediation?
Threat remediation is the process of completely removing malicious activity and closing security gaps to prevent re-infection. Unlike containment (which stops the threat from spreading), remediation eliminates the root cause.
| Action | Description |
|---|---|
| Remove Malware | Delete malicious files and processes |
| Close Entry Points | Patch vulnerabilities used in attack |
| Reset Credentials | Change compromised passwords |
| Verify Cleanup | Confirm threat is fully eliminated |
Remediation by Threat Type
Different threats require different remediation approaches:
Malware & Ransomware
- Isolate Infected Systems - Disconnect from network to prevent lateral movement
- Identify Malware Variant - Use CastellanAI's malware scanner to identify strain and behavior
- Remove Malicious Files - Delete malware executables, scripts, and persistence mechanisms
- Clean Registry/Startup - Remove malware auto-start entries and registry keys
- Verify Removal - Run full system scan to confirm malware is gone
Compromised Credentials
- Identify Scope - Determine which accounts were compromised and their access level
- Force Password Reset - Immediately reset passwords for all affected accounts
- Revoke Active Sessions - Terminate all existing sessions and tokens
- Enable MFA - Require multi-factor authentication for affected accounts
- Audit Account Activity - Review actions taken by compromised accounts for unauthorized changes
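The reset, revocation and MFA steps above only work if the identity provider treats a credential reset as a hard cut-off for sessions issued before it; a password change that leaves existing tokens valid does not evict the attacker. The block below is an added example written for this page, not CastellanAI's Credential Reset Tool or its API: it models an in-memory identity store with a per-account "sessions valid from" watermark, issues signed tokens that carry their issue time, and applies the three steps in one operation. The account class, token format and signing key are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for an identity provider (assumption: not a real API).
SIGNING_KEY = b"constructed-example-key-rotate-in-production"


@dataclass
class Account:
    username: str
    password_hash: str
    mfa_required: bool = False
    # Any session issued before this instant (epoch seconds) is rejected.
    sessions_valid_from: float = 0.0
    reset_events: list = field(default_factory=list)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def issue_session(username: str, issued_at: float) -> str:
    """Issue an HMAC-signed token carrying its issue time (like a JWT 'iat')."""
    payload = json.dumps({"sub": username, "iat": issued_at}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, "sha256").hexdigest()
    return payload.hex() + "." + sig


def session_is_valid(token: str, accounts: dict) -> bool:
    """Valid only if the signature checks out AND the token was issued at or
    after the account's last credential reset."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False
    expected = hmac.new(SIGNING_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    claims = json.loads(payload)
    account = accounts.get(claims.get("sub"))
    if account is None:
        return False
    return claims["iat"] >= account.sessions_valid_from


def remediate_compromised_accounts(accounts: dict, compromised: list, now: float) -> dict:
    """Force a new random password, revoke every existing session by moving the
    validity watermark to `now`, and require MFA. Returns the one-time
    passwords so they can be delivered out of band; they are stored only hashed."""
    temp_passwords = {}
    for username in compromised:
        account = accounts[username]
        new_password = secrets.token_urlsafe(16)
        account.password_hash = hash_password(new_password)
        account.sessions_valid_from = now
        account.mfa_required = True
        account.reset_events.append({"at": now, "reason": "compromised-credentials"})
        temp_passwords[username] = new_password
    return temp_passwords


def demo() -> dict:
    """Constructed scenario: alice is compromised, bob is not."""
    accounts = {
        "alice": Account("alice", hash_password("old-pw-alice")),
        "bob": Account("bob", hash_password("old-pw-bob")),
    }
    t0 = 1_700_000_000.0
    alice_old = issue_session("alice", t0)
    bob_old = issue_session("bob", t0)
    remediate_compromised_accounts(accounts, ["alice"], now=t0 + 60)
    alice_new = issue_session("alice", t0 + 120)
    tampered = alice_new[:-1] + ("0" if alice_new[-1] != "0" else "1")
    return {
        "alice_old_valid": session_is_valid(alice_old, accounts),
        "bob_old_valid": session_is_valid(bob_old, accounts),
        "alice_new_valid": session_is_valid(alice_new, accounts),
        "tampered_valid": session_is_valid(tampered, accounts),
        "alice_mfa": accounts["alice"].mfa_required,
        "bob_mfa": accounts["bob"].mfa_required,
    }


if __name__ == "__main__":
    print(demo())
```

The watermark approach revokes sessions without keeping a per-token blocklist: any token older than the reset is dead regardless of where it was issued, which matters when the attacker may hold refresh tokens or API keys the responder never saw.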
Vulnerability Exploitation
- Identify Vulnerability - Determine which CVE or 0-day was exploited
- Emergency Patching - Apply security patches to vulnerable systems immediately
- Check for Backdoors - Scan for persistent access mechanisms installed via exploit
- Harden Configuration - Disable unnecessary services and features to reduce attack surface
- Scan for Similar Vulnerabilities - Check other systems for the same or related vulnerabilities
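"Scan for Similar Vulnerabilities" means comparing every host's installed versions against the advisory's affected range, not just patching the box that was exploited. The block below is an added example, not CastellanAI's Vulnerability Scanner: it parses version strings (including pre-release suffixes, which must sort before the release they precede), tests each host against constructed advisories, and orders the findings with known-exploited issues first. The CVE identifiers, package names and inventory are placeholders constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str            # placeholder identifier, constructed for this example
    package: str
    introduced: str     # first affected version (inclusive)
    fixed: str          # first fixed version (exclusive upper bound)
    known_exploited: bool
    cvss: float


def parse_version(v: str) -> tuple:
    """Turn '2.4.49' or '1.0.0-rc1' into a comparable tuple.
    Numeric parts compare numerically and are padded to three components;
    a pre-release suffix sorts before the release with the same numbers.
    (Suffixes themselves compare as plain strings, so 'rc10' < 'rc2'.)"""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums = nums + (0,) * (3 - len(nums))
    return (nums, 0 if pre else 1, pre)


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_exposed_hosts(inventory: dict, advisories: list) -> list:
    """inventory: {host: {package: installed_version}}.
    Returns one finding per (host, advisory) still inside the affected range,
    ordered known-exploited first, then by CVSS, then by host name."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed and is_affected(installed, adv):
                findings.append({
                    "host": host, "cve": adv.cve, "package": adv.package,
                    "installed": installed, "fix": adv.fixed,
                    "known_exploited": adv.known_exploited, "cvss": adv.cvss,
                })
    findings.sort(key=lambda f: (not f["known_exploited"], -f["cvss"], f["host"]))
    return findings


# Constructed advisories and inventory (not real CVEs, packages or hosts).
ADVISORIES = [
    Advisory("CVE-0000-0001", "exampled", "2.4.0", "2.4.50", True, 9.8),
    Advisory("CVE-0000-0002", "libexample", "1.0.0", "1.2.3", False, 7.5),
]
INVENTORY = {
    "web-01": {"exampled": "2.4.49", "libexample": "1.2.3"},   # exampled still vulnerable
    "web-02": {"exampled": "2.4.50"},                           # already on the fixed version
    "db-01": {"libexample": "1.1.0-rc1"},                       # pre-release inside the range
    "app-03": {"libexample": "1.2.2", "exampled": "2.4.30"},    # both advisories apply
}

if __name__ == "__main__":
    for f in find_exposed_hosts(INVENTORY, ADVISORIES):
        print(f"{f['host']:8} {f['cve']} {f['package']} {f['installed']} -> {f['fix']}"
              f" {'KNOWN-EXPLOITED' if f['known_exploited'] else ''}")
```

The exclusive upper bound is the usual trap: a host on exactly the fixed version is not affected, while a pre-release of the first affected version is not yet inside the range.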
Insider Threat
- Disable Account - Immediately suspend insider's account and access
- Preserve Evidence - Capture audit logs and forensic data before remediation
- Review Access History - Audit all data accessed and actions taken by insider
- Recover/Restore Data - Restore deleted or exfiltrated data from backups if needed
- Review Access Controls - Implement least-privilege access and enhanced monitoring
CastellanAI Remediation Tools
Malware Removal Assistant
AI-powered tool that identifies malware location, dependencies, and persistence mechanisms, then guides you through safe removal.
Access: Incident Details -> Actions -> Run Malware Removal Assistant
Credential Reset Tool
Bulk password reset and session revocation for compromised accounts across your organization.
Access: Settings -> User Management -> Bulk Actions -> Reset Credentials
Vulnerability Scanner
Scans systems for known vulnerabilities and missing patches, prioritized by exploitability.
Access: Agents -> Select Agent -> Actions -> Run Vulnerability Scan
System Restore Point
Creates and restores system snapshots to known-good configurations before infection.
Access: Incident Details -> Actions -> System Recovery
Post-Remediation Verification
After remediation, verify the threat is completely eliminated:
- Full System Scan - Run comprehensive malware scan on all affected systems
- Monitor for 72 Hours - Watch for signs of re-infection or persistence mechanisms
- Verify IoCs Cleared - Confirm all Indicators of Compromise are no longer present
- Test System Functionality - Ensure normal operations have been restored
- Update Detection Rules - Create custom rules to detect similar threats in the future
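Both "Verify Removal" under Malware & Ransomware and "Verify IoCs Cleared" above come down to the same sweep: re-check every indicator from the incident against the host after cleanup, and treat any hit as an incomplete remediation. The block below is an added example, not CastellanAI's scanner: it takes a constructed IoC set (file hashes, paths, autorun names, contacted domains), hashes every file under a root so a renamed copy of the dropped payload is still caught, intersects the autorun and DNS snapshots with the IoC lists, and only reports the host clean when every category is empty. The payload bytes, paths, autorun names and domain are constructed placeholders; the autorun and domain snapshots are passed in as plain sets rather than read from a live system.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed "payload" content; its hash stands in for a file-hash IoC.
MALICIOUS_CONTENT = b"constructed-stage2-payload-not-real-malware"

# Constructed IoC set for the example (placeholder paths, names and domain).
IOCS = {
    "sha256": {hashlib.sha256(MALICIOUS_CONTENT).hexdigest()},
    "paths": {"ProgramData/updater/svchost32.exe", "Users/Public/run.vbs"},
    "autoruns": {"WindowsUpdaterSvc"},
    "domains": {"cdn-update.example.invalid"},
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, autoruns: set, resolved_domains: set, iocs: dict = IOCS) -> dict:
    """Return residual indicators by category; every list empty means clean."""
    residual = {"sha256": [], "paths": [], "autoruns": [], "domains": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if rel in iocs["paths"]:
                residual["paths"].append(rel)
            # Hash every file: a renamed or relocated copy is still the same payload.
            if sha256_file(p) in iocs["sha256"]:
                residual["sha256"].append(rel)
    residual["paths"].sort()
    residual["sha256"].sort()
    residual["autoruns"] = sorted(autoruns & iocs["autoruns"])
    residual["domains"] = sorted(resolved_domains & iocs["domains"])
    return residual


def is_clean(report: dict) -> bool:
    return not any(report.values())


def build_infected_fixture(root: Path) -> None:
    """Constructed on-disk state of a compromised host."""
    (root / "ProgramData" / "updater").mkdir(parents=True)
    (root / "ProgramData" / "updater" / "svchost32.exe").write_bytes(MALICIOUS_CONTENT)
    (root / "Users" / "Public").mkdir(parents=True)
    # Same payload under an innocuous name: caught by hash, not by path.
    (root / "Users" / "Public" / "cache.tmp").write_bytes(MALICIOUS_CONTENT)
    (root / "Users" / "Public" / "notes.txt").write_bytes(b"benign")


def demo() -> tuple:
    """Sweep before cleanup, after a partial cleanup, and after full cleanup."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_infected_fixture(root)
        autoruns = {"WindowsUpdaterSvc", "OneDrive"}
        before = sweep(root, autoruns, {"cdn-update.example.invalid", "login.example.com"})
        # Partial cleanup: the known path is deleted, but the renamed copy
        # and the autorun entry survive.
        (root / "ProgramData" / "updater" / "svchost32.exe").unlink()
        partial = sweep(root, autoruns, {"login.example.com"})
        # Full cleanup: copy removed, autorun removed.
        (root / "Users" / "Public" / "cache.tmp").unlink()
        after = sweep(root, {"OneDrive"}, {"login.example.com"})
        return before, partial, after


if __name__ == "__main__":
    for label, report in zip(("before", "partial", "after"), demo()):
        print(label, "clean" if is_clean(report) else report)
```

The "partial" pass is the case worth keeping in mind during the 72-hour monitoring window: deleting the file the alert named clears the path indicator while the hash and autorun indicators still fire, which is exactly the persistence a re-infection comes back through.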
Best Practices
Do's
- Document Everything - Record all remediation steps for audit trail and future reference
- Preserve Forensic Evidence - Collect forensic data before remediation for investigation and legal needs
- Test in Isolation First - When possible, test remediation steps on isolated systems before production
- Have Backups Ready - Ensure recent backups are available before attempting remediation
Don'ts
- Don't rush critical systems - Plan remediation carefully for business-critical systems to minimize downtime
- Don't insist on cleaning in place - For severe infections, rebuilding from clean images may be faster and more reliable
What's Next?
- Incident Workflows - Standardize response procedures
- Custom Detection Rules - Prevent similar threats
- Generating Reports - Document remediation efforts
Need Help?
Our incident response team can help with complex threat remediation.