AuditRubric
rs-mi-1 critical Respond / Incident Mitigation

Incidents are contained

Containment is the act of stopping an incident from spreading: isolating compromised systems, blocking attacker-controlled infrastructure, revoking compromised credentials, and limiting the blast radius. The decision of when and how to contain involves a deliberate trade-off: containment too early may alert the attacker before scope is fully understood, while containment too late allows further damage. Organizations need pre-defined containment strategies for common incident types to make this decision consistently.

Estimated effort: 4h
Tags: containment, incident-response, isolation, edr, network-segmentation

Implementation steps

  1. Define containment strategies for common incident types

    For each major incident category, pre-define containment actions: for a compromised endpoint, isolate it from the network while preserving the ability to collect forensic evidence. For a compromised account, revoke all active sessions, disable the account, and rotate credentials. For an active data exfiltration, block the destination IP or domain at the firewall. For ransomware, isolate affected network segments. Document these strategies in runbooks so responders act decisively.

    Tools: confluence, pagerduty

  2. Implement technical capabilities to rapidly isolate affected systems

    Ensure that responders have the technical tools to perform containment quickly: EDR agents with remote network isolation capability, the ability to disable Active Directory or IdP accounts from a central console, firewall or security group rules that can be modified rapidly, and network access control mechanisms that can quarantine specific devices. Test these capabilities in a non-production environment so responders are familiar with them before they need them.

    Tools: crowdstrike, sentinelone, okta, aws-security-groups, cloudflare

  3. Document containment decisions and actions taken

    Record all containment actions in the incident ticket as they are taken: what was isolated, when, by whom, and what the business impact of the containment action was. This documentation is essential for post-incident review, for communicating with stakeholders about what actions were taken, and for tracking the full sequence of the response. Containment actions that are not documented may be forgotten or incorrectly attributed later.

    Tools: jira, pagerduty, confluence
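The three steps above, tied together as an added example (not code from the original rubric or any named tool): pre-defined per-category strategies, handlers that apply them, and a record of every action with target, actor and timestamp. The EDR, IdP and firewall consoles are replaced by a constructed in-memory environment, and all action and incident names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for the EDR, IdP, firewall and network consoles.
ENV = {
    "hosts": {"ws-042": {"isolated": False, "edr_channel": True}},
    "accounts": {"j.doe": {"enabled": True, "sessions": 3, "cred_version": 1}},
    "blocklist": set(),
    "segments": {"vlan-20": {"isolated": False}},
}

# Step 1: pre-defined containment strategy per incident category, in execution order.
PLAYBOOKS = {
    "compromised_endpoint": ["edr_isolate_host"],
    "compromised_account": ["revoke_sessions", "disable_account", "rotate_credentials"],
    "data_exfiltration": ["block_destination"],
    "ransomware": ["isolate_segment"],
}

# Step 2: one handler per action. Network isolation leaves the EDR management
# channel untouched so forensic evidence can still be collected from the host.
ACTIONS = {
    "edr_isolate_host": lambda t: ENV["hosts"][t].update(isolated=True),
    "revoke_sessions": lambda t: ENV["accounts"][t].update(sessions=0),
    "disable_account": lambda t: ENV["accounts"][t].update(enabled=False),
    "rotate_credentials": lambda t: ENV["accounts"][t].update(
        cred_version=ENV["accounts"][t]["cred_version"] + 1),
    "block_destination": lambda t: ENV["blocklist"].add(t),
    "isolate_segment": lambda t: ENV["segments"][t].update(isolated=True),
}

@dataclass
class ContainmentRecord:
    """Step 3: what was done, to what, by whom, when, and at what business impact."""
    incident_id: str
    action: str
    target: str
    actor: str
    timestamp: str
    impact: str

def contain(incident_id, category, target, actor, impact, log):
    """Apply the documented strategy for `category` and append one record per action.
    Categories without a pre-defined strategy are refused rather than improvised."""
    if category not in PLAYBOOKS:
        raise ValueError(f"no containment strategy defined for {category!r}")
    for action in PLAYBOOKS[category]:
        ACTIONS[action](target)
        log.append(ContainmentRecord(incident_id, action, target, actor,
                                     datetime.now(timezone.utc).isoformat(), impact))
    return log
```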

Evidence required

Containment playbooks and procedures

Documented containment strategies for common incident categories.

  • Incident response runbooks defining containment steps for ransomware, credential compromise, and data exfiltration
  • EDR isolation capability documentation confirming remote containment capability
  • Network isolation procedure in the incident response plan

Containment action records

Evidence that containment was performed and documented during past incidents.

  • Incident ticket showing containment actions with timestamps
  • Firewall rule changes or account disables linked to incident tickets
  • Post-incident review noting containment effectiveness and timing

Related controls