
Containment stops incident progression while enabling investigation. Done well, containment limits damage and preserves evidence. Done poorly, it destroys evidence, alerts attackers, or fails to actually contain the threat.
Speed matters - The longer threats persist, the more damage they cause. But hasty containment without understanding can be counterproductive.
Preserve evidence - Full disk wipes destroy forensic artifacts. Contain in ways that enable later investigation.
Plan for attacker awareness - Sophisticated adversaries monitor for detection. Containment actions might trigger destructive responses if they notice.
Coordinate communication - Technical teams, management, legal, and communications all have roles. Uncoordinated messaging creates confusion.
Network isolation - Remove systems from the network. This immediately stops lateral movement and data exfiltration but prevents remote investigation. Consider partial isolation that permits investigation access while blocking general connectivity.
Account disable - Disable compromised credentials. Attackers lose access immediately but may have additional credentials you have not discovered.
Process termination - Kill malicious processes. Provides immediate relief but may lose memory artifacts and trigger respawn mechanisms.
Firewall blocks - Block communication with C2 infrastructure. Less disruptive than full isolation but only effective if you know all C2 channels.
Credential rotation - Force password changes for affected accounts or broader populations. Most effective when combined with other containment.
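The partial isolation mentioned under network isolation and the firewall blocks against C2 infrastructure can be expressed together in one host-level ruleset. The script below is an added example, not material from the Loopus lesson: it generates an nftables ruleset for a Linux host under containment that keeps SSH access open from a single forensic jump host, blocks traffic to and from a list of known C2 addresses before the connection-tracking rule can let an existing session through, and logs and drops everything else. The jump-host address and the C2 list are whatever the caller passes in; the values in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Loopus lesson): build and apply a "partial
# isolation" nftables ruleset for a Linux host under containment.
#   $1 = forensic jump host that must keep SSH access (constructed: 10.0.0.5)
#   $2 = space-separated list of known C2 addresses (constructed values)
# Everything not explicitly allowed is logged and dropped in both directions.

build_isolation_ruleset() {
    jump_host=$1
    c2_list=$2
    if [ -z "$jump_host" ]; then
        echo "usage: build_isolation_ruleset <jump-host-ip> [c2 ip ...]" >&2
        return 1
    fi

    # Turn "a b c" into "a, b, c" for the nft set literal.
    elems=""
    for h in $c2_list; do
        elems="${elems:+$elems, }$h"
    done

    cat <<EOF
table inet ir_containment {
    set c2_hosts {
        type ipv4_addr
EOF
    # An empty "elements = { }" is invalid, so emit the line only when needed.
    if [ -n "$elems" ]; then
        printf '        elements = { %s }\n' "$elems"
    fi
    cat <<EOF
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        # Known C2 first: an already-established C2 session must not ride the ct rule.
        ip saddr @c2_hosts log prefix "ir-contain-c2-in: " drop
        ct state established,related accept
        # Investigation access: SSH from the forensic jump host only.
        ip saddr $jump_host tcp dport 22 accept
        log prefix "ir-contain-in: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ip daddr @c2_hosts log prefix "ir-contain-c2-out: " drop
        ct state established,related accept
        # Evidence uploads back to the jump host are the only new outbound flows.
        ip daddr $jump_host accept
        log prefix "ir-contain-out: " drop
    }
}
EOF
}

apply_isolation() {
    # Parse-check with nft -c before touching the live ruleset.
    build_isolation_ruleset "$1" "$2" | nft -c -f - || return 1
    # Remove any earlier copy so a re-run does not append duplicate rules.
    nft delete table inet ir_containment 2>/dev/null || true
    build_isolation_ruleset "$1" "$2" | nft -f -
}

# Stand-alone use:
#   sh contain.sh 10.0.0.5 "203.0.113.10 198.51.100.7"         # print for review
#   sh contain.sh apply 10.0.0.5 "203.0.113.10 198.51.100.7"   # apply (root)
if [ "${1:-}" = apply ]; then
    apply_isolation "$2" "$3"
elif [ -n "${1:-}" ]; then
    build_isolation_ruleset "$1" "$2"
fi
```

The ordering inside each chain is the part that matters: the C2 drop sits above the established/related rule, because a C2 beacon that was already connected when the ruleset loaded would otherwise be accepted as established traffic. The log prefixes give the investigation a record of what the host tried to reach after isolation, which is often the first sign of an undiscovered channel.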
Containment decisions require balancing factors:
Incomplete containment - Attackers maintain access through undiscovered backdoors. Containment addressed symptoms without eliminating the threat.
Premature containment - Acting before understanding scope. The visible threat was contained, but undetected components remain.
Evidence destruction - Aggressive cleanup destroyed artifacts needed to understand what happened or identify additional compromise.
Attacker escalation - Containment detection triggered destructive response by adversaries.
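The process-termination strategy above warns that killing a process loses memory artifacts and can trigger respawn, and the evidence-destruction failure mode is the same problem at larger scale. The following added example, which is not part of the Loopus lesson, shows one way to terminate a Linux process without throwing away what the investigation needs: freeze it with SIGSTOP, copy its volatile /proc artifacts, take a memory image with gcore when that tool is installed, and only then kill it. It uses only /proc and coreutils; the output directory and PID are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the Loopus lesson): preserve the volatile artifacts
# of a Linux process before terminating it. Assumes a Linux /proc filesystem;
# gcore (from gdb) is optional and used only if present.

# snapshot_process <pid> <outdir>: copy /proc artifacts for <pid> into <outdir>.
# Returns 1 if the process does not exist.
snapshot_process() {
    pid=$1
    out=$2
    if [ ! -d "/proc/$pid" ]; then
        echo "snapshot_process: no such pid $pid" >&2
        return 1
    fi
    mkdir -p "$out" || return 1
    date -u +%Y-%m-%dT%H:%M:%SZ > "$out/collected_at"
    # exe and cwd are symlinks; readlink reports a binary unlinked from disk as "(deleted)".
    readlink "/proc/$pid/exe" > "$out/exe" 2>/dev/null || true
    readlink "/proc/$pid/cwd" > "$out/cwd" 2>/dev/null || true
    # cmdline and environ are NUL-separated; convert them so they are readable.
    tr '\000' ' '  < "/proc/$pid/cmdline" > "$out/cmdline" 2>/dev/null || true
    tr '\000' '\n' < "/proc/$pid/environ" > "$out/environ" 2>/dev/null || true
    # status carries PPid, the first place to look for a respawning parent;
    # maps shows loaded libraries and anonymous executable regions; fd lists open files and sockets.
    cat "/proc/$pid/status" > "$out/status" 2>/dev/null || true
    cat "/proc/$pid/maps"   > "$out/maps"   2>/dev/null || true
    ls -l "/proc/$pid/fd"   > "$out/fd"     2>/dev/null || true
    # Hash the running binary through /proc even if it no longer exists on disk.
    sha256sum "/proc/$pid/exe" > "$out/exe.sha256" 2>/dev/null || true
    return 0
}

# contain_process <pid> <outdir>: freeze, snapshot, dump memory, then kill.
contain_process() {
    pid=$1
    out=$2
    # SIGSTOP first: the process cannot react to being examined, and a
    # supervising parent sees no exit, so nothing respawns yet.
    kill -STOP "$pid" 2>/dev/null || return 1
    snapshot_process "$pid" "$out" || return 1
    if command -v gcore >/dev/null 2>&1; then
        gcore -o "$out/core" "$pid" >/dev/null 2>&1 || echo "gcore failed; continuing" >&2
    fi
    kill -KILL "$pid"
}

# Stand-alone use:  sh preserve_then_kill.sh <pid> /var/tmp/ir/<case-id>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    contain_process "$1" "$2"
fi
```

Before the final kill, read the PPid line in the captured status file: if the parent is a service manager or a cron job, killing the child alone only invites the respawn the lesson warns about, and the parent or unit is what has to be contained.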
Learn from containment decisions. Post-incident review should assess whether containment choices were appropriate and what you would do differently.