During the Eradication and Remediation phase, which statement best describes its importance and sequencing?

• A. Arguably the most important phase of the process, eradication aims to remove the threat and restore business operations to a normal state. However, successful eradication cannot occur until the full scope of the intrusion is understood. A rush to this phase usually results in failure. Remediation plans are developed, and recommendations are implemented in a planned and controlled manner.
• B. It is primarily focused on preserving evidence for compliance.
• C. It is the time to immediately shut down all networks.
• D. It is about documenting lessons learned for training.

Answer: (C)

The key idea here is that eradication and remediation focus on removing the attacker’s presence and artifacts and then restoring systems to a secure, normal state in a controlled, verifiable way. This phase depends on understanding the full extent of the intrusion so nothing is left behind, and remediation plans are executed in a planned sequence with verification, patching, and hardening before normal operations resume. Shutting down all networks immediately is not the typical approach; that step is a drastic containment action that can cripple business operations and hinder the careful eradication and restoration work. Evidence preservation and lessons learned are related tasks but align more with investigation/compliance and post-incident review, not the primary aim of eradication and remediation. Therefore, the statement that emphasizes removing the threat and restoring operations in a planned, scope-aware manner best describes this phase.