Incident containment
More of a strategy than a step
Can change drastically from incident to incident
Must be clearly defined in strategy
Needs finite beginning and end points
Does not have to give 100% guarantee of no unknown exposure
Containment strategy should aim to do the following:
Assess operational state of affected devices and resources
Minimize or eliminate further spreading of any malware or compromise
Determine immediate steps to take for containment to happen
Protect critical resources and prevent any further damage
Limit scope and define an incident-specific scope
Tools should be deployed, e.g., memory forensics tools, live host-based agents
Ensure the level of operations being affected is known before moving on
Response efforts could negatively affect operations if not assessed and aligned
Use IoCs identified in the detection phase
Identify extent of threat using IoCs and threat intelligence
Intel could be sourced internally or from subscription/external providers
Isolate systems which are known to be compromised after assessing impact of proposed isolation
Collect memory dumps, hard drive images, network traffic logs and other applicable data
Invoke any cloud services-specific containment tools and protocols as needed
Could destroy best evidence
Could break critical operational processes and functions
Likely to alert threat actor to IR activity
Likely to alert threat actor to activity
Could break critical operational processes and functions
NOT as likely to alert threat actor
Will likely allow threat actor to continue what they're doing
NOT likely to affect any critical operational processes or functions
Containment at this point should be built around containing known threats and based on known IoCs and malicious behavior
Have a working IoC list that is updated as new IoCs of threat are discovered
Do not let other potential incidents or other distractions take focus from known IoCs and processes
Containment is not a "guarantee" of threat containment. It is an assurance of having followed through with all of the approved containment processes and procedures
Ensure documentation details each contained threat and locations where containment happened
The resulting data will be critical for the next phase of eradication
Also useful for lessons learned at the end of the incident
Containment is one of the areas most often adjusted or improved upon after incidents
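As an added example (not part of these notes), a small Python script that keeps a working IoC list, derives the incident-specific scope by matching only known IoCs against host telemetry, and produces the per-host containment record the eradication phase and lessons learned need. The IoC values, host names and key=value log format are constructed placeholders.

```python
import re
from collections import defaultdict

# Working IoC list: constructed, hypothetical values (TEST-NET address, .invalid domain, dummy hash).
IOC_LIST = {
    "ipv4": {"203.0.113.45"},
    "domain": {"update-check.example.invalid"},
    "sha256": {"0" * 64},
}

# Constructed EDR-style telemetry in key=value form; hosts and values are hypothetical.
SAMPLE_LOGS = [
    "ts=2024-05-01T10:02:11Z host=WS-017 dst_ip=203.0.113.45 proc=outlook.exe",
    "ts=2024-05-01T10:04:53Z host=WS-017 dns=update-check.example.invalid proc=svchost.exe",
    "ts=2024-05-01T10:05:07Z host=SRV-DB-02 dst_ip=198.51.100.9 proc=sqlservr.exe",
    "ts=2024-05-01T10:09:30Z host=WS-042 sha256=" + "0" * 64 + " proc=rundll32.exe",
    "ts=2024-05-01T10:11:02Z host=WS-042 dst_ip=203.0.113.45 proc=rundll32.exe",
]

KV = re.compile(r"(\w+)=(\S+)")
# Maps telemetry fields to IoC types, so new fields can be added without touching the matcher.
FIELD_TO_TYPE = {"dst_ip": "ipv4", "dns": "domain", "sha256": "sha256"}

def add_ioc(ioc_list, kind, value):
    """Update the working IoC list as new indicators are confirmed during the incident."""
    ioc_list.setdefault(kind, set()).add(value.lower())

def scope_from_logs(ioc_list, lines):
    """Return {host: set of (ioc_type, value)} for hosts touching a known IoC: the incident scope."""
    hits = defaultdict(set)
    for line in lines:
        fields = dict(KV.findall(line))
        host = fields.get("host", "unknown")
        for field, kind in FIELD_TO_TYPE.items():
            value = fields.get(field, "").lower()
            if value and value in ioc_list.get(kind, set()):  # known IoCs only, nothing speculative
                hits[host].add((kind, value))
    return dict(hits)

def containment_record(scope, action):
    """One record per (host, IoC) pair documenting what was contained, where, and how."""
    return [
        {"host": host, "ioc_type": kind, "ioc": value, "action": action}
        for host in sorted(scope)
        for kind, value in sorted(scope[host])
    ]

if __name__ == "__main__":
    for rec in containment_record(scope_from_logs(IOC_LIST, SAMPLE_LOGS), "network isolation via EDR"):
        print(rec)
```

Re-running scope_from_logs after each add_ioc call shows how the scope widens as the IoC list is updated, which is the point of keeping the list live rather than fixed at detection time.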