Lesson Progress
0% Complete

Initial Triage
Interview key individuals
Notify internal management chain (preliminary)
Determine if illegal activity is involved
Determine if inappropriate internal involvement
Ensure appropriate evidence collection and preservation

Collect volatile system data
Select initial containment strategy
Create backups of affected systems
Disconnect compromised systems
Analyze intruded systems
Analyze network traffic for signs of intrusion
Analyze application data for signs of intrusion
Research current attack intelligence and recent vulnerabilities
Look for signs of network sniffers
Look for modifications made to system software and configuration files
Look for tools and data left behind by the intruder
Determine an appropriate eradication or recovery strategy
Update internal management team as appropriate (assessment)

Notify legal counsel of any illegal or inappropriate activity
Notify constituents (status update)
Notify external parties as appropriate
Notify law enforcement
Recover affected systems
Harden and/or patch all other vulnerable systems
Remove temporary containment measures
Notify computer security organizations and resources
Notify HR
Notify public relations department
Review and respond to contractual obligations related to intrusion or loss of service

Notify internal management chain (resolution)
Notify constituents (resolution)
Properly dispose of incident information
Post-incident review
Generate incident report
Update policies and procedures