Incident containment

10MB

Incident Response Stage 3: Containment.pdf

PDF

Open

What is containment?

More of a strategy than a step

Can change drastically from incident to incident

Must be clearly defined in strategy

Needs finite beginning and end points

Does not have to give 100% guarantee of no unkown exposure

Goals

Containment strategy should aim to do the following:

Assess operational state of affected devices and resources
Minimize or eliminate further spreading of any malware or compromise
Determine immediate steps to take for containment to happen
Protect critical resources and prevent any further damage
Limit scope and define incident specific scope

Assessing operational state of resources

Tools should be deployed, e.g., memory forensics tools, live host-based agents

Ensure the level of operations being affected is known before moving on

Response efforts could negatively affect operations if not assessed and aligned

Minimize the spreading of any threat

Use IoCs identified in the detection phase

Identify extent of threat using IoCs and threat intelligence

Intel could be sourced internally or subscription/external

Isolate systems which are known to be compromised after assessing impact of proposed isolation

Collect memory dumps, hard drive images, network traffic logs and other applicable data

Invoke any cloud services-specific containment tools and protocols as needed

Determine next steps

Shut down affected systems?

Could destroy best evidence
Could break critical operational processes and functions
Likely to alert threat actor to IR activity

Disconnect systems from network but leave running?

Likely to alert threat actor to activity
Could break critical operational processes and functions

Continue memory forensics and study threat actor?

NOT as likely to alert threat actor
Will likely allow threat actor to continue what they're doing
NOT likely to affect any critical operational processes or functions

Ensure scope limiting

Containment at this point should be built around containing known threats and based on known IoCs and malicious behavior

Have a working IoC list that is updated as new IoCs of threat are discovered

Do not let other potential incidents or other distractions take focus from known IoCs and processes

Containment is not a "guarantee" of threat containment. It is an assurance of having followed through with al of the approved containment processes and procedures

Documentation

Ensure documentation details each contained threat and locations where containment happened

The resulting data will be critical for the next phase of eradication

Also useful for lessons learned at the end of the incident

Containment is one of the areas most often adjusted or improved upon after incidents

PreviousIdentification tools and techniques NextDetermining status of infected/affected computing resources

Last updated 1 year ago

hashtagWhat is containment?

hashtagGoals

hashtagAssessing operational state of resources

hashtagMinimize the spreading of any threat

hashtagDetermine next steps

hashtagShut down affected systems?

hashtagDisconnect systems from network but leave running?

hashtagContinue memory forensics and study threat actor?

hashtagEnsure scope limiting

hashtagDocumentation