
In cybersecurity, every second counts. A single compromised host can act as the proverbial domino, toppling your defenses and threatening your entire network. Containment is your team’s chance to hit pause before the game spirals out of control. When done effectively, it can stop an attacker in their tracks. Without it, you risk the ultimate “game over” scenario: a widespread breach with serious consequences.

Here are specific scenarios and considerations for when containment is the best course of action:

Confirmed Malware Infection

  • When to Act: Malware is spotted on a system, and there’s a risk of it hopping to other devices.
  • What to Do: Disconnect the infected host from the network immediately to prevent the malware from spreading while preserving logs and other forensic evidence for investigation.


Suspected Account Compromise

  • When to Act: You see signs of unauthorized access or suspicious activity on a user account.
  • What to Do: Disable the account or limit its privileges to stop further misuse.


Data Exfiltration in Progress

  • When to Act: You see evidence of unauthorized data being transferred out.
  • What to Do: Block specific network connections or isolate the affected systems to stop the leak.


Active Lateral Movement

  • When to Act: Indicators show an attacker jumping between systems in your network.
  • What to Do: Contain affected systems to box in the attacker and limit their reach.


Exploitation of Critical Vulnerabilities

  • When to Act: A system with a known, exploitable vulnerability is showing signs of compromise.
  • What to Do: Isolate the system to stop further attacks while you work on patching it up.



Insider Threat Activity

  • When to Act: You suspect malicious activity by someone on the inside.
  • What to Do: Restrict their access to sensitive systems or data to limit the damage.


DDoS Attack

  • When to Act: A Distributed Denial of Service attack is detected.
  • What to Do: Use traffic filtering or temporarily isolate the affected services to handle the load.


Unauthorized Changes to Critical Systems

  • When to Act: Unexpected or unauthorized tweaks to important systems pop up.
  • What to Do: Stop further changes while digging into what’s going on.


Breach of Segmentation

  • When to Act: Evidence shows that network segmentation has been breached.
  • What to Do: Reinforce boundaries between segments to keep the threat contained.


IoT Device Compromise

  • When to Act: A compromised IoT device is detected, especially in industrial or healthcare settings.
  • What to Do: Isolate the devices to prevent them from being weaponized in larger attacks.


What to Keep in Mind When Containing a Host

  • Business Impact: Think about how containment actions will affect day-to-day operations.
  • Scope of Containment: Decide whether to contain at the network, system, or account level.
  • Evidence Preservation: Make sure your actions don’t wipe out valuable forensic evidence.
  • Regulatory Requirements: Factor in any compliance rules that might influence your decisions.
  • Attacker Awareness: Don’t tip off the attacker that you’ve spotted them.
  • Recovery Preparation: Use containment time to prepare for system restoration and further investigation.
  • Speed vs. Accuracy: Speed is crucial in containment. Move quickly, but don’t act so fast that you make things worse.
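The two points that bite most often in practice are Evidence Preservation and Scope of Containment: if you cut the network first, the live sockets and process tree that tell you what the malware was doing are gone. The helper below is an added example written for this post, not Bricklayer AI’s code. It assumes a Linux host with nftables and constructed addresses for a forensic collector and an EDR server that the isolated host may still reach; it captures volatile evidence first and only then emits a default-drop ruleset, and runs in dry-run mode by default so the plan can be reviewed before anyone touches a production host.

```python
import shlex
import subprocess
from datetime import datetime, timezone

# Responders the isolated host may still talk to, so evidence can be pulled
# off and the isolation lifted remotely later (assumed, constructed addresses).
ALLOWLIST = {"10.0.50.5": "forensic-collector", "10.0.50.6": "edr-server"}

# Volatile state captured before the "cable is pulled": live sockets and the
# process tree disappear the moment the host is isolated.
EVIDENCE_COMMANDS = [
    "ss -tunap",
    "ps -eo pid,ppid,user,lstart,cmd",
    "last -F",
    "journalctl --since=-24h -o short-iso",
]


def build_isolation_ruleset(allowlist=ALLOWLIST):
    """nftables ruleset: drop everything both ways except loopback and the
    allowlisted responders. Deliberately no blanket 'ct state established'
    rule: that would keep an attacker's already-open session alive."""
    inbound = "\n".join(f"        ip saddr {ip} accept  # {n}" for ip, n in allowlist.items())
    outbound = "\n".join(f"        ip daddr {ip} accept  # {n}" for ip, n in allowlist.items())
    return f"""table inet containment {{
    chain input {{
        type filter hook input priority -300; policy drop;
        iif lo accept
{inbound}
    }}
    chain output {{
        type filter hook output priority -300; policy drop;
        oif lo accept
{outbound}
    }}
}}
"""


def plan_containment(evidence_dir="/var/tmp/ir-evidence", dry_run=True):
    """Return the ordered shell steps: evidence first, isolation last.
    With dry_run=False the steps are executed in that order (needs root)."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    steps = [f"mkdir -p {shlex.quote(evidence_dir)}"]
    for cmd in EVIDENCE_COMMANDS:
        out = f"{evidence_dir}/{stamp}-{cmd.split()[0]}.txt"
        steps.append(f"{cmd} > {shlex.quote(out)} 2>&1")
    # Hash the captures so their integrity can be shown later.
    steps.append(f"sha256sum {evidence_dir}/{stamp}-*.txt > {evidence_dir}/{stamp}-SHA256SUMS")
    steps.append("nft -f - <<'EOF'\n" + build_isolation_ruleset() + "EOF")
    if not dry_run:
        for step in steps:
            subprocess.run(step, shell=True, check=False)
    return steps
```

Review the output of `plan_containment()` against the Business Impact and Attacker Awareness points above before running it with `dry_run=False`; lifting the isolation is `nft delete table inet containment`.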

Respond Faster with Bricklayer AI

SOCs leveraging Bricklayer AI agents for IR workflows can dramatically reduce MTTD and MTTR, with continuous improvement after every incident. Download our latest playbook to discover how you can achieve the same results.


