22.5 Summary
In this chapter, we looked at the procedures that you should follow
in the event that you suffer a break-in.
The most important thing to do is to have an objective and a plan of
action. Do you want to get your computer operational as fast as
possible, or do you want to collect evidence for prosecution? Do you
hope that you are lucky? Do you want the attacker to go away and
leave you alone? It's best to have answers to these
questions formulated before you suffer an attack, rather than try to
come up with answers while you are under pressure.
More important than confronting the intruder is figuring out how to
clean up after the fact. How did the intruder get in? Find out.
Document. Close the hole. If you don't,
you're sure to have more intruders in the future.
Finally, if you can do it, report the intrusion and share your
documentation with others. We know that attackers work together: they
exchange tips, techniques, and tools. Defending against these
well-networked attackers will take an equally effective network of
security professionals.