automated attacks can scan, locate vulnerabilities, penetrate entire networks in minutes.
Stop the spread:
determine affected systems: "fingerprint" of incident to identify
other affected systems. same SW (OS or service) likely to be also
affected.
deny access: isolate system(s), disconnect networks.
eliminate rogue processes: some disguised or hidden, or restartable,
or reinfectable from other systems.
Regain control:
bringing system back to where you know it won't be subverted.
lockout attacker: change all passwords, disable vulnerable services,
remove back doors, monitor activities to see if attacker gets in
again.
"scrub" the system: all traces of attack removed.
rebuild the system: reinstall, maybe reformat disks. use original
media, apply security patches, review local customizations, reload
verified data from backups.