A thorough containment and remediation process that stops an entire campaign, instead of only solving a symptom of the attack, is essential. However, security teams usually apply a very specific solution to a very broad problem, leaving ample opportunity for the same attack to recur.
The containment and remediation plan must be based on the findings of the security team's investigation of the incident. Often, however, the plan that is developed relies only on information gathered during the preliminary detection. For example, if a SIEM detects a malicious connection to a C2 server, the typical response is to kill the process making the connection and block the IP address at the firewall. But if the malware is persistent, it will reload when the computer reboots, perhaps under a different process name, and communicate with a different server.
The security team then enters an endless loop of detection, containment and eradication for the same threat. If, on the other hand, the team had investigated the malware's techniques and infection vector, it would have a better eradication plan and could also have developed a prevention plan.
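As an added illustration (not code from the original text), the script below runs over a small set of constructed endpoint events and contrasts the two approaches: containing on the alert's indicator alone, versus pivoting from the alerted process to the on-disk image and the autorun entry that would re-launch it. Event fields, registry key, file path and addresses are all constructed sample values.

```python
# Constructed telemetry for one workstation; "t" is only an ordering.
# The SIEM alert fires on the net_conn at t=3; the analyst kills the
# process and blocks the IP, then the autorun entry re-launches the same
# image under a new name, which beacons to a new server.
EVENTS = [
    {"t": 1, "type": "autorun_write",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "image": r"C:\Users\a\AppData\Roaming\svc.exe"},
    {"t": 2, "type": "proc_start", "proc": "svc.exe",
     "image": r"C:\Users\a\AppData\Roaming\svc.exe"},
    {"t": 3, "type": "net_conn", "proc": "svc.exe", "dst": "203.0.113.10"},
    {"t": 4, "type": "proc_kill", "proc": "svc.exe"},
    {"t": 5, "type": "fw_block", "dst": "203.0.113.10"},
    {"t": 6, "type": "proc_start", "proc": "wupdate.exe",
     "image": r"C:\Users\a\AppData\Roaming\svc.exe"},
    {"t": 7, "type": "net_conn", "proc": "wupdate.exe", "dst": "198.51.100.7"},
]


def c2_missed_by_ioc_block(events):
    """Symptom-level containment: honour only the firewall blocks that were
    applied and return every later C2 destination the block list never covers."""
    blocked, missed = set(), []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "fw_block":
            blocked.add(e["dst"])
        elif e["type"] == "net_conn" and blocked and e["dst"] not in blocked:
            missed.append(e["dst"])
    return missed


def campaign_remediation(events, alert_proc):
    """Campaign-level plan: pivot from the alerted process to its image on disk,
    to the persistence entry pointing at that image, to every process launched
    from it, and to every destination those processes contacted."""
    image = next(e["image"] for e in events
                 if e["type"] == "proc_start" and e["proc"] == alert_proc)
    procs = {e["proc"] for e in events
             if e["type"] == "proc_start" and e["image"] == image}
    keys = {e["key"] for e in events
            if e["type"] == "autorun_write" and e["image"] == image}
    dsts = {e["dst"] for e in events
            if e["type"] == "net_conn" and e["proc"] in procs}
    return {"remove_autorun": sorted(keys), "delete_image": [image],
            "kill": sorted(procs), "block": sorted(dsts)}


if __name__ == "__main__":
    print("C2 traffic still allowed after IP block:", c2_missed_by_ioc_block(EVENTS))
    print("Campaign plan:", campaign_remediation(EVENTS, "svc.exe"))
```

The first function shows the loop the text describes (the re-launched beacon is never blocked); the second produces a plan whose persistence and image removal holds regardless of which server or process name the malware uses next.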