Incident response basics

Topic: Security basics

Summary

When a security incident occurs, contain impact, preserve evidence, eradicate the cause, and recover. Have a plan and roles defined in advance; use runbooks for common scenarios. Use this when building or executing an incident response process.

Intent: How-to

Quick answer

  • Contain: limit further damage (isolate the host, revoke credentials, block attacker IPs or domains). Do not destroy evidence; take memory and disk images if needed before reimaging.
  • Preserve: collect logs, timelines, and artifacts; store them in a safe place. Document what you did and when so the timeline is clear for later analysis or legal proceedings.
  • Eradicate and recover: remove the cause (malware, backdoor, weak config); patch and harden; restore from a clean backup if needed. Then review and update controls to reduce recurrence.

Steps

  1. Detect and classify

    Confirm it is a security incident (not a normal failure). Classify severity and scope (single host, account, network). Assign an incident lead and start a timeline log.

  2. Contain

    Stop the spread: revoke compromised credentials, isolate affected systems, block malicious IPs or domains. Preserve evidence (logs, snapshots) before reimaging or wiping.

  3. Eradicate and recover

    Remove the cause: patch, remove malware, fix misconfig. Restore from known-good backup if necessary. Harden so the same vector cannot be used again.

  4. Post-incident

    Document what happened, what was done, and what was learned. Update runbooks, detection, and controls. Share lessons (blameless where appropriate) so the organization improves.
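Steps 1 through 4 all depend on a timeline log that is started at detection and on evidence that is fingerprinted before anything destructive happens. The following is an added example (not part of the original page): a hypothetical IncidentRecord helper that hash-chains each timeline entry to the previous one and records a SHA-256 of every artifact at collection time, so later edits to the record or to the evidence are detectable. It assumes an in-memory record; persisting it to write-once storage is left to the reader.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_bytes(data: bytes) -> str:
    """Content hash used for both evidence fingerprints and the timeline chain."""
    return hashlib.sha256(data).hexdigest()

class IncidentRecord:
    """Timeline log plus evidence register for one incident (hypothetical helper)."""

    def __init__(self, incident_id: str, lead: str):
        self.incident_id = incident_id
        self.lead = lead
        self.entries = []   # chained timeline entries, oldest first
        self.evidence = {}  # artifact name -> sha256 taken at collection time

    def log(self, phase: str, action: str, ts: str = "") -> dict:
        """Append a timeline entry; its hash covers the previous entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "phase": phase,  # detect / contain / preserve / eradicate / recover / review
            "actor": self.lead,
            "action": action,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_bytes(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def preserve(self, name: str, artifact: bytes) -> str:
        """Fingerprint an artifact (log export, disk or memory image) before any destructive step."""
        digest = sha256_bytes(artifact)
        self.evidence[name] = digest
        self.log("preserve", f"collected {name} sha256={digest}")
        return digest

    def verify_chain(self) -> bool:
        """Recompute every hash; False if an entry was edited or reordered.
        Store the latest entry_hash somewhere else (e.g. a ticket) to also detect truncation."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or \
               sha256_bytes(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```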

Verification

Incident is contained and resolved; evidence is preserved; cause is addressed; runbooks and controls are updated.

Troubleshooting

  • Unknown scope — Assume broader compromise until proven otherwise; revoke and isolate, then narrow.
  • No runbook — Follow contain, preserve, eradicate, recover; write a runbook after the incident.
