The restart reflex that wrecks a security investigation
When a server starts behaving strangely, the trained instinct is to restart it. In an outage, that instinct is usually right. It clears the bad state and the service comes back. In a security incident, the same instinct can kill the running process, wipe the logs, and erase the record of what someone was doing inside your system.
The reflex that recovers an outage can ruin a breach investigation. Knowing the difference in the first five minutes is most of the job.
There is a second timeline you cannot see
An outage has one timeline, yours. It starts when the alert fires. A security incident has a second timeline that belongs to someone else, and it started well before your alert did. Your job is not only to stop what is happening now. It is to reconstruct what already happened.
Every time you restart, roll back, or clean up out of reflex, you are deleting parts of that hidden timeline that still live in memory and in logs. You feel productive. You are destroying your own evidence.
Contain before you fix
In an outage you fix and move on. In a breach the first move is containment, not recovery. Isolate the affected host so it cannot reach anything else. Revoke the credentials that might be compromised. Capture the state, the memory, the logs, before you change a single thing.
Only after you have preserved and contained do you start putting things back. At that point it looks like an outage again. The order is the whole point.
You still need a trustworthy record
Both kinds of incident depend on the same backbone, a timeline you can trust and a record of who did what and when. In a breach that backbone is the difference between knowing what was touched and guessing. This is the direction we are taking Vigiles, treating security events as first-class incidents with the same durable timeline as an outage, so you are reading a record instead of arguing from memory.
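The two ideas above, the preserve-contain-recover order and a timeline that cannot be quietly edited after the fact, can be made concrete in a few dozen lines. The block below is an added example written for this page; it is not Vigiles code and does not describe how Vigiles stores its timeline. Each entry carries the SHA-256 digest of the entry before it, so changing or dropping any recorded action breaks the chain, and the `record` method refuses to log a recovery action until at least one preservation and one containment action have been recorded. The actor names, hostnames and timestamps in `build_example_timeline` are constructed sample data, and the phase gate (each earlier phase needs at least one entry) is a deliberate simplification of the rule the post states.

```python
"""Tamper-evident incident timeline with enforced preserve -> contain -> recover order.

Added example for this article; not the product's own implementation.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

# Phases in the order the post prescribes: capture evidence, contain, then recover.
PHASES = ("preserve", "contain", "recover")
GENESIS = "0" * 64  # prev_hash of the very first entry


class OrderError(Exception):
    """Raised when an action is logged before the phases that must precede it."""


@dataclass(frozen=True)
class Entry:
    seq: int          # position in the timeline, starting at 0
    ts: str           # ISO-8601 UTC timestamp of the action
    actor: str        # who did it
    phase: str        # one of PHASES
    action: str       # what was done
    prev_hash: str    # digest of the previous entry (this is what chains the record)
    digest: str       # SHA-256 over this entry's own fields


def entry_digest(seq: int, ts: str, actor: str, phase: str, action: str, prev_hash: str) -> str:
    # Canonical JSON (fixed field order, no whitespace) so equal fields always hash equally.
    payload = json.dumps([seq, ts, actor, phase, action, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentTimeline:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def record(self, actor: str, phase: str, action: str, ts: Optional[str] = None) -> Entry:
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r}")
        # Simplified gate: every earlier phase must already have at least one entry.
        seen = {e.phase for e in self.entries}
        missing = [p for p in PHASES[: PHASES.index(phase)] if p not in seen]
        if missing:
            raise OrderError(f"refusing to log {phase!r} ({action}) before {missing}")
        ts = ts or datetime.now(timezone.utc).isoformat()
        seq = len(self.entries)
        prev = self.entries[-1].digest if self.entries else GENESIS
        entry = Entry(seq, ts, actor, phase, action, prev,
                      entry_digest(seq, ts, actor, phase, action, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry makes this False."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if entry_digest(e.seq, e.ts, e.actor, e.phase, e.action, e.prev_hash) != e.digest:
                return False
            prev = e.digest
        return True


def build_example_timeline() -> IncidentTimeline:
    """Constructed sample incident (hypothetical actors and host names)."""
    t = IncidentTimeline()
    t.record("oncall-a", "preserve", "memory image of web-01 captured, hash noted", "2024-01-01T00:05:00+00:00")
    t.record("oncall-a", "preserve", "/var/log from web-01 copied to evidence share", "2024-01-01T00:09:00+00:00")
    t.record("oncall-b", "contain", "web-01 moved to isolated network segment", "2024-01-01T00:12:00+00:00")
    t.record("oncall-b", "contain", "deploy credential used by web-01 revoked", "2024-01-01T00:14:00+00:00")
    t.record("oncall-a", "recover", "web-01 rebuilt from known-good image", "2024-01-01T01:30:00+00:00")
    return t


def premature_restart_is_rejected() -> bool:
    """The reflex restart, logged before anything was preserved, is refused."""
    t = IncidentTimeline()
    try:
        t.record("oncall-a", "recover", "restarted web-01")
    except OrderError:
        return True
    return False


def tampered_copy_fails_verification(t: IncidentTimeline) -> bool:
    """Editing one recorded action after the fact breaks the hash chain."""
    tampered = IncidentTimeline()
    tampered.entries = list(t.entries)
    tampered.entries[2] = replace(t.entries[2], action="no containment was necessary")
    return not tampered.verify()


if __name__ == "__main__":
    timeline = build_example_timeline()
    print("chain intact:", timeline.verify())
    print("premature restart refused:", premature_restart_is_rejected())
    print("tampered copy detected:", tampered_copy_fails_verification(timeline))
```

The ordering check is what turns "contain before you fix" from advice into a property of the record: a restart logged as `recover` with no `preserve` entries ahead of it is rejected rather than silently accepted. The hash chain is what lets the record be read rather than argued from memory; anyone holding the final digest can replay `verify` and know that no step was edited or dropped.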
An outage wants you fast. A breach wants you careful. Confuse the two and you turn one bad day into a much longer one. Start free, or see how incident management works.