Definition

The incident response process has four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Preparation includes building malware-related skills, improving communications, and acquiring the necessary tools and resources. Detection and analysis involves analyzing incidents, validating that malware is the cause, identifying which hosts are involved, and prioritizing incident handling. Containment stops the spread of malware and prevents further damage; eradication removes malware from infected hosts; and recovery restores functionality and removes containment measures. Finally, post-incident activity consists of a comprehensive assessment of lessons learned.[1]
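As an added illustration of the detection-and-analysis phase described above (example code written for this page, not from NIST or the original article), the Python script below takes a constructed export of endpoint alerts, validates which ones point to malware by matching an assumed indicator list and the engine's own verdict, groups the alerts by host, ranks the hosts for handling, and derives a first containment action for each. The alert lines, hash values, host names and asset tiers are all made up for the example.

```python
"""Triage helper for the detection-and-analysis phase of malware incident response.

Added example: validates that alerts are malware-related, identifies the hosts
involved, and prioritizes handling. All data below is constructed for illustration.
"""
import json
from collections import defaultdict

# Assumed indicator list (placeholder hashes, not real malware samples).
KNOWN_BAD_SHA256 = {
    "1111aaaa",  # assumed: dropper hash from a threat-intel feed
    "2222bbbb",  # assumed: loader hash
}

# Assumed asset inventory: criticality of each host drives the base priority.
HOST_TIER = {"dc-01": "crown-jewel", "fs-01": "server",
             "ws-104": "workstation", "ws-237": "workstation"}
TIER_WEIGHT = {"crown-jewel": 100, "server": 50, "workstation": 10}

# Constructed EDR-style alert export (JSON lines); not real telemetry.
SAMPLE_ALERTS = """\
{"ts":"2024-05-01T10:02:11Z","host":"ws-104","event":"process","sha256":"1111aaaa","verdict":"unknown"}
{"ts":"2024-05-01T10:02:40Z","host":"ws-104","event":"persistence","sha256":"2222bbbb","verdict":"malicious"}
{"ts":"2024-05-01T10:05:03Z","host":"fs-01","event":"process","sha256":"1111aaaa","verdict":"unknown"}
{"ts":"2024-05-01T10:07:19Z","host":"dc-01","event":"network","sha256":"","verdict":"suspicious"}
{"ts":"2024-05-01T10:09:55Z","host":"ws-237","event":"process","sha256":"3333cccc","verdict":"suspicious"}
"""


def parse_alerts(text):
    """Parse JSON-lines alerts; skip blank or malformed lines rather than abort triage."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def malware_evidence(alert, iocs=KNOWN_BAD_SHA256):
    """Return the reasons this alert confirms malware; empty list means only suspicious."""
    reasons = []
    if alert.get("sha256") in iocs:
        reasons.append("ioc-hash:" + alert["sha256"])
    if alert.get("verdict") == "malicious":
        reasons.append("engine-verdict")
    return reasons


def triage(alerts, iocs=KNOWN_BAD_SHA256, tiers=HOST_TIER):
    """Group alerts by host, mark hosts with confirmed malware, and order them for handling.

    Score = tier weight + 20 per alert with confirming evidence + 30 if persistence was seen.
    Confirmed infections are listed first because containment depends on that validation;
    unconfirmed hosts follow, ordered by asset criticality, as the analysis queue.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    rows = []
    for host, items in by_host.items():
        evidence = [r for a in items for r in malware_evidence(a, iocs)]
        tier = tiers.get(host, "workstation")
        score = TIER_WEIGHT[tier]
        score += 20 * sum(1 for a in items if malware_evidence(a, iocs))
        if any(a.get("event") == "persistence" for a in items):
            score += 30
        rows.append({"host": host, "tier": tier, "confirmed": bool(evidence),
                     "evidence": evidence, "alerts": len(items), "score": score})
    # Ties broken by host name so the ordering is deterministic.
    rows.sort(key=lambda r: (not r["confirmed"], -r["score"], r["host"]))
    return rows


def containment_plan(rows):
    """Map each host to a first action: isolate confirmed hosts, keep analyzing the rest."""
    return {r["host"]: ("isolate-network" if r["confirmed"] else "collect-triage-artifacts")
            for r in rows}


if __name__ == "__main__":
    ranked = triage(parse_alerts(SAMPLE_ALERTS))
    for r in ranked:
        print(f"{r['host']:8} {r['tier']:12} score={r['score']:3} "
              f"confirmed={r['confirmed']} {r['evidence']}")
    print(containment_plan(ranked))
```

Run the file directly to print the ranked hosts. In the constructed data the two hosts with indicator matches come first and are slated for network isolation, while the domain controller, which only has a suspicious alert, still scores highest among the unconfirmed hosts and so is the first to get further artifact collection rather than being isolated on an unvalidated signal.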

References

  1. Information Technology Laboratory, "ITL Publishes Guidance on Preventing and Handling Malware Incidents" (Sept. 2013), at 2.