Response Step 4

The technical steps required to respond to any attack are essentially the same, regardless of the business or the purpose of the attacked system.
Stop It: An infected system needs to be taken off the Internet immediately to prevent further spread.
Learn From It: Before you clean up an infected system, find out how it was compromised. Log files are a big help in detecting what happened. System snapshot tools also can be extremely useful.
Remove It: After you've figured out how a system was compromised, you need to remove worms or exploit programs and possibly even wipe the system clean. Some worms can be removed by deleting a single file, but others infect a large number of files on a system. Look to the Web sites of security vendors and organizations such as The SANS Institute for detailed information on removing worms or closing security holes.
Fix It: Patches must be applied or workarounds implemented to prevent future attacks.
React to It: The toughest part is dealing with the internal management and external agencies involved. Draft a written policy on how intrusions will be handled and who should be notified after one takes place.
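The "Learn From It" step above hinges on capturing evidence before anything is cleaned. The script below is an added example, not from the original article: it records volatile state, copies the log tree, and writes a SHA-256 manifest so the captured evidence can later be shown to be unmodified. It assumes GNU coreutils (sha256sum) and procps (ps); the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: preserve evidence from an infected host BEFORE cleaning it up.
# Assumes GNU coreutils (sha256sum) and procps (ps); ss is optional.
set -eu

# snapshot_evidence SRC_LOG_DIR DEST_DIR
# Records volatile state, copies the log tree, and writes a SHA-256 manifest
# so the captured evidence can later be shown to be unmodified.
snapshot_evidence() {
    src="$1"; dest="$2"
    mkdir -p "$dest/logs"
    # Volatile state first: it is gone once the box is rebooted or wiped.
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dest/collected_at.txt"
    ps -ef > "$dest/processes.txt" 2>/dev/null || true
    command -v ss >/dev/null && ss -tulpn > "$dest/sockets.txt" 2>/dev/null || true
    # Copy logs with timestamps preserved (-p); analyse the copy, not the live files.
    cp -pR "$src"/. "$dest/logs/"
    # Hash every captured file so later tampering or accidental edits are detectable.
    (cd "$dest" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + | sort -k2) \
        > "$dest/MANIFEST.sha256"
    echo "$dest/MANIFEST.sha256"
}

# verify_snapshot DEST_DIR: succeeds only if every captured file still matches its hash.
verify_snapshot() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null)
}

# Constructed demo: a two-file stand-in for the infected host's /var/log.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/varlog"
    printf 'Jul 19 02:14:07 host sshd[812]: Accepted password for admin from 192.0.2.10\n' \
        > "$work/varlog/auth.log"
    printf 'Jul 19 02:15:30 host kernel: device eth0 entered promiscuous mode\n' \
        > "$work/varlog/messages"
    manifest=$(snapshot_evidence "$work/varlog" "$work/evidence")
    verify_snapshot "$work/evidence" && echo "evidence captured and intact: $manifest"
}

demo
```

Run the verification again after the post-mortem is written; a failing manifest check means the captured copy is no longer trustworthy as a record of what happened.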
Responding to security breaches involves not only stopping attacks but also learning from the experience to prevent future attacks.