CertiGuide to Security+ - Chapter 3: Infrastructure Security (Domain 3.0; 20%) - 3.4 Intrusion Detection - 3.4.4 Incident Response

Six-Step Incident Response Process

The NSWC Dahlgren Computer Security Incident Handling Guidelines345 describe incident response as a six-step process:

  1. Preparation: Setting up systems to detect threats and policies for dealing with them, including identifying roles staff will play in incident response, and creating emergency contact lists.

  2. Identification: Determining what the threat is and/or what effect it is having on your systems and networks. Keep records of the time, the systems involved and what was observed, and make a full system backup as soon as possible after the intrusion is observed, to preserve as much information about the attack as you can. A bit-for-bit image preserves deleted files and slack space that a file-level backup would lose.

  3. Containment: Limiting the effects of an incident by confining the problem to as few systems as possible, and freezing the scene so that nothing further happens to the compromised system(s), by disconnecting their network connections and possibly the console keyboard. Pulling the network cable is preferable to powering the system off, which destroys whatever evidence is held in memory.

  4. Eradication: Removing whatever the attacker may have compromised, by deleting files or doing a complete system reinstall. We cannot stress enough that you should err on the side of deleting MORE rather than less before returning a system to production: the intruder may have left very well-disguised Trojan Horse binaries around the system, to be activated once it is reconnected to the Internet. A reinstall from trusted media, or at minimum a comparison of every system binary against known-good hashes, is the only way to be sure they are gone.

  5. Recovery: Getting back into business by putting the system back into normal operation, reconnecting it to the network, restoring from backups taken before the compromise if necessary, etc.

  6. Follow-up: If possible, tightening security so that the same intrusion cannot happen again; determining the “cost” of the intrusion from staff time, lost data and lost user work time (don’t skip this; it may help justify security expenditures in the future); considering which additional tools, if any, might have helped handle the incident better; and reflecting on the “lessons learned” from both the intrusion and the organization’s response to it, tweaking policies as required.

SANS offers an incident response publication dealing with these six phases in detail346.

The very first thing to do is to secure access to the involved devices, both to protect against further damage and to preserve evidence. The critical theme is: do not destroy evidence by changing anything! Legal cases have been hampered, and even lost, because well-meaning system administrators “did the wrong thing” in the name of “preservation of evidence.” Report any suspicious incident to upper management.
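As an added example (not from the CertiGuide text or the NSWC guidelines), the following POSIX shell script shows the evidence-preservation step in working form: a bit-for-bit copy of the affected disk, a hash of source and copy so that a bad acquisition is caught immediately, and an append-only chain-of-custody record of who imaged what, when, and with which digest. The function names, the tab-separated log layout and the case identifier are assumptions. A real acquisition would read a block device such as /dev/sdb taken from a contained (ideally powered-down and write-blocked) system rather than a live, mounted filesystem, and would write the image to a separate drive.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the CertiGuide or NSWC text):
# preserve evidence during the Identification step by imaging a disk,
# hashing source and image, and recording a chain-of-custody entry.
set -eu

# Print the bare SHA-256 hex digest of a file. GNU coreutils provides
# sha256sum; BSD/macOS systems provide shasum instead.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOG [CASE_ID]
# Copies SOURCE (a block device such as /dev/sdb, or a file) bit-for-bit to
# IMAGE, appends a tab-separated custody record to LOG, and returns 0 only
# if the image hash matches the source hash.
acquire_image() {
    src=$1; img=$2; log=$3; case_id=${4:-UNSPECIFIED}

    # Timestamp (UTC, ISO 8601) taken before anything is touched.
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # Bit-for-bit copy. The evidence is only ever the if= operand; swapping
    # if= and of= would overwrite it. conv=sync is deliberately not used:
    # it pads the final short block with zeros and the hashes would then
    # disagree. A disk with real read errors needs a tool such as GNU
    # ddrescue that records unreadable sectors without shifting offsets.
    dd if="$src" of="$img" bs=65536 2>/dev/null

    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    if [ "$src_hash" = "$img_hash" ]; then result=VERIFIED; else result=MISMATCH; fi

    # Append-only custody record: case, start, end, host, operator, source,
    # image, digest, result. Anyone holding this line can later prove the
    # image is unchanged by recomputing the digest.
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$case_id" "$started" "$finished" "$(uname -n)" "${USER:-unknown}" \
        "$src" "$img" "$img_hash" "$result" >> "$log"

    [ "$result" = VERIFIED ]
}

# verify_image IMAGE LOG
# Recomputes the digest of IMAGE and compares it with the digest recorded
# for that image in LOG (the most recent matching record wins). Returns 0
# when they agree, 1 if the image has changed or was never logged.
verify_image() {
    img=$1; log=$2
    expected=$(awk -v img="$img" 'BEGIN { FS = "\t" } $7 == img { h = $8 } END { print h }' "$log")
    [ -n "$expected" ] || return 1
    actual=$(sha256_of "$img")
    [ "$expected" = "$actual" ]
}
```

Typical use on a contained machine is `acquire_image /dev/sdb /mnt/evidence/case-001-sdb.img /mnt/evidence/custody.log CASE-001`, followed months later, before analysis or court, by `verify_image /mnt/evidence/case-001-sdb.img /mnt/evidence/custody.log`. The custody log should live on media that the compromised system never had write access to, and the digest should be copied into the incident record independently of the file, since an attacker who can edit the log can also edit the recorded hash.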

Incident Response: Step-by-Step

The six steps to incident response are preparation, identification, containment, eradication, recovery, and follow-up.

When an incident is detected, the first thing to do is secure access to the involved devices: unplug them from the network, lock any involved terminals or systems, and so on. Be careful not to destroy evidence by changing anything, in case the incident eventually ends up in a courtroom.

Also be sure to report any suspicious incidents to upper management. They need to know when intrusions have occurred, particularly if financial aspects of the business may be affected.

Incident Response Planning

Does your organization have a computer security incident response policy? If so, do you know what it is? If not, consider sketching one out and seeking approval for it, so that you know in advance what to do if you need to react on short notice someday. As noted above, the SANS guide to incident response is a helpful starting point for planning. Again, we can’t stress enough that you should think about this in advance. Being prepared lets you respond in ways that get things back to “business as usual” as quickly as possible without destroying important evidence, and that let you understand the threat you faced, so that you can better protect yourself against similar threats in the future.


345. “NSWC Dahlgren Computer Security Incident Handling Guidelines”, February 2002.

CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.