General Guidelines

Created: 28.07.2022

The fundamental goal of containment is to keep damage to a minimum. In an ongoing incident it is highly probable that damage cannot be avoided entirely; what can still be done at this stage is to prevent severe damage. The primary aim is to diminish the attacker's capabilities.

If the attacker is particularly sophisticated, a hasty containment action, such as abruptly unplugging the computer, may backfire. Certain APT groups may realise they have been uncovered and lay low until they feel secure again. In such scenarios it is prudent to keep a kill switch readily accessible, to be activated at the onset of data exfiltration. In the meantime, segment the network, isolating the affected machines from the others, and monitor vigilantly for any malicious activity.
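The "watch and wait, but pull the kill switch at the onset of exfiltration" approach above needs a concrete trigger. The following is an added example, not part of the original guideline: it aggregates outbound byte counts per internal host from constructed flow records (source, destination, bytes, minute), flags hosts whose outbound volume to external destinations exceeds a multiple of a baseline, and generates (but does not execute) the isolation rules. The internal address ranges, the baseline and factor, and the nftables command syntax are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges for this example (RFC 1918); an organisation would use its own.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flow records: (src, dst, bytes_out, minute). Not real traffic.
FLOWS = [
    ("10.0.1.20", "10.0.1.5", 4_000, 0),          # internal file share, ignored
    ("10.0.1.20", "203.0.113.7", 150_000, 1),     # external upload starts
    ("10.0.1.20", "203.0.113.7", 900_000, 2),
    ("10.0.1.20", "203.0.113.7", 2_500_000, 3),
    ("10.0.1.31", "198.51.100.9", 8_000, 1),      # ordinary external traffic
    ("10.0.1.31", "10.0.1.5", 12_000, 2),
]


def is_external(ip: str) -> bool:
    """True when the address is outside every assumed internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(flows, start_minute, end_minute):
    """Sum bytes sent by each internal host to external destinations in the window."""
    totals = defaultdict(int)
    for src, dst, nbytes, minute in flows:
        if start_minute <= minute <= end_minute and is_external(dst):
            totals[src] += nbytes
    return dict(totals)


def exfil_candidates(flows, window, baseline_bytes, factor=10):
    """Hosts whose outbound volume in the window exceeds factor x the baseline."""
    start, end = window
    totals = outbound_bytes_per_host(flows, start, end)
    return sorted(host for host, sent in totals.items() if sent > factor * baseline_bytes)


def kill_switch_rules(hosts):
    """Assumed nftables commands that isolate a host; generated here, never executed."""
    return [f"nft add rule inet filter forward ip saddr {host} drop" for host in hosts]


if __name__ == "__main__":
    suspects = exfil_candidates(FLOWS, window=(1, 3), baseline_bytes=20_000)
    for rule in kill_switch_rules(suspects):
        print(rule)
```

The baseline would in practice come from the host's historical outbound volume; the point of returning rule strings rather than applying them is that the decision to flip the kill switch stays with the responder while the data to make it is ready.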

Normal remediation events:

  1. Deny access to the environment.
  2. Don’t let the attacker respond to the remediation process.
  3. Remove the adversary.
  4. Degrade the attacker's ability to return.

Critical remediation steps:

  1. Disconnect the environment from the Internet.
  2. Implement strict network segmentation.
  3. Block IP and domains for C2 channels.
  4. Remove all infected and compromised nodes.
  5. Restrict access to compromised accounts.
  6. Restrict access to domain admin accounts.
  7. Validate.
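Steps 3 and 7 of the list above (block the C2 channels, then validate) are the ones most often done by hand under time pressure. The following is an added example, not part of the original guideline, showing how a responder can turn an indicator list into block rules and then check post-containment logs for hosts still reaching the blocked indicators. The indicators, the log records, the nftables syntax and the hosts-file style sinkhole entries are constructed assumptions for this example.

```python
import re
from ipaddress import ip_address

# Constructed indicators of compromise for this example, not from any real incident.
C2_INDICATORS = ["203.0.113.7", "198.51.100.9", "beacon.c2.example",
                 "not-an-ip", "Update.Cdn.Example"]

# Hostname: labels of letters, digits and hyphens, at least one dot, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def classify_indicators(indicators):
    """Split raw indicators into normalised IPs, domains and rejected entries."""
    ips, domains, rejected = [], [], []
    for raw in indicators:
        value = raw.strip().lower()
        try:
            ips.append(str(ip_address(value)))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(value):
            domains.append(value)
        else:
            rejected.append(raw)      # kept for the analyst to review, never blocked blindly
    return ips, domains, rejected


def firewall_rules(ips):
    """Assumed nftables commands dropping forwarded traffic to and from each C2 address."""
    rules = []
    for ip in ips:
        rules.append(f"nft add rule inet filter forward ip daddr {ip} drop")
        rules.append(f"nft add rule inet filter forward ip saddr {ip} drop")
    return rules


def sinkhole_entries(domains, sinkhole="0.0.0.0"):
    """Hosts-file style sinkhole lines; a resolver RPZ would be the production equivalent."""
    return [f"{sinkhole} {domain}" for domain in domains]


# Constructed post-containment logs: (timestamp, client, kind, target).
POST_LOGS = [
    ("2022-07-28T10:01:00Z", "10.0.1.20", "dns", "beacon.c2.example"),
    ("2022-07-28T10:01:02Z", "10.0.1.20", "conn", "203.0.113.7"),
    ("2022-07-28T10:02:00Z", "10.0.1.31", "conn", "192.0.2.44"),
    ("2022-07-28T10:03:00Z", "10.0.1.45", "dns", "update.cdn.example"),
]


def validate(logs, ips, domains):
    """Return clients that still resolved or connected to a blocked indicator."""
    blocked = set(ips) | set(domains)
    hits = {}
    for ts, client, kind, target in logs:
        if target.lower() in blocked:
            hits.setdefault(client, []).append((ts, kind, target))
    return hits


if __name__ == "__main__":
    ips, domains, rejected = classify_indicators(C2_INDICATORS)
    for line in firewall_rules(ips) + sinkhole_entries(domains):
        print(line)
    print("rejected:", rejected)
    print("still reaching C2:", validate(POST_LOGS, ips, domains))
```

A client that still shows up in the validation result after the rules are in place is either not behind the enforcement point, or the compromised node was missed in step 4, and either way the remediation is not finished.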
