# Determining status of infected/affected computing resources

## What next?

* Examine inventory of affected devices and resources
* Start forensics to see if there are signs of exfiltration
* Look for anti-forensics measures
* Look for any signs of credential harvesting and horizontal movement

## Malware

Remember, some malware changes its characteristics from one device to another

Look for patterns of behavior instead of focusing too much on certain ports, executable names, etc.

Be sure to revisit any threat intel concerning any discovered malware

* Some behavior may not be apparent early on

## Group devices

Make sure you separate devices that are known to be compromised from the ones that are likely to have been compromised

Prioritize known devices and record their state in detail

Treat cloud-based devices as you would others

## Contained

Continue all containment activities until all known compromised devices are contained

Continue to move likely candidates from "likely" to either "compromised/infected" or "not compromised/infected"

Once all devices or segments have been categorized and all compromised devices meet the organization's definition of containment, the containment phase is over

* Remember, this is not a guarantee
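
The grouping and exit check described above, as an added example that is not part of the original course notes: it tracks each device's category, queues known-compromised devices ahead of "likely" ones, and lists what still blocks closing the containment phase. The hostnames, the `Device` fields, and the `is_contained` rule (isolation plus credential rotation) are assumptions standing in for the organization's own definition of containment.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    COMPROMISED = "compromised/infected"
    LIKELY = "likely"
    NOT_COMPROMISED = "not compromised/infected"


@dataclass
class Device:
    name: str
    kind: str                    # "on-prem" or "cloud"; both are handled identically
    status: Status
    isolated: bool = False       # assumed containment control: network isolation
    creds_rotated: bool = False  # assumed containment control: credentials reset


def is_contained(d: Device) -> bool:
    """Assumed organizational definition of containment; substitute your own."""
    return d.isolated and d.creds_rotated


def work_queue(devices):
    """Known-compromised devices first, then the 'likely' ones awaiting a verdict."""
    order = {Status.COMPROMISED: 0, Status.LIKELY: 1}
    pending = [d for d in devices
               if d.status is Status.LIKELY
               or (d.status is Status.COMPROMISED and not is_contained(d))]
    return sorted(pending, key=lambda d: (order[d.status], d.name))


def containment_blockers(devices):
    """Reasons the containment phase cannot be closed yet; an empty list means it can."""
    blockers = []
    for d in work_queue(devices):
        if d.status is Status.LIKELY:
            blockers.append(f"{d.name}: still 'likely', needs a verdict")
        else:
            blockers.append(f"{d.name}: compromised but not contained")
    return blockers


# Constructed sample inventory (hostnames are made up).
INVENTORY = [
    Device("ws-014", "on-prem", Status.COMPROMISED, isolated=True, creds_rotated=True),
    Device("vm-api-2", "cloud", Status.COMPROMISED, isolated=True),
    Device("ws-022", "on-prem", Status.LIKELY),
    Device("db-01", "on-prem", Status.NOT_COMPROMISED),
]
```

An empty result from `containment_blockers` only says the recorded inventory meets the exit criteria; devices missing from the inventory are not covered by it.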

