Online Courses
Cyber Incident Response

Determining status of infected/affected computing resources

What next?

  • Examine inventory of affected devices and resources

  • Start forensics to see if there are signs of exfiltration

  • Look for anti-forensics measures

  • Look for any signs of credential harvesting and horizontal movement

Malware

Remember, some malware changes its characteristics from one device to another

Look for patterns of behavior instead of focusing too much on specific ports, executable names, etc.

Be sure to revisit any threat intel concerning any discovered malware

  • Some behavior may not be apparent early on
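To make the "patterns of behavior" advice concrete, here is an added example (written for this page, not material from the course) that groups hosts by what a process did, rather than by its executable name or port. The telemetry, the `ProcessEvent` schema, the `INTEL_PROFILE` and all host names are constructed for the example.

```python
# Added example: grouping hosts by behaviour rather than by file name or port.
# Illustrative code written for this page, not material from the course.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One observed process start (constructed schema, not a real EDR format)."""
    host: str
    image: str               # executable name; changes from device to device
    parent: str              # process that spawned it
    remote_port: int         # port of the outbound connection, also changes
    wrote_persistence: bool  # created an autostart entry
    beacon_interval_s: int   # seconds between outbound connections, 0 if none


# Constructed telemetry: three hosts carry the same malware under different
# names and ports; one host runs a benign process on a similar port.
EVENTS = [
    ProcessEvent("ws-01", "svchost32.exe", "WINWORD.EXE", 443, True, 60),
    ProcessEvent("ws-02", "update.exe", "WINWORD.EXE", 8443, True, 60),
    ProcessEvent("ws-03", "a3f9c.exe", "WINWORD.EXE", 4444, True, 60),
    ProcessEvent("ws-04", "teams.exe", "explorer.exe", 443, False, 0),
]


def behavior_signature(event):
    """Keep only attributes the malware cannot easily vary between devices:
    the spawning parent, whether it persisted, and whether it beacons."""
    return (event.parent.lower(), event.wrote_persistence, event.beacon_interval_s > 0)


def group_by_behavior(events):
    """Hosts that share a behavioural signature end up in one group."""
    groups = defaultdict(set)
    for e in events:
        groups[behavior_signature(e)].add(e.host)
    return dict(groups)


def group_by_image(events):
    """The brittle alternative: grouping on the executable name alone."""
    groups = defaultdict(set)
    for e in events:
        groups[e.image.lower()].add(e.host)
    return dict(groups)


# A behavioural profile as it might be written up from threat intel,
# expressed in the same terms as the signature. Constructed for this example.
INTEL_PROFILE = {"parent": "winword.exe", "wrote_persistence": True, "beacons": True}


def hosts_matching_profile(events, profile):
    """Hosts whose observed behaviour matches the intel profile."""
    wanted = (profile["parent"], profile["wrote_persistence"], profile["beacons"])
    return sorted({e.host for e in events if behavior_signature(e) == wanted})


if __name__ == "__main__":
    print("by image:", group_by_image(EVENTS))
    print("by behaviour:", group_by_behavior(EVENTS))
    print("matches intel profile:", hosts_matching_profile(EVENTS, INTEL_PROFILE))
```

Grouping on the image name yields four singleton groups and hides the fact that three devices share one infection; grouping on the behavioural signature puts ws-01, ws-02 and ws-03 together and leaves the benign process on ws-04 alone. When threat intel for the discovered malware is revisited later, the profile dictionary is the place to add newly learned behaviour.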

Group devices

Make sure you separate devices that are known to be compromised versus the ones likely to have been compromised

Prioritize known devices and record their state in detail

Treat cloud-based devices as you would any other device

Contained

Continue all containment activities until all known compromised devices are contained

Continue to move likely candidates from "likely" to either "compromised/infected" or "not compromised/infected"

Once all devices or segments have been categorized and all compromised devices meet the organization's definition of containment, that phase is over

  • Remember, this is not a guarantee
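The "Group devices" and "Contained" steps above amount to bookkeeping over a device inventory: three categories, a priority order, a detailed state record per device, and an exit condition. The following added example (written for this page, not tooling from the course) tracks exactly that. The `ContainmentTracker` class, the `requires_all` containment definition and the device names are assumptions made for the example; an organisation would substitute its own definition of "contained".

```python
# Added example: bookkeeping for the containment phase.
# Illustrative code written for this page, not tooling from the course.
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    COMPROMISED = "compromised/infected"
    LIKELY = "likely"
    CLEAN = "not compromised/infected"


@dataclass
class Device:
    name: str
    status: Status
    cloud: bool = False                      # tracked the same way as any other device
    contained: bool = False
    actions: set = field(default_factory=set)  # containment actions applied so far
    state_log: list = field(default_factory=list)  # detailed record of observed state


def requires_all(required_actions):
    """Build a containment definition: a device is contained once every
    required action has been applied. Constructed example definition."""
    required = frozenset(required_actions)

    def is_contained(device):
        return required <= device.actions

    return is_contained


class ContainmentTracker:
    def __init__(self, containment_definition):
        self.is_contained = containment_definition   # the organisation's definition
        self.devices = {}

    def add(self, name, status, cloud=False):
        self.devices[name] = Device(name, status, cloud=cloud)

    def record_state(self, name, observation):
        """Record what was seen on a device (prioritised for known-compromised ones)."""
        self.devices[name].state_log.append(observation)

    def classify(self, name, status):
        """Move a 'likely' device to a definite category."""
        dev = self.devices[name]
        if dev.status is not Status.LIKELY:
            raise ValueError(f"{name} is already classified as {dev.status.value}")
        dev.status = status

    def apply_containment(self, name, action):
        """Apply one containment action; 'contained' is re-evaluated afterwards."""
        dev = self.devices[name]
        if dev.status is not Status.COMPROMISED:
            raise ValueError("containment actions are tracked for compromised devices only")
        dev.actions.add(action)
        dev.state_log.append(f"containment: {action}")
        dev.contained = self.is_contained(dev)

    def work_queue(self):
        """Known-compromised devices first, then likely candidates; clean ones drop out."""
        order = {Status.COMPROMISED: 0, Status.LIKELY: 1}
        pending = [d for d in self.devices.values() if d.status in order]
        return [d.name for d in sorted(pending, key=lambda d: order[d.status])]

    def phase_complete(self):
        """True when no device is still 'likely' and every compromised device
        meets the containment definition. This reflects the bookkeeping only;
        it is not a guarantee that nothing was missed."""
        devs = self.devices.values()
        no_unknowns = all(d.status is not Status.LIKELY for d in devs)
        all_contained = all(d.contained for d in devs if d.status is Status.COMPROMISED)
        return no_unknowns and all_contained


if __name__ == "__main__":
    tracker = ContainmentTracker(requires_all({"network isolated", "credentials reset"}))
    tracker.add("ws-01", Status.COMPROMISED)
    tracker.add("ws-02", Status.LIKELY)
    tracker.add("vm-cloud-7", Status.LIKELY, cloud=True)
    print("work queue:", tracker.work_queue())
    tracker.apply_containment("ws-01", "network isolated")
    tracker.apply_containment("ws-01", "credentials reset")
    tracker.classify("ws-02", Status.CLEAN)
    tracker.classify("vm-cloud-7", Status.COMPROMISED)
    print("phase complete:", tracker.phase_complete())  # still one uncontained device
```

The work queue keeps known-compromised devices ahead of likely ones, `classify` only ever moves a device out of "likely", and `phase_complete` stays false until every remaining compromised device satisfies the containment definition that was handed to the tracker.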
