
When incidents occur, effective response minimizes damage and enables recovery. Understanding response phases—containment, eradication, and recovery—prepares you to take appropriate action under pressure.
Containment limits incident scope while investigation proceeds. Different threats require different containment approaches.
Network isolation prevents lateral movement. Blocking the compromised host's traffic at the firewall, at the switch port (quarantine VLAN or ACL), or through the EDR agent's network-containment feature stops attacker progression. Keep the host powered on and reachable over a dedicated forensic path so it remains available for investigation; isolation should cut the attacker's access, not the responder's.
Account lockout prevents continued access through compromised credentials. Disabling the account blocks new logins, but a password reset on its own does not end sessions that already exist: revoke active sessions and tokens as well, and remember that Kerberos tickets already issued stay valid until they expire. Scope lockouts appropriately; disabling all domain accounts is rarely necessary.
Process termination stops active malicious activity. Killing malware processes ends their immediate impact, but it also destroys volatile evidence (decrypted payloads, in-memory configuration, open network connections), so capture memory first when possible.
Service shutdown affects availability and stops the attack through that service, but it does not remove persistence or other footholds, so it is containment rather than eradication. Taking applications offline during incidents trades business impact for certainty that the service is no longer being abused. Reserve this option for situations where other containment isn't sufficient.
Eradication removes threat presence from the environment. Systematic removal ensures attackers can't simply resume activity after containment lifts.
Malware removal cleans infected systems. Antivirus products remove known malware, but only what their signatures and behavioural rules recognise; forensic analysis identifies the additional artifacts (droppers, attacker tooling, modified binaries, web shells) that also require removal. Verification confirms systems are clean: rescan, compare file hashes against a known-good baseline, and watch for the same indicators reappearing.
Persistence mechanism elimination prevents reinfection after reboot. Scheduled tasks and cron jobs, registry Run keys, services, WMI event subscriptions, startup folders, systemd units, shell profile files, and SSH authorized_keys entries all require review and cleaning, because any one of them left behind lets the attacker return after the host is otherwise clean.
Credential reset invalidates captured passwords. If attackers obtained credentials, those credentials need changing, and that includes non-password secrets the attacker could have read: API keys, SSH keys, service-account passwords, and certificates. Scope credential resets based on investigation findings about what was accessed; if domain-wide credential theft is suspected (a domain controller or its NTDS.dit was reached), a broad reset including the krbtgt account is warranted.
Vulnerability remediation addresses initial access vectors. Patching exploited vulnerabilities, fixing misconfigurations, and improving controls prevents repeat incidents through the same path.
Recovery restores normal operations with confidence that threats are eliminated.
System restoration might involve cleaning and returning existing systems or rebuilding from scratch. Clean rebuilds provide higher confidence but take longer. Decision factors include incident severity and restoration speed requirements.
Data restoration from backups recovers destroyed or encrypted data. Backup integrity verification ensures restored data is uncompromised: check the hashes or signatures recorded at backup time against what is restored, and restore only from backups taken before the earliest known compromise. Attackers frequently encrypt, delete, or poison backups, and a backup taken during the intrusion can carry the attacker's artifacts straight back into the rebuilt environment.
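The backup checks above, as an added example that is not part of the original lesson. It assumes a backup job that writes a manifest of SHA-256 file hashes and signs it with an HMAC key held offline (so a compromised backup server cannot forge a clean manifest); the key, file contents, timestamps and the `make_manifest` stand-in for the backup tool are all constructed for this example. The verifier rejects a backup for any of three reasons: the manifest signature does not check out, the backup was taken on or after the earliest known compromise, or a restored file no longer matches its recorded hash.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Assumption for this example: the backup job signs its manifest with an HMAC key kept
# offline. The key below is a constructed placeholder; a real one lives in an HSM or vault.
MANIFEST_KEY = b"example-offline-manifest-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(body: str) -> str:
    return hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()


def make_manifest(taken_at: str, files: dict) -> tuple:
    """What the backup job emits at backup time (constructed stand-in for a real backup tool)."""
    manifest = {"taken_at": taken_at,
                "files": {path: sha256_hex(data) for path, data in sorted(files.items())}}
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return body, sign(body)


def verify_backup(body: str, sig: str, restored: dict, earliest_compromise: str) -> list:
    """Return the reasons this backup must not be restored; an empty list means it is safe."""
    # 1. The manifest itself must be authentic before any hash in it is trusted.
    if not hmac.compare_digest(sign(body), sig):
        return ["manifest signature invalid: hashes cannot be trusted"]
    manifest = json.loads(body)
    problems = []
    # 2. A backup taken during the intrusion can carry the attacker's artifacts back in.
    taken = datetime.fromisoformat(manifest["taken_at"])
    t0 = datetime.fromisoformat(earliest_compromise)
    if taken >= t0:
        problems.append(f"backup taken at {manifest['taken_at']} is not older than the earliest known compromise")
    # 3. Every restored file must match the hash recorded when the backup was made.
    for path, digest in manifest["files"].items():
        if path not in restored:
            problems.append(f"{path}: missing from restored set")
        elif sha256_hex(restored[path]) != digest:
            problems.append(f"{path}: hash mismatch, backup media altered")
    for path in restored:
        if path not in manifest["files"]:
            problems.append(f"{path}: not in manifest, unexpected file")
    return problems


# Constructed sample data: two config files, intrusion first observed on 3 March 2024.
CLEAN_FILES = {"/etc/nginx/nginx.conf": b"worker_processes 2;\n",
               "/var/www/index.html": b"<h1>hello</h1>\n"}
EARLIEST_COMPROMISE = "2024-03-03T08:58:31+00:00"


def demo() -> dict:
    """Run the verifier over one good backup and three ways a restore can go wrong."""
    good_body, good_sig = make_manifest("2024-03-01T02:00:00+00:00", CLEAN_FILES)
    late_body, late_sig = make_manifest("2024-03-04T02:00:00+00:00", CLEAN_FILES)
    tampered = {**CLEAN_FILES, "/var/www/index.html": b"<script src=//evil.example></script>\n"}
    forged_body = good_body.replace("2024-03-01", "2024-02-01")  # attacker backdates the manifest
    return {
        "clean": verify_backup(good_body, good_sig, CLEAN_FILES, EARLIEST_COMPROMISE),
        "post_compromise": verify_backup(late_body, late_sig, CLEAN_FILES, EARLIEST_COMPROMISE),
        "tampered_restore": verify_backup(good_body, good_sig, tampered, EARLIEST_COMPROMISE),
        "forged_manifest": verify_backup(forged_body, good_sig, CLEAN_FILES, EARLIEST_COMPROMISE),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

The signature check comes first on purpose: once an attacker can rewrite the manifest, every hash in it is theirs, so the timestamp and hash comparisons only mean something after the manifest has been authenticated with a key the backup server never held.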
Monitoring enhancement during recovery catches any remaining attacker activity. Heightened alerting and additional log review validate successful eradication.
Throughout response, documentation captures actions and findings. This record supports post-incident review, legal proceedings if necessary, and process improvement.
Timeline creation reconstructs incident progression. When did initial compromise occur? How did attackers move through the environment? When were they detected?
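The questions above are answered by lining up records from every source on one clock. The script below is an added example, not part of the original lesson: it takes constructed records from three sources (a syslog auth log with no year or zone, a web access log that carries its own offset, and an EDR export with epoch milliseconds), normalises each to UTC, sorts them, and computes the time from the earliest attacker activity to the first alert. The log lines, host names, the syslog year (2024) and the host's local zone (UTC+2) are all assumptions made for the example; getting those two assumptions wrong is exactly how real timelines end up with events in the wrong order.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records from three sources (not real logs).
AUTH_LOG = [  # syslog: no year, no zone, local time of the host
    "Mar  3 11:15:02 web01 sshd[2211]: Accepted password for deploy from 198.51.100.7 port 40211 ssh2",
    "Mar  3 11:16:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash",
]
ACCESS_LOG = [  # combined log format: the zone offset is in the line
    '198.51.100.7 - - [03/Mar/2024:10:58:31 +0200] "POST /upload.php HTTP/1.1" 200 512',
]
EDR_JSON = [  # vendor JSON export: epoch milliseconds, UTC
    '{"ts": 1709465700000, "host": "db01", "event": "lateral_movement", "detail": "psexec from web01"}',
    '{"ts": 1709470800000, "host": "db01", "event": "alert", "detail": "credential dumping detected"}',
]
LOG_YEAR = 2024                          # assumed: syslog omits the year
HOST_TZ = timezone(timedelta(hours=2))   # assumed: local zone of the syslog host


@dataclass(order=True)
class Event:
    when: datetime          # always UTC after parsing, so sorting is meaningful
    source: str
    host: str
    summary: str


SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_syslog(line):
    mon, day, clock, host, msg = SYSLOG_RE.match(line).groups()
    local = datetime.strptime(f"{LOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return Event(local.replace(tzinfo=HOST_TZ).astimezone(timezone.utc), "auth", host, msg)


def parse_access(line, host="web01"):  # host assumed: the access log does not name it
    ip, stamp, method, path, status = ACCESS_RE.match(line).groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(when, "web", host, f"{ip} {method} {path} -> {status}")


def parse_edr(line):
    rec = json.loads(line)
    when = datetime.fromtimestamp(rec["ts"] / 1000, tz=timezone.utc)
    return Event(when, "edr", rec["host"], f"{rec['event']}: {rec['detail']}")


def build_timeline(auth=AUTH_LOG, access=ACCESS_LOG, edr=EDR_JSON):
    """Normalise every record to UTC and return them in chronological order."""
    events = ([parse_syslog(l) for l in auth]
              + [parse_access(l) for l in access]
              + [parse_edr(l) for l in edr])
    return sorted(events)


def dwell_seconds(events):
    """Seconds from the earliest attacker activity to the first detection alert."""
    first = events[0].when
    detected = next(e.when for e in events if e.source == "edr" and e.summary.startswith("alert"))
    return int((detected - first).total_seconds())


if __name__ == "__main__":
    timeline = build_timeline()
    for e in timeline:
        print(f"{e.when.isoformat()}  {e.source:<4} {e.host:<6} {e.summary}")
    print(f"dwell time before detection: {dwell_seconds(timeline)} s")
```

Read in order, the merged timeline answers the three questions: the web upload at 08:58:31 UTC is the initial compromise, the SSH login and sudo on web01 followed by the EDR lateral-movement record on db01 show the path through the environment, and the alert at 13:00 UTC marks detection, roughly four hours later. Note that the access-log entry sorts first only because its +0200 offset was honoured; taken at face value its 10:58 stamp would have appeared after the 11:15 SSH login.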
Lessons learned analysis identifies improvements. What could have prevented this incident? What could have detected it earlier? What could have improved response efficiency?