Marty Gillespie (mgg@dnaco.net)
Containment IV
• Consider removing the system from the subnet
– Consult the system owner
– Take into account the scope of the incident
• Has the intruder taken over the system, or just a user account?
• Will removing the system from the network cause more harm than good?
• Consider the attacker's level of expertise and how long the system has been compromised