Attack Containment Techniques

Effective containment limits the scope and impact of cyber attacks, preventing spread and buying time for complete investigation and remediation.

Concept and Purpose

Containment aims to interrupt or limit the progression of an ongoing attack. It differs from prevention (stopping the initial attack) and remediation (eliminating the root cause after an attack).

The goal is to minimize damage, protect critical assets and buy time for a complete response.

Common Techniques

Network Isolation: Isolate compromised systems into separate VLANs or disconnect them from the network.

Firewall: Block malicious traffic with firewall rules (e.g. block specific IPs, ports or protocols).

ACLs: Use Access Control Lists (ACLs) on routers and switches to restrict access to critical resources.

Account Deactivation: Deactivate compromised user accounts to prevent further access.

Process Termination: Terminate malicious processes running on compromised systems.

File Quarantine: Isolate detected malicious files in quarantine to prevent execution.

Network Isolation

Isolating compromised systems prevents lateral spread to other systems.

It can be done manually (unplugging the network cable) or automatically (moving to an isolated VLAN via software).

It is important to document and communicate isolation to avoid inadvertent disruption of legitimate services.

Firewall and ACLs

Firewall and ACLs are used to block malicious traffic based on rules.

Rules can be based on IPs, ports, protocols, traffic patterns or other attributes.

It is important to test rules before deploying to production to avoid disruption of legitimate services.

Account Deactivation

Deactivating compromised accounts prevents attackers from accessing systems and data.

It is important to follow procedures to ensure that deactivation does not affect other users or systems.

Deactivated accounts should be investigated to determine the cause of the compromise and implement preventive measures.

Process Termination

Terminating malicious processes prevents them from continuing to perform malicious actions.

It is important to identify legitimate processes to avoid disrupting services.

Terminated processes should be analyzed to determine the cause of execution and implement preventive measures.

File Quarantine

Isolating malicious files prevents them from being executed or causing damage.

Quarantined files should be analyzed to determine the cause of the infection and implement preventive measures.

It is important to follow procedures to ensure that legitimate files are not inadvertently placed in quarantine.

Automation

Automating containment techniques speeds up the response and reduces the impact of attacks.

SIEM, EDR and SOAR tools can automate network isolation, traffic blocking and account deactivation.

It is important to configure and test automation to ensure it works correctly and does not cause disruption of legitimate services.

Testing and Simulations

Testing and simulating containment techniques ensures they work correctly and that teams are prepared to respond to attacks.

Penetration tests and simulation exercises can identify flaws in containment procedures and tools.

The results of tests and simulations should be used to improve containment procedures and tools.

Common Challenges

False Positives: Incorrectly identifying systems or files as malicious and taking unnecessary containment measures.

Operational Impact: Disrupting legitimate services when implementing containment measures.

Limited Scope: Failing to fully contain the attack, allowing it to spread to other systems.

Final Recommendations

Fast and effective containment can make the difference between a minor incident and a disaster. Advance preparation with documented playbooks, configured tools and trained teams enables decisive containment under pressure.