5 Steps Incident Response
Analyze all relevant data (network traffic, logs, firewall records, etc.) to confirm that an incident took place. Then classify the incident based on the adverse event that compromised some aspect of computer or network security.
The objective of the containment phase is to contain any damage and prevent further harm to the network. This can be done by disconnecting any infected systems to isolate them from the network, or by stopping a service.
First preserve the evidence by making forensic images of the impacted systems in accordance with chain-of-custody best practice. Your main aim in this phase is then to remove the threat from the network.
Recovery involves reformatting and reloading the systems, applying the appropriate patches, and restoring the data from a known-good backup. Recovery can also include changes to the network security architecture.
Conduct a "lessons learned" session to learn more about the actual incident and the overall experience. The feedback from the session gives you the opportunity to improve the organization's overall security posture, for example by updating security policies, procedures, and operations to reduce the likelihood of the incident happening again.