Contain the Incident


Logically, containing the incident should be the first step in responding to a security incident. However, because of the cost of having systems or data unavailable and the time and effort involved, this step is often postponed until services and data are restored. Restoring data and services before understanding the cause of the problem can result in the problem recurring. This may turn into a lengthy process of repeatedly restoring the system until the problem is isolated. For most system administrators, this is the most interesting part of the problem.

Isolate the System

Close the machine to outside access. Remove the network connection to the machine and any other remote connections that can be used to provide access to the intruder. Remember, if the intruders sense that you are on to them, they may try to cover their tracks by destroying the file system of the machine.

Containment involves limiting the incident to those systems and data that have already been compromised. Minimizing the impact of an incident has to be the primary goal of any response plan and should be put into motion immediately.

Secure the System

Securing the system is composed of two parts: determining the cause and repairing the problem to avoid recurrence. Determining the cause can take a considerable amount of time and resources. Quite often the exact cause cannot be determined; rather, a list of possible causes will develop. In this case, all of these possible causes need to be addressed and all the related problems repaired.

Check the system for automated processes that do not belong on the system, such as processes set up to run automatically at a certain time or upon a specific alarm condition. Lock out all accounts that will not be used in the course of the investigation. All passwords on the system will have to be changed prior to resumption of normal activity. If a passworded account may have been the source of the attack, change the passwords on all the other accounts that user has on other systems, or lock out those accounts, to prevent possible abuse of the password elsewhere. Identify all files that have been modified or created in the time window in which the breach occurred. Check particularly for any modifications to files that control logins, trusted host access, and file system sharing or exporting.
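An added example (not code from the book) that turns the checks above into shell functions: files modified inside the breach window, trusted-host files with a "+" wildcard entry, and cron jobs whose command lives in /tmp or a hidden directory. It runs against a constructed fake root, so the paths, times, the "+ +" entries and the cron line are all sample data, and the cron and wildcard patterns are heuristics, not an exhaustive audit.

```shell
#!/bin/sh
# Added triage helpers (not the book's code). Assumes GNU/BusyBox touch -d and
# POSIX find; $ROOT stands in for the real "/" so the script is safe to run.
ROOT="${ROOT:-$(mktemp -d)}"

# Constructed sample root: breach window is 2002-05-02 00:00-06:00 (made up).
setup_sample_root() {
    mkdir -p "$ROOT/etc" "$ROOT/home/alice" "$ROOT/var/spool/cron/crontabs"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$ROOT/etc/passwd"
    printf '/home *(rw)\n'               > "$ROOT/etc/exports"
    printf '+ +\n'                       > "$ROOT/etc/hosts.equiv"   # any host, any user
    printf '+ +\n'                       > "$ROOT/home/alice/.rhosts"
    printf '0 3 * * * /tmp/.x/run.sh\n'  > "$ROOT/var/spool/cron/crontabs/alice"
    touch -d '2002-05-01 00:00' "$ROOT/etc/passwd" "$ROOT/etc/exports"       # before window
    touch -d '2002-05-02 02:30' "$ROOT/etc/hosts.equiv" "$ROOT/home/alice/.rhosts" \
                                "$ROOT/var/spool/cron/crontabs/alice"        # inside window
}

# Files under $1 modified inside the window ($2 .. $3): the "identify all
# files modified or created in the time window" step, via two reference files.
modified_in_window() {
    s=$(mktemp); e=$(mktemp)
    touch -d "$2" "$s"; touch -d "$3" "$e"
    find "$1" -type f -newer "$s" ! -newer "$e" | sort
    rm -f "$s" "$e"
}

# Trusted-host files (hosts.equiv, ~/.rhosts) containing a "+" wildcard entry,
# which trusts every remote host or user.
trusted_host_wildcards() {
    find "$1/etc" "$1/home" \( -name hosts.equiv -o -name .rhosts \) -type f \
        -exec grep -l '^[[:space:]]*+' {} + | sort
}

# Cron entries whose command lives in /tmp, /var/tmp or a hidden directory;
# a heuristic for scheduled jobs that do not belong on the system.
suspicious_cron_entries() {
    grep -Hn -E '(^|[[:space:]])/(var/)?tmp/|/\.[^/[:space:]]+/' \
        "$1"/var/spool/cron/crontabs/* 2>/dev/null
}

setup_sample_root
echo "== modified in window";     modified_in_window "$ROOT" '2002-05-02 00:00' '2002-05-02 06:00'
echo "== trusted-host wildcards"; trusted_host_wildcards "$ROOT"
echo "== suspicious cron";        suspicious_cron_entries "$ROOT"
```

On a real system, run the functions with `/` in place of `$ROOT` from a trusted toolset, since a compromised host's own find and grep may have been replaced.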

If you are planning to restore services or data prior to determining cause, it is best to take a complete "image" backup, including the entire disks, not just the files on the disk, so the cause can be determined at a later time.

Eradication is the removal of the cause of the incident. All systems affected must be examined for evidence of the incident. Any changes must be corrected and the system returned to its normal configuration. Additionally, any backup media of the affected systems should be examined to determine their state. Eradication involves a complete review of the system and may be time-consuming. Security tools may be used to speed the process.

Document Everything

The importance of documenting every step you take in recovery cannot be overstated. Recovering from a security incident can be a hectic and time-consuming process in which hasty decisions are often made. Documenting the steps you take in recovery will help prevent those hasty decisions and will give you a record of all the steps you took to recover, which will be useful for your future reference. Documenting the steps you take in recovery also may be useful if there is a legal investigation.

Documentation is critical to effective resolution and post-incident review of a security incident. The documentation should include the activities of the intruder as well as the activities of those who are attempting to repair the damage. Much of the documentation collected by automated systems can be very useful in the case of a security incident. However, it requires condensing and interpreting to isolate the information that is specific to the security incident and to make it comprehensible to those who need to be informed about the incident.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210