Defensive perspective
From the defensive side, this section will cover expelling the attacker from the machine or restricting their general access. Defenders can start by killing the processes where attackers live and eliminating backdoors they have on the victim systems. We will also cover broad controls like blocking egress traffic or killing the attacker's network access. Finally, we will look at some techniques for locking down or restricting other non-privileged users on the system.
In some cases you need to allow user-level access, and some of those users may even become compromised, but by applying certain restrictions you can effectively quarantine users or processes on the same system. The attacker can also leverage many of these techniques to lock a defender out of their own systems, but the defender almost always has the advantage in that situation. Ultimately, the principle of physical access states that whoever physically owns the device can unplug it, perform dead...