Containment and eradication eliminate the threat: malware is quarantined or disabled, and the incident response team examines networks, applications, and systems for malicious or unusual activity to locate the problem. Together these steps limit the damage an incident causes, remove its source, and return affected systems and data to their pre-incident state. Failure to contain and eradicate an incident can lead to further disruption, loss, and harm to the organization. Containment means promptly isolating affected systems and services so that compromised systems and data cannot cause further damage; examples include disconnecting affected systems from the network, disabling user credentials, and restricting access to data.
Containment must also identify how the infection occurred and how it spread. The incident should be assessed across networks, systems, and services, and affected systems should be isolated or shut down. The incident response team should promptly identify and isolate the problem, along with any exploited entry points or vulnerable systems.
Once containment is in place, the incident response team can begin eradication and recovery. Eradication removes the root cause, which may require fixing vulnerabilities, removing malware, and correcting misconfigurations. Recovery restores systems and data, for example by restoring from backups, reinstalling software, or rebuilding systems. The scope of recovery depends on the severity and nature of the incident: severe incidents may require reinstalling systems, restoring data from backup, changing security measures, or reinstalling applications. Recovery should also restore any security controls that were found to be deficient or missing.