In this chapter, we looked at the procedures that you should follow
in the event that you suffer a break-in.
The most important thing to do is to have an objective and a plan of
action. Do you want to get your computer operational as fast as
possible, or do you want to collect evidence for prosecution? Do you
hope that you are lucky? Do you want the attacker to go away and
leave you alone? It's best to have answers to these
questions formulated before you suffer an attack, rather than try to
come up with answers while you are under pressure.
More important than confronting the intruder is figuring out how to
clean up after the fact. How did the intruder get in? Find out.
Document. Close the hole. If you don't,
you're sure to have more intruders in the future.
Finally, if you can do it, report the intrusion and share your
documentation with others. We know that attackers work together: they
exchange tips, techniques, and tools. Defending against these
well-networked attackers will take an equally effective network of