U.S. Department of Health and Human Services
There is a delicate balance between preserving evidence from an incident and containing the incident to prevent further impact. Containment actions can themselves destroy evidence (for example, powering off a compromised host stops the attacker but discards volatile data such as memory contents and active network connections), and if evidence is destroyed it may be difficult to determine the root cause or to prosecute the attacker.
Containment strategies vary based on the type of incident. Criteria for determining the appropriate strategy include:
Potential damage to and theft of resources;
Need for evidence preservation;
Service availability (e.g., network connectivity, services provided to external parties);
Time and resources needed to implement the strategy;
Effectiveness of the strategy (e.g., partially contains the incident, fully contains the incident); and
Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).
Operations and Maintenance Phase