
Chapter 4: Containment Strategies

Introduction

Containment represents the critical inflection point in incident response where organizations transition from detection and analysis to active intervention. The primary objective of containment is to limit the scope and magnitude of an incident while preserving evidence and maintaining business operations to the greatest extent possible.

Containment decisions carry significant consequences. Act too aggressively and you may disrupt business operations unnecessarily or alert sophisticated adversaries who then destroy evidence. Act too conservatively and the incident spreads, causing greater damage. This chapter provides the frameworks, strategies, and decision criteria required to execute effective containment that balances competing priorities.

Understanding Containment Objectives

Effective containment strategies pursue multiple objectives simultaneously:

Prevent Further Damage

The immediate priority is stopping the incident from spreading or causing additional harm:

  • Preventing malware from infecting additional systems
  • Blocking ongoing data exfiltration
  • Stopping destruction of data or systems
  • Preventing adversary privilege escalation or lateral movement

Preserve Evidence

Containment actions must maintain forensic integrity:

  • Maintaining logs and system states for investigation
  • Preserving memory contents before system shutdown
  • Documenting all containment actions taken
  • Avoiding actions that destroy evidence of adversary activity

Maintain Business Operations

Organizations must balance security response with operational continuity:

  • Identifying critical business functions that cannot be disrupted
  • Implementing workarounds when systems must be taken offline
  • Communicating operational impacts to stakeholders
  • Prioritizing containment of systems by business criticality

Competing Priorities

Containment often involves difficult tradeoffs between these objectives. The IR team lead must make judgment calls based on incident characteristics and organizational priorities.

Short-Term vs Long-Term Containment

NIST SP 800-61 distinguishes between short-term and long-term containment strategies, each serving different purposes in the response lifecycle.

Short-Term Containment

Objective: Immediately limit the incident's ability to spread or cause additional damage

Timeline: Minutes to hours

Characteristics:

  • Rapid implementation with minimal planning
  • May not address root cause
  • Often disruptive to operations
  • Provides time for detailed investigation and long-term planning

Common Short-Term Actions:

Action              | Use Case                              | Considerations
--------------------|---------------------------------------|-------------------------------------------------------
Network Isolation   | Infected system communicating with C2 | Preserves system for forensics; disrupts user access
Account Disablement | Compromised user credentials          | May alert adversary; affects user productivity
Firewall Rules      | Block C2 communication                | May miss alternative C2 channels; can be bypassed
System Shutdown     | Destructive malware actively running  | Loses volatile memory; disrupts services
Process Termination | Active malicious process              | May trigger anti-forensic mechanisms; can be restarted

Short-Term Containment Scenario

Your EDR alerts on a workstation executing a known ransomware variant. Short-term containment involves immediately isolating the workstation from the network to prevent ransomware from spreading to file shares and other systems. This buys time to determine scope and plan recovery.

Long-Term Containment

Objective: Implement sustainable containment while preparing for eradication and recovery

Timeline: Hours to days

Characteristics:

  • More thorough approach addressing root causes
  • Minimizes operational disruption
  • May involve system rebuilds or extensive hardening
  • Supports business continuity during extended response

Common Long-Term Actions:

Action                 | Use Case                            | Considerations
-----------------------|-------------------------------------|----------------------------------------------------
Network Segmentation   | Limit lateral movement pathways     | Requires network architecture changes; planning time
System Reimaging       | Ensure complete malware removal     | Disruptive; requires backups; time-intensive
Password Resets        | Compromised credential scenario     | Organization-wide effort; user support burden
Vulnerability Patching | Exploitation of known vulnerability | May require testing; change management approval
Enhanced Monitoring    | Detect adversary persistence        | Resource-intensive; requires analyst capacity

Transition Planning

During short-term containment, immediately begin planning long-term containment and eventual recovery. Assign team members to investigate scope, identify root cause, and develop remediation strategy while others maintain short-term measures.

Network Segmentation

Network segmentation divides networks into isolated zones to limit adversary lateral movement and contain incidents to smaller portions of the infrastructure.

Segmentation Approaches

Physical Segmentation:

  • Separate physical networks with no connectivity
  • Most secure but least flexible
  • Rarely practical for incident response

Virtual LAN (VLAN) Segmentation:

  • Logical network separation using switches
  • Configured via network equipment
  • Can be implemented relatively quickly during incidents

Firewall-Based Segmentation:

  • Internal firewalls controlling traffic between network zones
  • Rule-based access control
  • Detailed logging of inter-zone traffic

Software-Defined Segmentation:

  • Micro-segmentation using software policies
  • Granular control at individual workload level
  • Common in cloud and virtualized environments

Containment-Focused Segmentation

During incident response, implement emergency segmentation:

Quarantine VLAN:

  • Isolated network segment for compromised systems
  • Allows investigation while preventing spread
  • Restricted internet access (only to security infrastructure)
  • Enhanced monitoring and logging

Critical Asset Protection:

  • Isolate highest-value systems (domain controllers, database servers)
  • Restrict access to only necessary administrative connections
  • Implement stricter firewall rules temporarily

Lateral Movement Prevention:

  • Block workstation-to-workstation communication
  • Require all connections to route through controlled chokepoints
  • Disable protocols commonly used for lateral movement (SMB, RDP, WMI)

Segmentation During APT Response

When responding to an advanced persistent threat (APT) with confirmed access to multiple systems, implement emergency segmentation:

  1. Move all confirmed-compromised systems to quarantine VLAN
  2. Segment critical servers into protected zone with strict access controls
  3. Implement workstation isolation to prevent peer-to-peer spread
  4. Monitor all inter-zone traffic for indicators of continued adversary activity
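The quarantine VLAN, lateral-movement rules and step 4 above all come down to one check: does a flow observed between zones match the emergency policy? The following is an added example, not code from the chapter, showing that check run over a handful of flow records. The zone map, the allowed zone pairs, the record format and the sample flows are all constructed for illustration.

```python
"""Check inter-zone flows against an emergency segmentation policy.

Added example, not from the chapter: the zone map, the allowed zone pairs,
the flow-record format and the sample flows are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zone map: workstations, a quarantine VLAN for confirmed-compromised
# hosts, a protected zone for critical servers, the admin jump hosts that act as
# the chokepoint, and the security infrastructure (EDR, SIEM, forensic collectors).
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "quarantine": ip_network("10.99.0.0/24"),
    "critical": ip_network("10.50.0.0/24"),
    "jump": ip_network("10.60.0.0/28"),
    "security": ip_network("10.200.0.0/24"),
}

# Destination ports of the protocols the chapter names as lateral-movement vectors.
LATERAL_PORTS = {445: "SMB", 139: "SMB", 3389: "RDP", 135: "WMI/RPC"}

# Zone pairs the emergency policy permits; anything else is a violation.
ALLOWED = {
    ("workstations", "security"),
    ("quarantine", "security"),   # quarantine reaches security infrastructure only
    ("jump", "critical"),         # critical servers only via the jump-host chokepoint
    ("critical", "security"),
    ("security", "workstations"),
    ("security", "quarantine"),
    ("security", "critical"),
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> Optional[str]:
    """Return a finding if the flow violates the policy, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "workstations" and dst_zone == "workstations":
        proto = LATERAL_PORTS.get(flow.dport, f"port {flow.dport}")
        return f"workstation-to-workstation {proto}: {flow.src} -> {flow.dst}"
    if (src_zone, dst_zone) in ALLOWED:
        return None
    if flow.dport in LATERAL_PORTS:
        return (f"{src_zone}->{dst_zone} {LATERAL_PORTS[flow.dport]} outside "
                f"chokepoint: {flow.src} -> {flow.dst}")
    return f"{src_zone}->{dst_zone} not permitted: {flow.src} -> {flow.dst}:{flow.dport}"


def parse_flow_line(line: str) -> Flow:
    # Constructed record format: "<src> <dst> <proto>/<dport>"
    src, dst, proto_port = line.split()
    proto, port = proto_port.split("/")
    return Flow(src, dst, int(port), proto)


def review(lines) -> List[str]:
    """Run every non-comment record through the policy and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            finding = evaluate(parse_flow_line(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample flow records seen at the inter-zone monitoring point.
SAMPLE_FLOWS = """
10.10.4.21 10.200.0.5 tcp/443
10.99.0.7 10.200.0.5 tcp/443
10.10.4.21 10.10.4.88 tcp/445
10.99.0.7 10.50.0.10 tcp/3389
10.60.0.3 10.50.0.10 tcp/3389
10.10.4.21 10.50.0.10 tcp/135
""".strip().splitlines()

if __name__ == "__main__":
    for finding in review(SAMPLE_FLOWS):
        print("VIOLATION:", finding)
```

Of the six sample flows, three are flagged: a workstation-to-workstation SMB connection, a quarantined host reaching a critical server over RDP, and a workstation reaching a critical server over WMI/RPC without going through the jump hosts. The admin session from the jump host and the two connections to security infrastructure pass. In production the records would come from firewall or flow logs at the zone boundaries rather than a constructed string.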

System Isolation Techniques

Isolating individual systems prevents adversary access and lateral movement while preserving systems for investigation.

Network-Level Isolation

Switch Port Shutdown:

  • Physically disables network connection
  • Immediate and complete isolation
  • Requires access to network infrastructure
  • Prevents any network communication (including investigation)

VLAN Reassignment:

  • Moves system to isolated VLAN
  • Maintains network connectivity for investigation
  • Can be implemented remotely
  • Requires managed network switches

Firewall Rules:

  • Block all traffic to/from specific IP addresses
  • Granular control over allowed connections
  • Can permit investigative access
  • May be bypassed by adversary with sufficient access

EDR Network Isolation:

  • Modern EDR platforms provide one-click network isolation
  • System remains reachable by EDR for investigation
  • All other network communication blocked
  • Can be toggled on/off remotely

EDR Isolation Advantages

EDR-based isolation is often the fastest and most flexible option, allowing investigation to continue while completely blocking adversary communication.

Host-Level Isolation

Disable Network Adapters:

  • Disable network interfaces via operating system
  • Can be done remotely before losing connectivity
  • Prevents network-based investigation

Host Firewall Configuration:

  • Block all inbound/outbound traffic via Windows Firewall or iptables
  • Maintain exceptions for investigation tools
  • Can be bypassed by adversary with administrative access
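The host-firewall variant is easy to get wrong in the direction that matters: an exception broad enough to keep the EDR agent talking can also keep the adversary talking. The following is an added example, not from the chapter, that builds an iptables isolation ruleset as an ordered list of commands, keeps narrowly scoped exceptions for investigation hosts, refuses any exception wider than a /24, and logs everything it drops so attempted C2 or lateral connections become evidence. The investigation-host address and ports are constructed placeholders.

```python
"""Generate a host-level isolation ruleset for iptables that keeps investigation access.

Added example, not from the chapter. The investigation-host addresses and ports
are constructed placeholders; use the real EDR and forensic-collector addresses.
"""
from ipaddress import ip_network
from typing import Iterable, List

LOG_PREFIX = "ISOLATION-DROP "


def isolation_rules(investigation_hosts: Iterable[str],
                    inbound_ports: Iterable[int] = (22,),
                    outbound_ports: Iterable[int] = (443,)) -> List[str]:
    """Return the iptables commands, in the order they must be applied.

    Rejects any exception wider than a /24: a broad exception quietly undoes the
    isolation, which is the failure mode to guard against.
    """
    hosts = [ip_network(h, strict=False) for h in investigation_hosts]
    for net in hosts:
        if net.prefixlen < 24:
            raise ValueError(f"investigation exception {net} is too broad")
    rules = [
        # Snapshot the current ruleset so isolation can be reverted cleanly.
        "iptables-save > /root/pre-isolation.rules",
        "iptables -F INPUT",
        "iptables -F OUTPUT",
        # Loopback stays open so local tooling keeps working.
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        # Replies to connections permitted by the exceptions below.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in hosts:
        for port in inbound_ports:   # e.g. SSH from the forensic workstation
            rules.append(f"iptables -A INPUT -s {net} -p tcp --dport {port} -j ACCEPT")
        for port in outbound_ports:  # e.g. the EDR agent's channel to its server
            rules.append(f"iptables -A OUTPUT -d {net} -p tcp --dport {port} -j ACCEPT")
    rules += [
        # Log what is dropped: attempted C2 or lateral connections are evidence.
        f'iptables -A INPUT -j LOG --log-prefix "{LOG_PREFIX}" --log-level 4',
        f'iptables -A OUTPUT -j LOG --log-prefix "{LOG_PREFIX}" --log-level 4',
        # Default-deny policies go last so the exceptions are in place first.
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
    ]
    return rules


def rollback_rules() -> List[str]:
    """Commands that restore the pre-isolation ruleset."""
    return [
        "iptables -P INPUT ACCEPT",
        "iptables -P OUTPUT ACCEPT",
        "iptables -F",
        "iptables-restore < /root/pre-isolation.rules",
    ]


def as_script(rules: List[str]) -> str:
    return "#!/bin/sh\nset -e\n" + "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(as_script(isolation_rules(["10.200.0.5"])))
```

The ordering is deliberate: the exceptions and the conntrack rule are appended before the default policies flip to DROP, so a remote session used to apply the script is not cut off halfway through. As the chapter notes, an adversary with root on the host can flush these rules, so this belongs alongside, not instead of, a network-level or EDR isolation.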

Physical Isolation

Network Cable Disconnection:

  • Physically unplug network cables
  • Guaranteed network isolation
  • Requires physical access to system
  • Appropriate for high-security scenarios

System Relocation:

  • Move system to secure investigation environment
  • Complete control over network environment
  • Enables detailed forensic analysis
  • Time and resource intensive

Evidence Gathering During Containment

Containment actions create unique opportunities to gather critical evidence before eradication activities destroy it.

Pre-Containment Evidence Collection

Before isolating or shutting down systems:

Memory Acquisition:

  • Capture RAM contents (process listings, network connections, encryption keys, injected code)
  • Use tools like FTK Imager, WinPMem, Magnet RAM Capture
  • Critical for detecting fileless malware and in-memory artifacts

Live System Data:

  • Running processes and loaded modules
  • Open network connections and listening ports
  • Logged-in users and open sessions
  • Scheduled tasks and startup items
  • Recent command history

Network Traffic Capture:

  • Initiate packet capture before isolation
  • Capture C2 communication patterns
  • Identify other potentially compromised systems
  • Document lateral movement attempts

Time Pressure

Evidence collection must be balanced against urgency of containment. For rapidly spreading threats (ransomware), prioritize containment. For slower-moving threats (APT espionage), thorough evidence collection is feasible.

Post-Containment Evidence Collection

After systems are isolated:

Forensic Imaging:

  • Create bit-for-bit copies of storage devices
  • Generate and verify cryptographic hashes
  • Work from copies to preserve original evidence
  • Use write-blocking hardware or software

Log Collection:

  • Export all available logs to secure storage
  • Prevent log rotation from destroying evidence
  • Include OS logs, application logs, security logs
  • Correlate timestamps across systems

Configuration Documentation:

  • Document system configuration state
  • Capture user account configurations
  • Record installed software and patch levels
  • Screenshot evidence for documentation
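The "generate and verify cryptographic hashes" and "export logs to secure storage" steps share one mechanism: copy the artifact, hash it, record the hash in a manifest, and re-verify the copies against the manifest whenever they are handled. The following is an added example, not from the chapter, implementing that for exported log files; the same preserve/verify pair applies to a disk image. The case id, collector name and sample log line are constructed.

```python
"""Preserve collected evidence files with a hashed manifest, then verify it.

Added example, not from the chapter. Case id, collector name and the sample
log line are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large images do not sit in memory


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(sources, evidence_dir: Path, case_id: str, collector: str) -> Path:
    """Copy each source into evidence_dir and write manifest.json.

    Records source path, copy name, size, SHA-256 and a UTC timestamp per file,
    and makes the copies read-only so later work happens on them, not the originals.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps mtime, which matters for timelines
        os.chmod(dst, 0o444)
        entries.append({
            "source": str(src),
            "copy": dst.name,
            "size": dst.stat().st_size,
            "sha256": sha256_file(dst),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"case_id": case_id, "collector": collector, "files": entries}
    mpath = evidence_dir / "manifest.json"
    mpath.write_text(json.dumps(manifest, indent=2))
    # The manifest's own hash goes in a separate file so it can be stored apart
    # (or recorded in the case notes) and the manifest itself checked later.
    (evidence_dir / "manifest.sha256").write_text(sha256_file(mpath) + "\n")
    return mpath


def verify(evidence_dir: Path):
    """Return (ok, problems); ok is False if any copy or the manifest changed."""
    problems = []
    mpath = evidence_dir / "manifest.json"
    recorded = (evidence_dir / "manifest.sha256").read_text().strip()
    if sha256_file(mpath) != recorded:
        problems.append("manifest.json hash mismatch")
    manifest = json.loads(mpath.read_text())
    for entry in manifest["files"]:
        copy = evidence_dir / entry["copy"]
        if not copy.exists():
            problems.append(f"missing: {entry['copy']}")
        elif sha256_file(copy) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['copy']}")
    return (not problems, problems)


def demo():
    """Preserve a constructed log, verify, then alter the copy and verify again."""
    work = Path(tempfile.mkdtemp())
    auth = work / "auth.log"
    auth.write_text("Mar 03 02:14:07 ws-21 sshd[4242]: Accepted password "
                    "for svc-backup from 10.10.4.88\n")  # constructed line
    evidence = work / "evidence"
    preserve([auth], evidence, case_id="IR-EXAMPLE-0001", collector="analyst-a")
    before_ok, _ = verify(evidence)
    copy = evidence / "auth.log"
    os.chmod(copy, 0o644)  # simulate someone editing the preserved copy
    copy.write_text("Mar 03 02:14:07 ws-21 sshd[4242]: Accepted password ...\n")
    after_ok, problems = verify(evidence)
    shutil.rmtree(work)
    return before_ok, after_ok, problems


if __name__ == "__main__":
    print(demo())
```

The first verification passes and the second fails with a single finding naming the altered copy, which is the signal a reviewer wants before trusting an artifact in a report. Hashing the manifest separately closes the obvious gap of editing both the copy and its recorded hash together.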

Decision Frameworks for Containment Approach

Selecting appropriate containment strategies requires systematic evaluation of incident characteristics and organizational context.

Containment Decision Matrix

flowchart TD
    A[Incident Confirmed] --> B{Scope Known?}
    B -->|Yes| C{Spreading Actively?}
    B -->|No| D[Investigate Scope]

    C -->|Yes - Rapidly| E[Aggressive Short-Term Containment]
    C -->|No| F{Business Critical Systems?}

    F -->|Yes| G[Coordinated Containment with Business]
    F -->|No| H[Standard Containment Procedures]

    D --> I{Sophisticated Adversary?}
    I -->|Yes - APT| J[Stealthy Monitoring Before Containment]
    I -->|No| H

    E --> K[Network Isolation / System Shutdown]
    G --> L[Planned Maintenance Window]
    H --> M[VLAN Quarantine / EDR Isolation]
    J --> N[Enhanced Logging / Threat Hunting]

    K --> O[Evidence Collection]
    L --> O
    M --> O
    N --> P[Simultaneous Coordinated Containment]
    P --> O

    style E fill:#ff9999
    style J fill:#99ccff
    style O fill:#99ff99

Decision Criteria

Incident Severity:

  • Critical: Aggressive containment despite operational impact
  • High: Balanced approach coordinating with business
  • Medium/Low: Measured containment with minimal disruption

Adversary Sophistication:

  • Commodity Malware: Immediate containment, low evasion risk
  • Targeted Attack: Careful approach, adversary may detect and respond
  • APT: Consider delayed containment to gather intelligence

Business Impact:

  • Critical Systems: Coordinate containment timing with business
  • Non-Critical: Immediate containment acceptable
  • During Business Hours: Consider operational disruption
  • Off-Hours: More flexibility for disruptive actions

Scope and Spread:

  • Single System: Straightforward isolation
  • Multiple Systems: Coordinated simultaneous containment
  • Unknown Scope: Investigate before containment to avoid alerting adversary
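The flowchart and the criteria above are one decision procedure read two ways, and writing it down as code exposes where they interact (for instance, critical severity overriding the maintenance-window path for a business-critical system). The following is an added example, not from the chapter: the Incident fields, approach names and action lists are my encoding of the flowchart nodes and the decision criteria, and the three sample incidents are constructed.

```python
"""Select a containment approach using the chapter's decision matrix and criteria.

Added example, not from the chapter: the Incident fields, approach names and
action lists are my encoding of the flowchart and the decision criteria.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Incident:
    scope_known: bool
    spreading_rapidly: bool = False
    business_critical: bool = False
    sophisticated_adversary: bool = False   # targeted attack or APT
    severity: str = "medium"                # critical | high | medium | low
    business_hours: bool = True


@dataclass
class Plan:
    approach: str
    actions: List[str]
    notes: List[str] = field(default_factory=list)


def choose(inc: Incident) -> Plan:
    # Flowchart D -> I -> J -> N -> P -> O: unknown scope against a sophisticated
    # adversary means observe first, then contain everything at once.
    if not inc.scope_known:
        if inc.sophisticated_adversary:
            return Plan("stealthy monitoring before containment",
                        ["enhanced logging", "threat hunting",
                         "simultaneous coordinated containment", "evidence collection"],
                        ["do not alert the adversary while scope is unknown"])
        # Flowchart D -> I -> H -> M -> O: commodity threat, scope still being worked out.
        return Plan("standard containment procedures",
                    ["investigate scope", "VLAN quarantine / EDR isolation",
                     "evidence collection"])
    # Flowchart C -> E -> K -> O: rapid spread justifies disruptive action now, and
    # the decision criteria say critical severity does too, regardless of business impact.
    if inc.spreading_rapidly or inc.severity == "critical":
        notes = ["operational disruption accepted"]
        if inc.business_critical:
            notes.append("critical severity overrides maintenance-window coordination")
        return Plan("aggressive short-term containment",
                    ["network isolation / system shutdown", "evidence collection"], notes)
    # Flowchart F -> G -> L -> O: contained spread on business-critical systems is
    # scheduled with the business rather than forced.
    if inc.business_critical:
        notes = ["coordinate timing with business owners",
                 "business hours: expect disruption" if inc.business_hours
                 else "off-hours: more room for disruptive actions"]
        if inc.sophisticated_adversary:
            notes.append("contain all affected systems in one window; adversary may react")
        return Plan("coordinated containment with business",
                    ["planned maintenance window", "evidence collection"], notes)
    # Flowchart F -> H -> M -> O: everything else follows standard procedures.
    notes = ["contain all affected systems simultaneously"] if inc.sophisticated_adversary else []
    return Plan("standard containment procedures",
                ["VLAN quarantine / EDR isolation", "evidence collection"], notes)


# Constructed sample incidents.
SAMPLES = {
    "ransomware on a workstation":
        Incident(scope_known=True, spreading_rapidly=True, severity="critical"),
    "suspected APT, scope unclear":
        Incident(scope_known=False, sophisticated_adversary=True, severity="high"),
    "credential misuse on a billing server":
        Incident(scope_known=True, business_critical=True, severity="high",
                 business_hours=False),
}

if __name__ == "__main__":
    for name, inc in SAMPLES.items():
        print(f"{name}: {choose(inc).approach}")
```

The three samples land on the three distinct paths: the ransomware case goes straight to aggressive isolation, the APT case to monitoring followed by simultaneous containment, and the billing-server case to a coordinated window, with the off-hours note attached. Encoding the procedure this way also makes the team's judgment calls reviewable after the incident, because the inputs that drove each choice are recorded alongside the outcome.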

Coordination with Stakeholders

Effective containment requires coordination across multiple organizational functions.

Internal Stakeholders

IT Operations:

  • Coordinate containment actions (network changes, system access)
  • Implement technical containment measures
  • Communicate operational impacts

Business Units:

  • Inform affected departments of potential service disruptions
  • Coordinate timing for disruptive containment actions
  • Identify critical business processes that cannot be interrupted

Executive Management:

  • Provide status updates on incident and containment activities
  • Escalate decisions requiring executive authority
  • Report business impact and estimated recovery timelines

Legal Counsel:

  • Advise on evidence preservation requirements
  • Coordinate law enforcement engagement if applicable
  • Guide regulatory notification obligations

External Stakeholders

Customers and Partners:

  • Notify if incident impacts their data or services
  • Provide status updates on restoration timelines
  • Offer remediation (credit monitoring, compensation)

Regulatory Agencies:

  • Report incidents as required by law (GDPR, HIPAA, state breach laws)
  • Coordinate investigation and remediation
  • Provide documentation of response activities

Stakeholder Communication Plan

Reference the communication plan developed during preparation (Chapter 2). Pre-approved templates and notification procedures accelerate coordination during high-pressure incidents.

Conclusion

Containment represents the most operationally complex phase of incident response, requiring rapid decision-making that balances security, evidence preservation, and business continuity. Success depends on clear decision frameworks, effective stakeholder coordination, and the technical capabilities deployed during preparation.

Organizations that execute containment effectively achieve three critical outcomes: (1) limiting incident damage and preventing spread, (2) preserving evidence for thorough investigation, and (3) maintaining essential business operations. These outcomes create the conditions for successful eradication and recovery covered in the next chapter.

Key Takeaways

  • Distinguish between short-term (immediate) and long-term (sustainable) containment
  • Balance containment aggressiveness with operational impact and evidence preservation
  • Use network segmentation and system isolation to limit adversary movement
  • Collect critical evidence before and during containment actions
  • Apply decision frameworks considering severity, sophistication, business impact, and scope
  • Coordinate containment activities across technical and business stakeholders
  • Remember containment does not remove threats—proceed quickly to eradication