Incident containment
What is containment?
More of a strategy than a step
Can change drastically from incident to incident
Must be clearly defined in strategy
Needs finite beginning and end points
Does not have to give a 100% guarantee of no unknown exposure
Goals
Containment strategy should aim to do the following:
Assess operational state of affected devices and resources
Minimize or eliminate further spreading of any malware or compromise
Determine immediate steps to take for containment to happen
Protect critical resources and prevent any further damage
Limit scope and define an incident-specific scope
Assessing operational state of resources
Tools should be deployed, e.g., memory forensics tools, live host-based agents
Ensure the level of operations being affected is known before moving on
Response efforts could negatively affect operations if not assessed and aligned
Minimize the spreading of any threat
Use IoCs identified in the detection phase
Identify extent of threat using IoCs and threat intelligence
Intel could be sourced internally or from subscription/external feeds
Isolate systems which are known to be compromised after assessing impact of proposed isolation
Collect memory dumps, hard drive images, network traffic logs and other applicable data
Invoke any cloud services-specific containment tools and protocols as needed
Determine next steps
Shut down affected systems?
Could destroy best evidence
Could break critical operational processes and functions
Likely to alert threat actor to IR activity
Disconnect systems from network but leave running?
Likely to alert threat actor to activity
Could break critical operational processes and functions
Continue memory forensics and study threat actor?
NOT as likely to alert threat actor
Will likely allow threat actor to continue what they're doing
NOT likely to affect any critical operational processes or functions
Ensure scope limiting
Containment at this point should be built around containing known threats and based on known IoCs and malicious behavior
Have a working IoC list that is updated as new IoCs of threat are discovered
Do not let other potential incidents or other distractions take focus from known IoCs and processes
Containment is not a "guarantee" of threat containment. It is an assurance of having followed through with all of the approved containment processes and procedures
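As an added example (not part of the original notes), the following script shows the scoping loop described above: a working IoC list is matched against host logs to find which systems are in scope, the list is extended as new indicators are found, and the result is recorded per host for the documentation step. All IoCs, host names and log lines are constructed placeholders; the log format and field names are assumed.

```python
import re
from dataclasses import dataclass, field

# Constructed working IoC list (placeholder values, not real indicators).
IOC_LIST = {
    "ip": {"203.0.113.45"},                 # RFC 5737 documentation address
    "domain": {"update.example.invalid"},
    "sha256": {"a" * 64},                   # placeholder hash
}

# Constructed log lines in an assumed "<ts> host=<name> key=value ..." shape.
SAMPLE_LOGS = [
    "2024-01-10T08:01:02Z host=ws-017 dst_ip=203.0.113.45 dport=443",
    "2024-01-10T08:01:05Z host=ws-017 dns_query=update.example.invalid",
    "2024-01-10T08:02:11Z host=db-02 dst_ip=198.51.100.9 dport=5432",
    "2024-01-10T08:03:40Z host=ws-042 file_sha256=" + "a" * 64,
    "2024-01-10T08:04:02Z host=ws-099 dns_query=beacon.example.invalid",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
# Which log fields are compared against which IoC type (assumed field names).
FIELD_TYPES = {"dst_ip": "ip", "src_ip": "ip", "dns_query": "domain", "file_sha256": "sha256"}

@dataclass
class ContainmentRecord:
    host: str
    matched: set = field(default_factory=set)  # (ioc_type, value) pairs
    action: str = "pending"                    # e.g. "isolated", "monitored"

def scope_incident(logs, iocs):
    """Map each host that matches a known IoC to its ContainmentRecord."""
    records = {}
    for line in logs:
        fields = dict(KV_RE.findall(line))
        host = fields.get("host")
        if host is None:
            continue
        for key, value in fields.items():
            ioc_type = FIELD_TYPES.get(key)
            if ioc_type and value in iocs.get(ioc_type, ()):
                records.setdefault(host, ContainmentRecord(host)).matched.add((ioc_type, value))
    return records

def add_ioc(iocs, ioc_type, value):
    """Append a newly discovered indicator to the working list; rescan afterwards."""
    iocs.setdefault(ioc_type, set()).add(value)

def containment_report(records):
    """One documentation line per host: action taken and the IoCs matched."""
    return [f"{r.host}: action={r.action}; iocs={sorted(r.matched)}" for r in records.values()]
```

Rescanning the same logs after `add_ioc` is what turns a newly learned indicator into newly scoped hosts; hosts that match nothing on the list stay out of scope until an indicator for them is added.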
Documentation
Ensure documentation details each contained threat and locations where containment happened
The resulting data will be critical for the next phase of eradication
Also useful for lessons learned at the end of the incident
Containment is one of the areas most often adjusted or improved upon after incidents