Initial responses

• System owner
  • if data destruction would matter, shut off the machine
  • might be filesystem corruption with a few files lost
  • however, intruder might run "rm -rf /" upon detection
  • other responses depend on importance of the machine
  • compromised user account doesn't justify server shutdown
• Incident response person
  • disconnect machine from the network very soon
  • there may be a few commands to run before this
  • "very soon" depends on the external impact
  • automatic "rm -rf /" upon disconnect: less relevant issue