1) Be prepared for incident response. Tools, techniques, team members and training must all be in place before an incident occurs, not assembled while you are responding to one. Corporate policies, procedures and guidelines for response also need to be established and approved in advance, so that responders know what they are authorized to do.
2) Properly identify the incident. Is the event simply unusual activity, or can it be identified as suspicious? If so, what are the surrounding activities? Are there multiple reports of issues on the network, or is it confined to one machine or location? Some of the areas to check include suspicious entries in system or network accounting logs, unexplained new user accounts and unexplained new or modified files, which is only possible if you have a known-good baseline to compare against.
3) Contain the incident and its effects. Change passwords for elevated-privilege accounts and review computer trust relationships as quickly as possible once an incident is identified. Where prosecution is a possible outcome, preserve evidence (disk images, memory, logs) before making changes that would alter it. Protect the critical information resources and, where possible, keep them available to their primary users.
4) Remove the issue as soon as is realistically possible. Update and run your antivirus and anti-spyware tools. Review the operating system and, if its integrity is in doubt, rebuild it from trusted media; where a privileged compromise is suspected, rebuilding is the only reliable way to be sure the attacker's changes are gone. Remove malicious software using approved removal tools.
5) Return the affected system to operational use as soon as feasible, and monitor it closely afterwards for signs that the compromise has recurred. Remember that there are two areas of focus for incident response: recovery and, potentially, prosecution.
6) Follow up with the responders to identify improvements to the process, and check with the operational staff in the areas where data or information was compromised.
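As an added illustration of the identification checks in step 2 (this script is not part of the original article and is not the author's own tooling), the following POSIX shell compares a baseline captured during preparation against the current state of a host and reports new accounts, extra UID 0 accounts, and new or modified files. The account and file manifests are constructed sample data so the example runs offline; on a real host the baseline would be taken from /etc/passwd and a checksum tool such as sha256sum, stored off the box, and the current state collected the same way.

```shell
#!/bin/sh
# Added example (not from the original article): compare a pre-incident
# baseline against the current state to surface the "unexplained new user
# accounts" and "unexplained new files" that step 2 says to look for.
# All snapshots below are constructed sample data.

# Constructed baseline: passwd entries captured during preparation.
BASELINE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed current state: two accounts not in the baseline, one of
# which has been given UID 0 (a second root).
CURRENT_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:1001:1001:Support:/home/support:/bin/bash
sysadm:x:0:0::/:/bin/sh'

# Constructed file manifests in "digest  path" form (digests are made up).
BASELINE_MANIFEST='3f786850e387550fdab836ed7e6dc881de23001b  /usr/local/bin/backup.sh
89e6c98d92887913cadf06b2adb97f26cde4849b  /usr/local/bin/rotate.sh'
CURRENT_MANIFEST='3f786850e387550fdab836ed7e6dc881de23001b  /usr/local/bin/backup.sh
0a4d55a8d778e5022fab701977c5d840bbc486d0  /usr/local/bin/rotate.sh
d3b07384d113edec49eaa6238ad5ff00e7f4e2b1  /usr/local/bin/.x'

# new_accounts BASELINE CURRENT: print usernames present now but absent
# from the baseline. The baseline is read first (NR == FNR) to build the
# set of known names; the current state is then read from stdin ("-").
new_accounts() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    printf '%s\n' "$2" | awk -F: '
        NR == FNR { seen[$1] = 1; next }
        !($1 in seen) { print $1 }' "$tmp" -
    rm -f "$tmp"
}

# uid0_accounts CURRENT: print any account other than root with UID 0.
# New accounts are one signal; privilege given to any account is another.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# changed_files BASELINE CURRENT: print files that are new or whose digest
# differs from the baseline, one "new PATH" or "modified PATH" per line.
changed_files() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    printf '%s\n' "$2" | awk '
        NR == FNR { base[$2] = $1; next }
        !($2 in base) { print "new " $2; next }
        base[$2] != $1 { print "modified " $2 }' "$tmp" -
    rm -f "$tmp"
}

printf 'Accounts not in baseline:\n%s\n\n' "$(new_accounts "$BASELINE_PASSWD" "$CURRENT_PASSWD")"
printf 'Non-root UID 0 accounts:\n%s\n\n' "$(uid0_accounts "$CURRENT_PASSWD")"
printf 'File changes since baseline:\n%s\n' "$(changed_files "$BASELINE_MANIFEST" "$CURRENT_MANIFEST")"
```

Two caveats a responder would keep in mind: the baseline is only useful if it was captured before the incident and kept where the attacker could not alter it, and on a host that is suspected of privileged compromise the local awk, sh and checksum binaries themselves may have been replaced, so the comparison should be run from trusted media or against a copy of the data pulled off the box.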
PS: Leighton Johnson, CISA, CISM, CISSP, CIFI, is a senior security consultant for the Information Security & Forensics Management Team.