What is one of the first actions you should take in the containment phase of incident handling?

Last Updated on February 9, 2022 by Admin 2

What is one of the first actions you should take in the containment phase of incident handling?

  • Provide the system administrator with input regarding disconnecting the system from the network, but leave the decision up to them
  • Provide management with incident details so they can decide whether or not to disconnect the system
  • Decide whether to remove the system from the network via a team vote. Be sure to include all involved
  • Leave the system on the network in order to watch the attacker and collect evidence
Explanation: 
You may have strong feelings about leaving the system on the network to catch the intruder, or getting it unplugged to contain the incident, but the decision always comes down to management. Be sure to provide them with input for both sides of the argument, but they will make the call.