Exam Essentials
Containment activities seek to limit the impact of an incident. After identifying a potential incident in progress, responders should take immediate action to contain the damage. They should select an appropriate containment strategy based on the nature of the incident and on the impact that both the incident and the containment measures themselves will have on the organization (taking a system offline stops the attacker but also stops the business process it supports). Potential containment activities include network segmentation, isolation of affected systems, and removal of affected systems from the network.
Evidence not collected during a response may disappear. Much of the evidence of a cybersecurity incident is volatile in nature (memory contents, running processes, network connections) and will not be available later if it is not collected during the response. CSIRT members must determine the priority that evidence collection will take during the containment, eradication, and recovery phase, collect the most volatile data first, and then ensure that they properly handle any collected evidence, documenting its integrity and chain of custody, so that it can later be used in legal proceedings.
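The following is an added example, not code from this book, that shows the two habits the point above describes: collecting artifacts most-volatile-first (the order from RFC 3227) and hashing each artifact at the moment of capture so that a chain-of-custody manifest can later prove the evidence was not altered. The collector names, the `analyst.jane` and `evidence.locker` holders, and the sample collector output are all constructed for illustration; in a real response the collectors would wrap acquisition tooling such as a memory dumper or `ss -tanp`.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field, asdict

# Collection order follows the order of volatility (RFC 3227): most
# volatile first, so the data most likely to vanish is captured first.
ORDER_OF_VOLATILITY = ["memory", "network_connections", "running_processes",
                       "disk_image", "logs"]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    name: str
    sha256: str
    collected_at: float
    collector: str
    custody: list = field(default_factory=list)


def collect(collectors: dict, collector_name: str):
    """Run each collector in order of volatility, hash its output at the
    moment of capture, and open the chain-of-custody record.
    Collectors missing from the dict are skipped."""
    artifacts, manifest = {}, []
    for name in ORDER_OF_VOLATILITY:
        fn = collectors.get(name)
        if fn is None:
            continue
        data = fn()
        now = time.time()
        item = EvidenceItem(name, sha256(data), now, collector_name)
        item.custody.append({"action": "collected", "holder": collector_name,
                             "at": now})
        artifacts[name] = data
        manifest.append(item)
    return artifacts, manifest


def transfer(item: EvidenceItem, from_holder: str, to_holder: str) -> None:
    """Record a hand-off; every holder of the evidence must be documented."""
    item.custody.append({"action": "transferred", "from": from_holder,
                         "to": to_holder, "at": time.time()})


def verify(artifacts: dict, manifest: list) -> dict:
    """Recompute each hash; a mismatch means the artifact was altered
    (or lost) after collection."""
    return {item.name: sha256(artifacts.get(item.name, b"")) == item.sha256
            for item in manifest}


def manifest_json(manifest: list) -> str:
    """Serialize the manifest for storage alongside the evidence."""
    return json.dumps([asdict(i) for i in manifest], indent=2)


# Constructed sample collectors standing in for real acquisition tooling.
# The output bytes are made up for this example (assumption, not real data).
SAMPLE_COLLECTORS = {
    "running_processes": lambda: b"PID USER CMD\n1 root /sbin/init\n"
                                 b"4242 www-data /bin/sh -c id\n",
    "network_connections": lambda: b"ESTAB 10.0.0.5:44123 203.0.113.9:4444\n",
    "logs": lambda: b"Mar  3 02:14:07 web01 sshd[881]: Accepted password "
                    b"for deploy\n",
}

if __name__ == "__main__":
    evidence, manifest = collect(SAMPLE_COLLECTORS, "analyst.jane")
    transfer(manifest[0], "analyst.jane", "evidence.locker")
    print(manifest_json(manifest))
    print(verify(evidence, manifest))
```

Because `memory` and `disk_image` have no collector in the sample, the manifest records network connections first, then processes, then logs; any later change to an artifact shows up as a `False` entry from `verify`, which is exactly the check a court or opposing counsel will ask for.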
Identifying attackers can be a waste of valuable resources. Most efforts to identify the perpetrators of security incidents are futile,...