Harlan Carvey has written an interesting article examining misconceptions around incident response, specifically how you deal with a security breach. Like Harlan, I've heard many people advocate booting a compromised machine off a Linux boot disk to perform forensics; there are many drawbacks to this approach, as you can read in the article (not least that powering the machine off discards the volatile state that often holds the evidence of how it was compromised). Getting to the root cause of the compromise is something that is often overlooked in the rush to restore service to the business. Like most things, planning HOW you will recover IN ADVANCE is well worth the effort.
You can read Harlan's article by clicking here. Please post comments to share your experience.