Online Courses
Cyber Incident Response

Containment actions

What are appropriate actions?

We will examine scenarios for common containment actions and weigh the positive and negative impacts each may have.

Shutdown

We once had a customer do this before we arrived:

  • Lost all memory evidence (volatile memory does not survive a power-off)

  • Lost some hard drive evidence

  • Lost a lot of knowledge of what the threat actors were doing

Same situation, different outcome

  • The threat actors were done exfiltrating and had planted a self-destruct piece of malware

  • Shutting down immediately stopped it from executing and allowed for a backup of the hard drive, etc., before the logic bomb could kick off

Disconnect from the network

We once had a customer do this ahead of time:

  • Killed a critical company-wide global trading application

  • The CFO said the amount of money lost was unimaginable

Same situation, different outcome

  • The threat actors had begun an exfiltration operation

  • They appeared to be getting everything

  • The act of disconnecting that group of servers stopped them before they got to any customer data

Leave connected and observe

We advised a customer to allow us to observe and hunt for 72 hours:

  • Discovered that the "compromised" machines were only compromised as a distraction

  • The real objective was data on a completely different segment of the network, one not previously known to have been accessed

  • End result: we found the threat actor's true objective, which led to a more complete eradication

One organization followed this process for two weeks:

  • It was during those two weeks that the threat actors took the most important data

Scope and assessment importance

The previous examples show how much the specifics can vary.

Proper assessment and scoping helps:

  • Discourages heroics and shotgun decisions

  • Keeps the whole team focused and on-mission


Last updated 8 months ago