Responding to an Incident

Knowing in advance the steps you will need to follow when responding to an incident will make you better prepared for the task when it arises. Outlining the steps in a plan or procedure that can be quickly and easily followed will lessen the chance that crucial pieces of data are overlooked.

When responding to an incident, never lose sight of the primary goal. If that goal is to restore control of the system as quickly as possible, you should not spend an inordinate amount of time gathering evidence. If the goal is to limit the extent of the damage while possibly pursuing the attacker, make sure to create images, backups, and a chain of custody to develop a solid set of evidence. A best practice is to have a redundant ...

Get Intrusion Detection with Snort now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.