Incident response process

Definition
The incident response process "has four steps: preparation, detection and analysis, containment or eradication and recovery, and post-incident activity. Preparation includes building malware-related skills, improving communications, and acquiring the necessary tools and resources. Detection and analysis involves analyzing incidents and validating that malware is the cause, identifying which hosts are involved, and prioritizing incident handling. Containment includes stopping the spread of malware and preventing further damage; eradication removes malware from infected hosts; and recovery involves restoring functionality and removing containment measures. Finally, post-incident activity consists of conducting a comprehensive assessment of lessons learned."