After this lesson, you will be able to: Apply short- and long-term containment, remove threats fully, and preserve forensic evidence in the process.
Once you know there's an incident, your next decisions matter most. Move too fast and you destroy evidence. Too slow and the attacker spreads. This lesson covers the calculus.
Short-term, stop the immediate damage (isolate host from network, disable account, kill process). Long-term, prevent re-entry while you investigate (firewall rules, credential resets, segmentation). Don't skip straight to nuke-and-pave, without the long-term step, the attacker often returns through the same door.
Remove malware, persistence mechanisms (scheduled tasks, registry keys, cron jobs), backdoor accounts. Rotate all credentials the attacker may have touched. Patch the vulnerability that let them in, otherwise the next attacker walks through it. Re-image rather than 'clean' when possible.
Containing only what's been confirmed compromised, the attacker is usually further than you think. Forgetting non-Windows systems (Linux, cloud, SaaS). Resetting only one user when others were touched. Eradicating malware but leaving the attacker's persistence (a new scheduled task, a webshell file).
Choose the right call.
Sign in and purchase access to unlock this lesson.