Incident Response Phases – Containment

In a previous post we discussed Incident Response (IR) processes; our preference is one that runs Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned (PICERL). In this post, we are going to look a bit more closely at the Containment phase of IR.

PICERL – Common incident response process / framework

You have identified an event. Then you confirmed it was an incident. So now you need to look at containment. This is where your IR team starts to earn its pay. But there are some pitfalls – most importantly, do not rush! There are also times when you may want to skip this step entirely. All of this should be decided in your preparation phase.

Containment

Simply put, containment means stopping the attack from spreading. In practice this can be complex, but the theory is simple. Because incidents are varied, try to avoid setting prescriptive plans. Instead, empower your IR team to make tactical decisions.

Keep in mind this is a short-term strategy. You are trying to seize the initiative from the attacker. A common model here is the OODA loop (observe, orient, decide, act). You are trying to change the cadence so you no longer constantly react to the attacker. Good strategy turns the tables and forces the attacker to react to your actions. Ultimately this means your containment strategy decides how successful your IR will be.

Warning!

First, a quick warning. Never – ever – rush into containment. It is tempting and natural to want to pull cables or shut systems down when you see an attack. But this can be a mistake. Rarely will this turn out to be a “good” strategy. More often you will undermine the IR process, destroy evidence and warn the attacker. Ultimately the decision should be taken by the Incident Manager, so your Plan needs to support them. Remember too that IR is stressful enough already; don’t add to it by panicking about containment.

One point to remember: as a human, you can never react as fast as a computer. This means waiting a bit longer is unlikely to make things significantly worse.

Containment Guidance

So, with the warning out of the way, how do we do this?

Unfortunately, there is no one-size-fits-all answer. In essence, it is simply “do good IR.” Because that isn’t helpful, there are some steps to consider.

Investigation

Begin by finding out as much as possible. Gather information about the incident. Then analyse it as much as you need: this balance is important, because too much analysis delays things and too little leads to mistakes. This can be more art than science, but experience improves things. Your incident manager should try to focus the investigation to minimise spurious activity.

As investigators find things, this “intelligence” should be fed back to the Incident Management Team to make decisions. Another important point here is to try to reduce noise. Lots of information will appear; avoid being distracted by irrelevant data or information you can’t act on.

Action

Next, take the information and turn it into action. This is the primary role of the incident manager. As investigators provide more data, a containment strategy is likely to emerge. In turn, the manager should use this to direct investigators. Through this iterative process, a robust strategy will be formed.

Some examples include:

  • Create an incident response VLAN and move infected machines into it. This allows monitoring and response but prevents further spread or command-and-control (C2) traffic.
  • Lock compromised user accounts. This prevents an attacker from continuing to use them to get access.
  • Block external access to vulnerable websites. This prevents an attacker from using webshells.

Remember all this carries risk. Your actions are likely to alert the attacker. If they have other ways in, you might lose visibility. Only act based on your investigation.
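The incident response VLAN above earns its keep only if someone actually watches it: an isolated host that keeps trying to reach the same external address at a fixed interval is a strong sign of a C2 implant, and the blocked attempts are themselves evidence for the investigation. The following is an added example, not code from the original post. It assumes the VLAN's egress firewall logs dropped packets in iptables/netfilter syslog format with an assumed log prefix of `IR-VLAN-DROP:`; the log lines, hosts and addresses are constructed for the example.

```python
"""Watch the deny log of an incident-response (quarantine) VLAN for
timer-driven outbound attempts from isolated hosts.

Added example (not from the original post). Assumes netfilter-style
syslog lines carrying the prefix "IR-VLAN-DROP:" (an assumed prefix;
use whatever your egress deny rule logs with).
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: two hosts in the IR VLAN. 10.99.0.11 retries the
# same external host roughly every 60 s (beacon-like); 10.99.0.12 makes a few
# unrelated connections. External addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 14 10:00:05 fw kernel: IR-VLAN-DROP: IN=eth1 OUT=eth0 SRC=10.99.0.11 DST=203.0.113.7 PROTO=TCP DPT=443
Mar 14 10:01:04 fw kernel: IR-VLAN-DROP: IN=eth1 OUT=eth0 SRC=10.99.0.11 DST=203.0.113.7 PROTO=TCP DPT=443
Mar 14 10:02:06 fw kernel: IR-VLAN-DROP: IN=eth1 OUT=eth0 SRC=10.99.0.11 DST=203.0.113.7 PROTO=TCP DPT=443
Mar 14 10:03:05 fw kernel: IR-VLAN-DROP: IN=eth1 OUT=eth0 SRC=10.99.0.11 DST=203.0.113.7 PROTO=TCP DPT=443
Mar 14 10:04:05 fw kernel: IR-VLAN-DROP: IN=eth1 OUT=eth0 SRC=10.99.0.11 DST=203.0.113.7 PROTO=TCP DPT=443
Mar 14 10:00:41 fw kernel: IR-VLAN-DROP: IN=eth1 OUT=eth0 SRC=10.99.0.12 DST=198.51.100.20 PROTO=TCP DPT=80
Mar 14 10:03:17 fw kernel: IR-VLAN-DROP: IN=eth1 OUT=eth0 SRC=10.99.0.12 DST=198.51.100.21 PROTO=TCP DPT=80
Mar 14 10:03:58 fw kernel: IR-VLAN-DROP: IN=eth1 OUT=eth0 SRC=10.99.0.12 DST=198.51.100.20 PROTO=UDP DPT=53
"""

# Non-greedy gaps between fields so extra netfilter fields (LEN, TTL, SPT...)
# in real logs do not break the match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: IR-VLAN-DROP: .*?"
    r"SRC=(?P<src>\S+).*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dport>\d+)"
)


def parse_drops(text, year=2024):
    """Parse drop lines into dicts. Syslog omits the year, so it is supplied."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a quarantine drop line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                        "proto": m["proto"], "dport": int(m["dport"])})
    return records


def beacon_candidates(records, min_hits=4, max_cv=0.25):
    """Flag (src, dst, dport) tuples whose blocked attempts recur at a
    regular interval.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between attempts: a low value means a timer is driving the traffic,
    which is what an implant's check-in looks like, rather than a person
    clicking around.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["dport"])].append(r["ts"])

    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "hits": len(times), "interval_s": round(avg, 1),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_drops(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} "
              f"{f['hits']} attempts every ~{f['interval_s']}s (cv={f['cv']})")
```

Each finding is a lead for the investigators, not a verdict: a regular interval can also be a legitimate agent that was never told the host moved. The value for containment is that the attempt was blocked and recorded, so the Incident Management Team gains both the evidence and the time to decide on the next action.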

Skip it

Occasionally you might decide to skip this phase. Yes, this is shocking! But remember, none of this is prescriptive.

Containment works best with low-skilled attackers. If you have an advanced adversary, you might only alert them. As a result, waiting until you can eradicate may be better. You can give guidance here in your Plans. However, the final decision should be based on the investigation.

Stopping the spread

In summary, this is the goal of containment. You need to try to prevent things from getting worse. Let your risk appetite guide decisions. Investigate well and build a robust strategy. When you are ready to implement, be decisive.
