During incident handling, system owners and others sometimes want to or need to identify the attacking
host or hosts. Although this information can be important, incident handlers should generally stay focused
on containment, eradication, and recovery. Identifying an attacking host can be a time-consuming and
futile process that can prevent a team from achieving its primary goal – minimizing the business impact.
The following items describe the most commonly performed activities for attacking host identification: