27.2. What to Do After an Incident
There are a variety of things you'll need to take care of after
you finish responding to an incident. Don't relax just yet.
First and foremost, you want to figure out what happened and how to
keep it from happening again. Now is the time to examine the snapshot
you made of your system before you started the recovery process; it
preserves the evidence (modified binaries, altered configuration files,
missing logs) that the recovery itself will have overwritten. When
you've figured out what happened, take concrete steps to keep it from
happening again. You also need to think about anything you or others
did during the response (for example, enabling or disabling certain
software, or changing filters) that now needs to be undone, fixed, or
documented and made permanent.
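One way to start the "what happened" analysis from evidence rather than memory is to compare the pre-recovery snapshot against a manifest taken from a known-good install. The following is an added example, not code from the book: it assumes a hypothetical manifest format of one `<sha256> <mode> <path>` line per file (the hashes in the sample data are shortened placeholders, and both manifests are constructed inline), reports what was added, removed, or modified, and puts changes under system directories, deleted logs, and new setuid files at the top of the list.

```python
"""Compare the pre-recovery snapshot of a compromised host against a
known-good baseline manifest.

Added example, not code from the book. Both manifests are constructed sample
data in a hypothetical '<sha256> <mode> <path>' line format with shortened
placeholder hashes. A real manifest would come from something like
`find / -xdev -type f -exec sha256sum {} +` combined with `stat` output,
run on the host before recovery and on a trusted install of the same release.
"""
from dataclasses import dataclass

# Paths where changes deserve a look first: trojaned system binaries,
# altered configuration, and deleted logs are the classic findings.
CRITICAL_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/lib/", "/etc/", "/var/log/")


@dataclass(frozen=True)
class Entry:
    digest: str
    mode: str  # octal permission string as printed by stat, e.g. "0755" or "4755"


def parse_manifest(text: str) -> dict[str, Entry]:
    """Parse '<digest> <mode> <path>' lines; blank lines and '#' comments are skipped."""
    entries: dict[str, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # path is the remainder, so spaces in it survive
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<digest> <mode> <path>', got {raw!r}")
        digest, mode, path = parts
        if path in entries:
            raise ValueError(f"line {lineno}: duplicate path {path!r}")
        entries[path] = Entry(digest, mode)
    return entries


def diff_manifests(baseline: dict[str, Entry], snapshot: dict[str, Entry]) -> dict[str, list]:
    """Return files added, removed, and modified (content or permission bits) in the snapshot."""
    base_paths, snap_paths = set(baseline), set(snapshot)
    modified = []
    for path in sorted(base_paths & snap_paths):
        b, s = baseline[path], snapshot[path]
        reasons = []
        if b.digest != s.digest:
            reasons.append("content")
        if b.mode != s.mode:
            reasons.append(f"mode {b.mode}->{s.mode}")
        if reasons:
            modified.append((path, ", ".join(reasons)))
    return {"added": sorted(snap_paths - base_paths),
            "removed": sorted(base_paths - snap_paths),
            "modified": modified}


def triage(report: dict[str, list], snapshot: dict[str, Entry]) -> list[str]:
    """Order findings for the post-mortem: critical paths and new setuid/setgid files first."""
    findings = []
    for path in report["added"]:
        mode = snapshot[path].mode
        # A leading octal digit of 2, 4, 6 or 7 means setgid and/or setuid is set.
        privileged = len(mode) == 4 and mode[0] in "2467"
        urgent = privileged or path.startswith(CRITICAL_PREFIXES)
        findings.append((0 if urgent else 1, f"ADDED {path} (mode {mode})"))
    for path in report["removed"]:
        findings.append((0 if path.startswith(CRITICAL_PREFIXES) else 1, f"REMOVED {path}"))
    for path, why in report["modified"]:
        findings.append((0 if path.startswith(CRITICAL_PREFIXES) else 1, f"MODIFIED {path} ({why})"))
    findings.sort()  # priority 0 before 1, then by label
    return [label for _, label in findings]


# Constructed sample data: a trusted baseline and the snapshot taken before recovery.
BASELINE = """\
# baseline from a trusted install (constructed)
1a2b3c 0755 /bin/ls
4d5e6f 0755 /usr/bin/login
7a8b9c 0644 /etc/passwd
0d1e2f 0644 /etc/inetd.conf
3a4b5c 0755 /usr/sbin/sshd
6d7e8f 0644 /var/log/wtmp
"""

SNAPSHOT = """\
# pre-recovery snapshot of the compromised host (constructed)
1a2b3c 0755 /bin/ls
# login binary replaced, inetd.conf made world-writable, wtmp deleted
ffff01 0755 /usr/bin/login
7a8b9c 0644 /etc/passwd
0d1e2f 0666 /etc/inetd.conf
3a4b5c 0755 /usr/sbin/sshd
# new setuid shell hidden in /tmp, plus an unrelated user file
ffff02 4755 /tmp/.X11-unix/.sh
ffff03 0644 /home/ops/notes.txt
"""


def run_example() -> list[str]:
    """Diff the constructed manifests and return the triaged findings."""
    return triage(diff_manifests(parse_manifest(BASELINE), parse_manifest(SNAPSHOT)),
                  parse_manifest(SNAPSHOT))


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

A hash-and-mode comparison only shows *that* a file changed; deciding *how* it was changed (and whether the change was the intruder's or a responder's) still means looking at each flagged file, which is why the triage ordering matters when the list is long.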
In addition to analyzing the incident, this is the time to analyze
your response to the incident. In this phase, it's important to
concentrate on critiquing the response, not on assigning blame for
the original incident. Don't be confrontational, but do talk to the
people involved with, or affected by, the response. With them, try to
determine what you did right, what you did wrong, what worked and what
didn't, what other tools or resources would have helped, how to
respond better next time, and what you've all learned from the
experience.
If you made "incident in progress" notifications to
various people and organizations, now is probably the time to tell
them that the incident is over. Be sure to follow up with appropriate
information about what happened, how you responded, and how you plan
to keep it from happening again.