Incident Response Lifecycle Contain
Okay, the next step in our life cycle process is that we want to contain. By that we want to make sure that this activity, whatever the source of the incident is, doesn't spread to other computers that are currently unaffected. All right, so when we talk about containing, we look for two steps: we want to triage and then we want to isolate.

So when we talk about triage, we want to get a good understanding of what's going on. There might be multiple incidents happening or multiple scenarios playing out in front of us. So when we talk about triage, we're going in and we're trying to figure out which of the incidents, which of the events or activities, is the most severe, which is causing the greatest damage. So ultimately we're sorting, we're categorizing, and essentially we're prioritizing the various events that are going on so that we can direct our efforts at those events causing the greatest damage.

And again, that kind of goes back to criticality, so you can think about triage as sorting the ongoing events based on their criticality. Again, we're looking to direct your attention to those areas where we suffer the greatest loss first. OK, so we take what we know and then we prioritize. It doesn't mean that we know everything. We're not spending all our time here, but we're trying to get a quick understanding of where we need to direct our efforts first. And again, it's all about criticality, prioritizing based on criticality. That's triage.

Now, once we triage and we have a sense of where we're going to direct our efforts and where we potentially have the greatest loss, we want to isolate those affected systems and try to keep them away from the rest of the network and the rest of the environment.

Now, I want to be very careful here, because we want to isolate the infected system. We want to ideally protect the rest of the network. But there are steps that we have to take when we do isolate this system, especially if we're looking to collect evidence in such a manner that it will be admissible in court. So we don't want to just run around unplugging computer systems. Certainly that will limit the amount of damage on that system, and that will stop the network-based attack. But it will also erase all the evidence that's in RAM, that might be in registers or cache or whatever that may be.

Again, this is why preparation is so very important: that we have the procedures outlined, step by step, what is acceptable to do and what is not.

You know, usually when we talk about isolating a system, we're talking about pulling it off the network. Not unplugging the power and bringing down the system, but pulling the network cable, isolating it. If it's a segment, a group of computers, isolating that computer or those computers, maybe unplugging that segment from the router or the VLAN. Whatever that means, whatever may need to happen, we want to limit the damage that this attack has, and one of the ways is to isolate those affected systems and ideally contain the activity.
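The triage-then-isolate flow described above, written out as an added example (not code from this course): incidents are sorted by criticality, and the isolation plan for the top ones always captures volatile evidence before the network is cut, choosing host-level or segment-level isolation by scope. The asset tiers, host names and segment labels are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List

# Constructed criticality tiers for affected asset types; higher means greater potential loss.
ASSET_CRITICALITY = {"workstation": 1, "file-server": 3, "domain-controller": 5}

@dataclass
class Incident:
    name: str
    asset_type: str
    hosts: List[str]   # constructed host names
    segment: str       # constructed VLAN / segment label the hosts sit on
    spreading: bool    # is network-based activity still reaching other hosts?

def triage_score(inc: Incident) -> int:
    """Criticality of the asset times breadth of impact, doubled while still spreading."""
    score = ASSET_CRITICALITY.get(inc.asset_type, 1) * len(inc.hosts)
    return score * 2 if inc.spreading else score

def triage(incidents: List[Incident]) -> List[Incident]:
    """Sort ongoing incidents so the one causing the greatest loss is handled first."""
    return sorted(incidents, key=triage_score, reverse=True)

# Volatile state that powering off would erase; collect it before isolating.
VOLATILE_STEPS = ["capture RAM image", "record network connections", "record running processes"]

def isolation_plan(inc: Incident) -> List[str]:
    """Network isolation only (never pull the power), preserving volatile evidence first."""
    steps = list(VOLATILE_STEPS)
    if len(inc.hosts) == 1:
        steps.append(f"disconnect {inc.hosts[0]} from the network (pull cable / disable switch port)")
    else:
        steps.append(f"isolate segment {inc.segment} at the router/VLAN boundary")
    return steps

if __name__ == "__main__":
    queue = triage([
        Incident("phish-beacon", "workstation", ["ws17", "ws18", "ws21"], "vlan-10", False),
        Incident("ransomware-on-share", "file-server", ["fs01"], "vlan-20", True),
        Incident("dc-recon", "domain-controller", ["dc01"], "vlan-1", False),
    ])
    for inc in queue:
        print(inc.name, triage_score(inc), isolation_plan(inc))
```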