Containment aims to stop the attackers immediately and prevent further damage to the organization. Before making changes, the IRT should prioritize creating backups and forensic images so that evidence is preserved, which includes securing:
Various actions can be taken during containment, depending on the specific incident, such as:
These containment measures are crucial for quickly neutralizing the threat, allowing the IRT to proceed to the eradication phase.
Once containment is successfully executed, the IRT can proceed to the eradication phase, also known as the remediation phase, where the objective is to eliminate the attackers’ artifacts.
Quick options for eradication include:
It is essential to remember that restoring or rebuilding may reverse changes made during containment (for example, blocks or account restrictions), so those adjustments must be reapplied afterwards. In some cases, the IRT may need to manually remove the artifacts left by the attackers.
The goal for the IRT is to restore normal operations, which may require acceptance testing by the affected business units. Ideally, monitoring should be put in place to track the incident and detect any return of the attackers, for instance through artifacts that were not fully removed during eradication.
The final phase focuses on extracting lessons from the incident, which may include questions like:
This lessons-learned phase usually culminates in a report that provides an executive summary and an overview of the incident.