Possible Containment Scenarios

Created: 28.07.2022

A device on the network becomes infected with malware

Isolation is the key. Get the host off the same network as soon as possible. There are several ways to achieve that.

  1. Physically turning the machine off.
  2. Remediation VLAN: move the host into a quarantined virtual LAN, where possible using the SNMP protocol to reconfigure the switch port. In some organisations, a remediation VLAN is the default VLAN, and you’re only allowed to talk to others after you’re given a clean bill of health. The class of products that does the scanning and VLAN manipulation is known as network access control (NAC).
  3. Remove the network connection but keep SSH access into the machine (cloud and containers).

Defaced Website

Possible reasons:

  1. CMS vulnerability
  2. SQLi
  3. Admin password compromised or authorisation mechanism bypassed.

Isolate the machine. If needed, take the website down temporarily until the vulnerability is patched.

DoS

In the case of an attack against an IP address, an easy containment method is to move the service to a new IP address and, where applicable, update DNS records to point to the new address. Given that this is a relatively easy mitigation, it is more common for attackers to target DNS records directly. Sheward, Mike. Hands-on Incident Response and Digital Forensics (pp. 53-54). BCS Learning & Development Limited. Kindle Edition.

Given this, a more common technique for denial of service containment is traffic filtering or scrubbing. This method requires working with a provider who operates a ‘scrubbing centre’, which is essentially a bank of servers that analyse incoming traffic, dropping the attack traffic while allowing the legitimate traffic to pass through. These services typically work in an on-demand model whereby if an attack is detected routes to the target are changed to ensure traffic flows through the scrubbing centre before hitting the target site. The route changes usually occur through Border Gateway Protocol (BGP) route advertisements. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 54). BCS Learning & Development Limited. Kindle Edition.

A critical vulnerability is detected in a web application

In this case, the goal of the containment phase is to ensure that no one can exploit the vulnerability in the time period between detection and remediation. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 54). BCS Learning & Development Limited. Kindle Edition.

  1. Turn the affected functionality off until the fix is applied.
  2. Apply an additional control (such as a WAF virtual patch) to temporarily detect and block any attempts to exploit it. This needs to be practised in advance, not improvised during the incident.
    1. Blacklisting.
    2. Whitelisting.
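The three options above side by side, as an added example that is not part of the original notes: a request-level virtual patch for a hypothetical vulnerable endpoint (`/orders/lookup`, parameter `order_id`, both constructed here), run in "disable", "blacklist" and "whitelist" mode over a few constructed requests. It shows why a whitelist is the stronger temporary control: the blacklist only stops the exact payload that was reported, while the whitelist rejects anything that does not look like a legitimate value.

```python
import re
from urllib.parse import parse_qs

# Hypothetical vulnerable endpoint and parameter (constructed for this example).
VULN_PATH = "/orders/lookup"
VULN_PARAM = "order_id"

# Option 2a, blacklisting: only the fragments seen in the reported exploit.
DENY_PATTERNS = [re.compile(r"union\s+select"), re.compile(r"'\s*or\s+1=1")]

# Option 2b, whitelisting: the only shape a legitimate order_id ever has.
ALLOW_PATTERN = re.compile(r"^[0-9]{1,10}$")


def _target_value(path, query):
    """Return the value of the vulnerable parameter, or None if the request is out of scope."""
    if path != VULN_PATH:
        return None
    values = parse_qs(query, keep_blank_values=True).get(VULN_PARAM)
    return values[0] if values else None


def virtual_patch(path, query, mode):
    """Decide 'allow' or 'block' for one request under the chosen containment mode."""
    value = _target_value(path, query)
    if value is None:
        return "allow"                      # other endpoints are untouched
    if mode == "disable":                   # option 1: feature off until fixed
        return "block"
    if mode == "blacklist":                 # blocks only what was anticipated
        hit = any(p.search(value.lower()) for p in DENY_PATTERNS)
        return "block" if hit else "allow"
    if mode == "whitelist":                 # blocks everything that is not a known-good shape
        return "allow" if ALLOW_PATTERN.match(value) else "block"
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample requests (path, raw query string).
SAMPLE_REQUESTS = [
    ("/orders/lookup", "order_id=1042"),                       # legitimate lookup
    ("/orders/lookup", "order_id=1%20union%20select%201,2"),   # the reported exploit
    ("/orders/lookup", "order_id=1%20or%202%3E1"),             # variant not in the denylist
    ("/about", "order_id=1%20union%20select%201,2"),           # different endpoint
]


def evaluate(mode):
    """Run the virtual patch over the sample requests and return the decisions in order."""
    return [virtual_patch(path, query, mode) for path, query in SAMPLE_REQUESTS]
```

Run `evaluate("blacklist")` and `evaluate("whitelist")` to compare: the third request passes the blacklist but is stopped by the whitelist, while the legitimate first request passes both.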

Customer data is leaked on the internet

  1. Negotiate to remove the data from the public resource.

References

Sheward, Mike. Hands-on Incident Response and Digital Forensics. BCS Learning & Development Limited. Kindle Edition.