This is largely dependent on the organisation's policies, but what you're talking about is Incident Response (IR), which falls under the umbrella term of Computer Security Incident Management.
The response that is taken usually depends on the type of attack, the known threat actors (if any), and the individual systems or network regions that are known to be compromised. These are important distinctions - you wouldn't take the same actions with a compromised receptionist's workstation as you would a compromised life support system or industrial control system.
The main steps in IR are:
- Alert - Someone notifies the team that a potential breach has occurred.
- Classification - A first-level responder performs a preliminary analysis to identify the level of threat, and takes the prescribed IR steps for the class of threat (e.g. normal, critical, etc.)
- Action - Isolation and cleanup of the affected systems, with steps taken to ensure any backdoors are closed and the original hole is patched.
- Investigation - Identification of how the threat appeared, attribution of the attackers, etc.
You can then split these down and rearrange them as they pertain to a particular situation. In some cases, the organisation may be solely interested in recovering and continuing, so the investigation phase is minimal or even skipped. In other cases, legal process may be considered, so special care is taken to provide a strong chain of evidence using tools known to be approved by the local courts. Sometimes the action step doesn't involve cleaning the machine at all, in an attempt to log and monitor the behaviour of the attackers in real time to gain stronger attribution.
In short: the answer is that it depends on the organisation and the situation. IR is rarely black-and-white.