Incident containment


What is containment?

More of a strategy than a step

Can change drastically from incident to incident

Must be clearly defined in strategy

Needs finite beginning and end points

  • Does not have to give 100% guarantee of no unknown exposure

Goals

Containment strategy should aim to do the following:

  • Assess operational state of affected devices and resources

  • Minimize or eliminate further spreading of any malware or compromise

  • Determine immediate steps to take for containment to happen

  • Protect critical resources and prevent any further damage

  • Limit scope and define incident-specific scope

Assessing operational state of resources

Tools should be deployed, e.g., memory forensics tools, live host-based agents

Ensure the level of operations being affected is known before moving on

Response efforts could negatively affect operations if not assessed and aligned

Minimize the spreading of any threat

Use IoCs identified in the detection phase

Identify extent of threat using IoCs and threat intelligence

  • Intel could be sourced internally or from subscription/external feeds

Isolate systems which are known to be compromised after assessing impact of proposed isolation

Collect memory dumps, hard drive images, network traffic logs and other applicable data

Invoke any cloud services-specific containment tools and protocols as needed

Determine next steps

Shut down affected systems?

  • Could destroy best evidence

  • Could break critical operational processes and functions

  • Likely to alert threat actor to IR activity

Disconnect systems from network but leave running?

  • Likely to alert threat actor to activity

  • Could break critical operational processes and functions

Continue memory forensics and study threat actor?

  • NOT as likely to alert threat actor

  • Will likely allow threat actor to continue what they're doing

  • NOT likely to affect any critical operational processes or functions

Ensure scope limiting

Containment at this point should be built around containing known threats and based on known IoCs and malicious behavior

Have a working IoC list that is updated as new IoCs of threat are discovered

Do not let other potential incidents or other distractions take focus from known IoCs and processes

Containment is not a "guarantee" of threat containment. It is an assurance of having followed through with all of the approved containment processes and procedures
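The two passages above (using detection-phase IoCs to find the extent of the threat, and keeping a working IoC list that grows as new indicators are confirmed) can be shown as a small matching routine. The script below is an added example and is not part of the original slides: it holds a working IoC list, matches it against constructed firewall, DNS and EDR log lines, and returns the hosts that are candidates for isolation. Every IP, domain, hash, host name and log line in it is a constructed sample, and the key=value log format is an assumption made for the example.

```python
"""Added example for the containment notes above (not from the original
slides): keep a working IoC list, match it against host and network log
lines, and list hosts that are containment candidates. Every IoC value,
host name and log line here is a constructed sample, not a real indicator."""
import re
from dataclasses import dataclass, field

# Constructed sample hash (64 hex chars), standing in for a confirmed malicious file hash.
SAMPLE_HASH = "d3adbeef" * 8

# Constructed log lines in a simple key=value style (firewall, DNS, EDR events).
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z host=ws-017 fw dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:02:15Z host=ws-017 dns query=c2.example.test",
    f"2024-05-01T10:03:40Z host=srv-db-02 edr sha256={SAMPLE_HASH} path=C:\\Users\\Public\\svc.exe",
    "2024-05-01T10:04:02Z host=ws-022 dns query=updates.vendor.test",
    "2024-05-01T10:05:00Z host=ws-031 fw dst=198.51.100.7 dport=80 action=allow",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
HOST_RE = re.compile(r"\bhost=(\S+)")


@dataclass
class IocList:
    """The working IoC list: grows as new indicators are confirmed during the incident."""
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)

    def add(self, kind: str, value: str) -> None:
        bucket = {"ip": self.ips, "domain": self.domains, "hash": self.hashes}[kind]
        bucket.add(value.strip().lower())


def initial_iocs() -> IocList:
    """IoCs handed over from the detection phase (constructed values)."""
    iocs = IocList()
    iocs.add("ip", "203.0.113.45")        # RFC 5737 documentation range, constructed
    iocs.add("domain", "c2.example.test")  # constructed
    iocs.add("hash", SAMPLE_HASH)
    return iocs


def match_line(iocs: IocList, line: str) -> set:
    """Return the (kind, value) indicators from the working list that appear in one log line."""
    hits = set()
    hits.update(("ip", v) for v in IP_RE.findall(line) if v in iocs.ips)
    hits.update(("domain", v.lower()) for v in DOMAIN_RE.findall(line) if v.lower() in iocs.domains)
    hits.update(("hash", v.lower()) for v in SHA256_RE.findall(line) if v.lower() in iocs.hashes)
    return hits


def containment_candidates(iocs: IocList, lines) -> dict:
    """Map each host with at least one IoC hit to the indicators seen on it.

    This is the list to assess for isolation (after weighing the operational
    impact) and to carry into the containment record for the eradication phase.
    """
    candidates: dict = {}
    for line in lines:
        hits = match_line(iocs, line)
        if not hits:
            continue
        m = HOST_RE.search(line)
        host = m.group(1) if m else "unknown-host"
        candidates.setdefault(host, set()).update(hits)
    return candidates


if __name__ == "__main__":
    iocs = initial_iocs()
    first = containment_candidates(iocs, SAMPLE_LOGS)
    print("initial candidates:", {h: sorted(v) for h, v in first.items()})
    # Memory forensics on ws-017 surfaces a second domain: update the working list and re-run.
    iocs.add("domain", "updates.vendor.test")
    second = containment_candidates(iocs, SAMPLE_LOGS)
    print("after IoC update:", sorted(second))
```

The second pass is the point of the "working list": ws-022 only becomes a candidate once the newly confirmed domain is added, so the scope grows from evidence tied to the known threat rather than from unrelated alerts. Hosts with no hit (ws-031 here) stay out of scope.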

Documentation

Ensure documentation details each contained threat and locations where containment happened

The resulting data will be critical for the next phase of eradication

Also useful for lessons learned at the end of the incident

  • Containment is one of the areas most often adjusted or improved upon after incidents
