Automated attacks can scan, locate vulnerabilities, and penetrate entire networks in minutes.
Stop the spread:
determine affected systems: build a "fingerprint" of the incident and use it to identify other affected systems; systems running the same SW (OS or service) are likely to be affected as well.
deny access: isolate the affected system(s), disconnect networks.
eliminate rogue processes: some are disguised or hidden, restart themselves, or get reinfected from other systems.
bring the system back to a state you know won't be subverted:
lock out the attacker: change all passwords, disable vulnerable services, remove back doors, monitor activity to see if the attacker gets in again.
"scrub" the system: remove all traces of the attack.
rebuild the system: reinstall, maybe reformat disks. Use original media, apply security patches, review local customizations, reload verified data from backups.
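An added example (not from these notes) of the "determine affected systems" step: turn the incident fingerprint from the first compromised host into a check run over the rest of the inventory, so that confirmed hosts are isolated first and hosts with the same vulnerable software are handled before they are hit. The fingerprint fields, host records, service names, version numbers and port values are all constructed sample data.

```python
"""Triage a host inventory against an incident "fingerprint" (stop the spread, step 1).

The fingerprint records what was learned on the first compromised host:
the exploited software version, rogue process names and back-door ports.
All data below is constructed for the example, not from a real incident.
"""
from dataclasses import dataclass, field


@dataclass
class Fingerprint:
    vulnerable_sw: dict                     # {service: version} known to be exploited
    rogue_processes: set = field(default_factory=set)
    backdoor_ports: set = field(default_factory=set)


@dataclass
class Host:
    name: str
    services: dict                          # {service: installed version}
    processes: set                          # running process names
    listening_ports: set


def classify(host, fp):
    """'confirmed' if intrusion artefacts are present, 'exposed' if only the
    same vulnerable software is installed (same SW likely affected), else 'clean'."""
    if host.processes & fp.rogue_processes or host.listening_ports & fp.backdoor_ports:
        return "confirmed"
    if any(host.services.get(svc) == ver for svc, ver in fp.vulnerable_sw.items()):
        return "exposed"
    return "clean"


def triage(hosts, fp):
    """Group hosts by classification so containment can be ordered:
    confirmed hosts are isolated first, exposed hosts patched or taken offline."""
    groups = {"confirmed": [], "exposed": [], "clean": []}
    for host in hosts:
        groups[classify(host, fp)].append(host.name)
    return groups


# Constructed sample fingerprint and inventory (hypothetical names and versions).
FP = Fingerprint({"webserver": "1.2.3"}, {"rogue.bin"}, {4444})
HOSTS = [
    Host("web-01", {"webserver": "1.2.3"}, {"webserver", "rogue.bin"}, {80, 4444}),
    Host("web-02", {"webserver": "1.2.3"}, {"webserver"}, {80}),
    Host("web-03", {"webserver": "1.2.9"}, {"webserver"}, {80}),
    Host("db-01", {"dbserver": "8.0"}, {"dbserver"}, {3306, 4444}),
]

if __name__ == "__main__":
    for level, names in triage(HOSTS, FP).items():
        print(f"{level:9s} {names}")
```

A host counts as confirmed on any one artefact (db-01 runs different software but exposes the back-door port), which is why the fingerprint should carry more than just the vulnerable version.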