Summary


This chapter started by making a case for using an incident response methodology. Deploying this kind of methodology can impose structure and organization, result in greater efficiency, facilitate an understanding of the process of responding to incidents, enable those who use a methodology to better respond to unexpected events, and help in dealing with legal issues.

This chapter has presented the PDCERF methodology, one of several possible methodologies, but one that is time-proven and well accepted. The first stage is preparation for dealing with an incident. The second is detection: identifying that an incident has occurred or is occurring. The third is containment: limiting the potential that an incident will spread. The fourth stage is eradication of the cause of the incident, and the fifth stage is recovery: returning any compromised systems, applications, databases, and so forth to their normal mission status. The sixth and final stage involves follow-up activity, including reviewing the incident, deriving lessons learned, and gathering loss statistics for management and law enforcement purposes. Using an incident response methodology does not guarantee success, and incidents seldom go by the book. A methodology works only if it is customized according to an organization's needs.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
EAN: 2147483647
Year: 2002
Pages: 103
