As the full-incident response team assembles, they move from the isolation and quarantine strategy used by first responders into a full-incident mitigation mode designed to control the damage and loss caused to the organization by performing a full range of incident containment activities. In this video, Mike Chapple explains the process of incident mitigation, including damage and loss control.
- [Instructor] As the full incident response team assembles, they move from the isolation and quarantine strategy used by first responders into a full incident mitigation mode. The goal of this next step is controlling the damage and loss caused to the organization by performing a full range of incident containment activities. The nature of those activities will vary based upon the severity of the incident. The National Institute for Standards and Technology suggests six criteria that responders may use when evaluating a potential containment strategy. First, they should look at the potential for damage and theft of resources. Second, they should look at the need for evidence preservation and the effect that the strategy might have on the ability to preserve evidence. Third, they should look at service available requirements and the impact of a containment strategy on that availability. Fourth, they need to look at the time and resources required to implement the strategy. Fifth, the expected effectiveness of the strategy. Will it fully contain the incident, or is it only a partial fix? And finally, they need to look at the length of time that the solution will remain in place. Organizations can use these criteria to help choose between different containment options. The goal is to select a containment strategy that balances the business needs of the organization with the security objectives of incident response. This is a tricky balance to strike and there are no certain answers. Incident responders will always need to use their best judgment, and when possible, seek input from management and other stakeholders. Once an organization begins implementing containment actions, responders must keep in mind that the attacker will likely detect those actions and know that investigators are on the trail. This may cause the attacker to speed up their activities, destroy evidence, or perform other actions that are detrimental to the incident response or the organization's business. At the end of the containment process, the organization should be in a semi-stable state. Responders should be confident that the incident is over and that there is no immediate danger to the organization. Business operations should be functioning at least on a limited basis, although they may be using temporary workarounds. Everything is generally okay, and the organization is ready to move on to the next step of the process, recovery and reconstitution.
We are a CompTIA Partner. As such, we are able to offer CompTIA exam vouchers at a 10% discount. For more information on how to obtain this discount, please download these PDF instructions.