Understanding the incident isn’t the end — you must stop the bleeding, remove the attacker completely, restore safely, and make sure it can’t happen the same way again.
Why: containment stops the attacker from spreading or doing more damage (isolate hosts, disable accounts, block C2) while you investigate, and only then do you eradicate — remove every foothold — because eradicating too early can miss persistence and destroy evidence. When: contain fast to limit impact; eradicate thoroughly once you understand the full scope. Where: a partial eradication that leaves one backdoor means the attacker simply returns.
CONTAIN (stop the spread, preserve evidence):
isolate affected hosts (network quarantine) · disable compromised accounts
block C2 domains/IPs · revoke exposed keys/tokens
ERADICATE (remove the attacker COMPLETELY, only after scoping):
remove malware + ALL persistence · close the entry vector (patch/config)
reset credentials across the blast radius
Miss one foothold and they're back tomorrow. Scope fully before eradicating.Why: recovery restores normal operations — from known-good backups or rebuilt systems — but only after confirming the threat is gone, and with heightened monitoring to catch a return. When: validate that eradication worked before reconnecting, then restore and watch closely. Where: restoring a backup that predates the compromise (or still contains the backdoor) just reinfects you, so verification is essential.
RECOVER (return to normal, carefully):
[ ] restore from a KNOWN-GOOD backup (predating compromise, verified clean)
— or rebuild from a trusted image
[ ] confirm eradication held before reconnecting to the network
[ ] rotate all potentially-exposed credentials/keys
[ ] heightened monitoring for the attacker's return (they often retry)
[ ] validate business functions end-to-end before declaring "recovered"Why: the final phase turns a painful event into lasting improvement — a blameless postmortem that captures the timeline, root cause, and concrete action items so the same incident cannot recur the same way. When: hold it soon after recovery, while details are fresh; assign owners to every action. Where: skipping this guarantees repetition — the lessons phase is what makes the whole process compound into real resilience.
BLAMELESS POSTMORTEM (within days, while it's fresh):
- full TIMELINE: what happened, when, and how we responded
- ROOT CAUSE: the underlying cause, not just the symptom
- IMPACT: systems, data, users, downtime, cost
- ACTION ITEMS with owners + due dates:
detection gap? -> new rule (Threat Detection course)
entry vector? -> hardening fix (System Hardening course)
slow response? -> update the runbook
Blame the process, not people. The goal is that it can't recur the same way.