Short-Term Containment Techniques

Before choosing a containment technique, responders need answers to four questions. First: what is the attacker still doing? A ransomware operator who has already deployed encryption is in a different containment scenario from an intruder who appears to be in reconnaissance. Second: what volatile evidence exists and how valuable is it? If the attacker's tooling is running in memory and has not been written to disk, that memory must be captured before any action that causes a reboot or shutdown. Third: are there business-critical systems that cannot be taken offline? A hospital network has different constraints from a development environment. Fourth: what does the attacker know about the responder's awareness? An attacker who monitors their own access logs may detect the first sign of investigation and act before containment begins.

These questions translate into a containment decision with three parameters: aggressiveness (how completely is the attacker cut off), timing (how quickly is the action taken), and stealth (how visibly does the action change the attacker's environment). A stealthy, delayed, partial containment collects more evidence but accepts more damage. An aggressive, immediate, overt containment stops damage fast but may destroy evidence and trigger countermeasures. Most real-world responses fall somewhere between those extremes, with the balance set by the incident commander in consultation with legal, business, and technical stakeholders.

Network isolation means cutting a compromised host off from all network communication while leaving it running. The simplest method is physical: unplug the ethernet cable or disable the wireless adapter. At the infrastructure level, the same effect is achieved by disabling the port on the switch to which the device connects, or by pushing a null route for the host's IP address so that all packets destined for it are dropped. In environments with endpoint detection and response (EDR) tooling, most modern platforms include a one-click network isolation feature that enforces a host-based firewall rule blocking all inbound and outbound traffic except communication with the EDR management console, allowing continued monitoring of the isolated host.

The advantage of isolation over shutdown is the preservation of volatile state. A running system retains its process list, open file handles, established and listening network sockets, and any data held in process memory including decryption keys, credentials, and attacker tooling that was never written to disk. Capturing a full memory image of the isolated host immediately after isolation secures this evidence permanently. Isolation also keeps the host available for continued monitoring: responders can observe what the attacker's implant does when it loses its command-and-control connection, which may reveal persistence mechanisms or failover channels that would otherwise remain hidden.

Isolation has failure modes. An attacker with multiple implants on the same host may have configured one to communicate over a channel that the isolation rule does not block: a tool that tunnels traffic over the EDR management protocol, or one that uses a second physical network interface such as a Wi-Fi adapter that was not included in the isolation action. Responders should verify isolation by confirming that observed attacker activity stops, not just by confirming the firewall rule is in place.

When the compromise involves multiple hosts or an entire subnet, isolating each machine individually is impractical. Network segmentation places a firewall or VLAN boundary between the compromised segment and the rest of the network, allowing all hosts in the affected segment to remain accessible to responders while blocking lateral movement to clean systems. The affected VLAN is typically given restrictive outbound rules that block internet access and cross-segment communication, while allowing inbound management connections from the incident response team.

Traffic blocking at the perimeter operates at the firewall, the DNS resolver, or the proxy. Firewall rules blocking known attacker IP addresses or CIDR ranges are the fastest to deploy and the easiest to apply. DNS sinkholes redirect domains used by attacker command-and-control infrastructure to a controlled server, allowing continued monitoring of which internal hosts attempt to contact those domains after the sinkhole is in place. Both techniques are ineffective against attackers who use IP addresses that rotate frequently, who communicate over legitimate cloud services, or who are already operating from inside the network through compromised credentials.

Attackers in most intrusions obtain at least one set of valid credentials early in the attack chain. Account containment actions target those credentials to deny the attacker authenticated access to systems. The options are: lock the account (which prevents login but leaves the account configured), disable the account (which prevents login and marks the account inactive), rotate the credentials (which invalidates the current password or token without disabling the account), or monitor the account without acting (to observe further attacker behaviour before taking action).

Lockout and disable are appropriate when the account is confirmed compromised and the investigation does not depend on observing further authenticated activity. Credential rotation is appropriate when the account belongs to a service account or system that must remain available: the attacker's session is invalidated when the credential changes, but the service continues operating with the new credential. Monitoring without action is appropriate when the account is suspected but not confirmed compromised, or when the responder wants to watch the attacker navigate through systems before cutting off access. The risk of monitoring is that the attacker continues to cause harm while under observation.

Privileged accounts require particular care. An attacker who has obtained domain administrator credentials in an Active Directory environment may have already created backdoor accounts, added their own devices to trusted groups, or modified Group Policy objects. Disabling the compromised credential stops one access path but does not undo the persistence mechanisms already established. Account containment must be accompanied by a review of any changes made by the compromised account since the earliest confirmed time of compromise.

Every containment action has a signature that may be visible to the attacker. An attacker's implant that suddenly loses its command-and-control connection knows that something has changed. An attacker monitoring their own exfiltration pipeline will notice if uploads stop. An attacker who routinely logs into systems with compromised credentials will notice if those credentials stop working. These signals tell the attacker that they have been detected and that the responder is acting.

The consequence of alerting the attacker depends on what else they control. If the attacker has implants on dozens of systems and the responder has only identified and isolated one of them, the alert may cause the attacker to accelerate actions on the remaining systems before those are contained. If the attacker has deployed a destructive payload but has not triggered it, detection may trigger early detonation. Organised threat actors commonly use kill switches in their tooling: automated scripts that wipe logs, destroy evidence, or encrypt additional systems if a specific trigger condition is met.

Reducing attacker-alerting risk involves timing containment actions carefully. When multiple systems must be contained, all isolation actions should be executed simultaneously rather than sequentially, so that the attacker cannot observe the containment progressing and take action against the next target. Some responders use a preparation phase in which all the commands for simultaneous isolation are pre-staged on the relevant switches, firewalls, and EDR consoles, then executed in a single coordinated window. This approach is described in many published IR playbooks and is consistent with the NIST SP 800-61 guidance on simultaneous containment.

Containment decisions do not occur in a regulatory vacuum. In the European Union, the NIS2 Directive (Directive 2022/2555, replacing the original 2016 NIS Directive) requires operators of essential services and digital service providers to notify national authorities of significant incidents within 24 hours of detection, with a full report within 72 hours. In the United States, sector-specific rules govern notification timelines: HIPAA requires notification to affected individuals within 60 days of breach discovery, the SEC requires public companies to disclose material cybersecurity incidents within four business days of determining the incident is material, and CISA's Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, signed 2022) will require covered entities to report within 72 hours once the implementing rules are finalised. In the United Kingdom, the ICO must be notified of personal data breaches within 72 hours under UK GDPR. In India, CERT-In's 2022 directions require reporting of specified incidents within six hours of detection.

The relevance of these timelines to containment is direct: a containment action that destroys evidence may complicate the organisation's ability to determine the scope of a breach for notification purposes. It may also impede law enforcement investigation if the incident involves criminal activity. Many jurisdictions have computer crime statutes that require victims to preserve evidence before law enforcement can obtain it. In India, the Bharatiya Sakshya Adhiniyam 2023 governs electronic evidence admissibility; in the UK, the Police and Criminal Evidence Act 1984 (as amended) covers seizure and retention; in the United States, the Federal Rules of Evidence govern digital evidence in federal proceedings. Containment plans should be reviewed with legal counsel to confirm that evidence preservation obligations are met.