Following best practices for security incident response is so important that the general steps have been codified by NIST (in SP 800-61, the Computer Security Incident Handling Guide) as a four-phase lifecycle, replicated here:

[Figure: NIST incident response lifecycle diagram (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity)]

The simplicity of the diagram hides many of the challenges facing security incident responders:

  • Preparation requires incident response professionals to study and track all the assets they are protecting.
  • Detection and Analysis requires coordination among many team members, each with subject-matter expertise on one or more “commercial-off-the-shelf” (COTS) products and solutions.
  • Containment, Eradication and Recovery is only as complete as the detection and analysis that preceded it: any foothold the analysis missed survives eradication, and advanced malware is designed to evade discovery, sometimes hiding for weeks or months on infected hosts.
  • Post-incident Activity involves tuning procedures and shoring up defenses, all of which can be expensive or controversial.