Chapter 24 Incident Containment

Goal: minimize the impact of the incident.
Speed matters: the faster containment happens, the fewer systems are affected and the easier the damage is to repair.

Automated attacks can scan a network, locate vulnerabilities, and penetrate entire networks in minutes, so containment cannot wait.

Stop the spread:
determine affected systems: build a "fingerprint" of the incident (the exploited software, the vulnerability, and the observed indicators) and use it to identify other affected systems. Systems running the same software (OS or service) are likely to be affected as well.
deny access: isolate the affected system(s); disconnect them from the network.
eliminate rogue processes: some are disguised or hidden, some restart themselves, and some can be reinfected from other compromised systems.
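The "fingerprint" step above, as an added example that is not part of the original notes: an incident fingerprint (vulnerable service and versions, plus indicators seen on the confirmed host) is matched against a host inventory to separate confirmed, likely, and unmatched systems, and each class is mapped to a containment action. The inventory, host names, versions, and indicator strings are all constructed for the example.

```python
"""Containment triage: use an incident fingerprint to find other affected systems."""
from dataclasses import dataclass
from typing import Optional

# Constructed host inventory (hypothetical hosts, versions and artifacts; not real data).
# "observed" holds artifacts actually seen on the host (file paths, process names).
INVENTORY = {
    "web-01": {"os": "linux", "services": {"httpd": "2.4.49"}, "observed": {"/tmp/.x", "kworkerd"}},
    "web-02": {"os": "linux", "services": {"httpd": "2.4.49"}, "observed": set()},
    "web-03": {"os": "linux", "services": {"httpd": "2.4.51"}, "observed": set()},
    "db-01": {"os": "linux", "services": {"postgres": "14.2"}, "observed": set()},
    "win-01": {"os": "windows", "services": {"httpd": "2.4.49"}, "observed": set()},
}


@dataclass
class Fingerprint:
    """What the incident looks like, derived from the first compromised host."""
    os: Optional[str]            # OS family the attack depends on (None = any OS)
    service: str                 # name of the exploited service
    vulnerable_versions: set     # versions known to carry the exploited flaw
    indicators: set              # artifacts found on the confirmed-compromised host


# Constructed fingerprint for the example: a flaw in httpd 2.4.49 on any OS,
# with two artifacts left behind on the compromised host.
INCIDENT = Fingerprint(
    os=None,
    service="httpd",
    vulnerable_versions={"2.4.49"},
    indicators={"/tmp/.x", "kworkerd"},
)


def triage(inventory, fp):
    """Classify every host as confirmed, likely, or unmatched.

    confirmed: the host shows one of the incident's indicators.
    likely:    the host runs the same vulnerable software but shows no indicator yet.
    unmatched: neither the software nor the indicators match.
    """
    confirmed, likely, unmatched = [], [], []
    for host, info in sorted(inventory.items()):
        os_match = fp.os is None or info["os"] == fp.os
        version = info["services"].get(fp.service)
        software_match = os_match and version in fp.vulnerable_versions
        indicator_hit = bool(info["observed"] & fp.indicators)
        if indicator_hit:
            confirmed.append(host)
        elif software_match:
            likely.append(host)
        else:
            unmatched.append(host)
    return confirmed, likely, unmatched


def containment_plan(confirmed, likely):
    """Map triage classes to the containment action each host needs."""
    plan = {h: "isolate: disconnect from network, preserve evidence" for h in confirmed}
    plan.update({h: "inspect: same vulnerable software, check for indicators" for h in likely})
    return plan


if __name__ == "__main__":
    c, l, u = triage(INVENTORY, INCIDENT)
    for host, action in containment_plan(c, l).items():
        print(f"{host}: {action}")
    print("unmatched:", ", ".join(u))
```

Indicators take precedence over the software match: a host showing the incident's artifacts is confirmed regardless of what the inventory says it runs, because inventories lag reality. Hosts that only share the vulnerable software are not cleared but queued for inspection, which is the "same SW likely to be affected" rule from the notes.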

Regain control: bring the system back to a state you know cannot be subverted.
lock out the attacker: change all passwords, disable vulnerable services, remove back doors, and monitor activity to see whether the attacker gets in again.
"scrub" the system: remove all traces of the attack.
rebuild the system: reinstall, possibly after reformatting the disks. Use original media, apply security patches, review local customizations, and reload verified data from backups.