Incident Response : Phases & understanding them better
- Incident response is a living process that changes constantly depending on the situation. 
- Generally there is a failure to understand the difference between containment and eradication. “Many people feel that if you go directly to eradication, we’re essentially achieving containment because we’re eradicating at the same time,”.
- The reason containment exists, Lee says, is that it gives incident response teams time to do proper scoping of the incident. This goes back to the identification phase, which some organizations confuse. The identification phase isn’t about intrusion detection, it’s about determining how bad the cancer is within your organization.
Our sincere thanks to Rob Lee  & SANS