Incident Response Part 3.1: Containment |EN

In this part of our series, we will examine a security breach incident where the defense layer of our system or systems was somehow breached.

Step 3 of IR includes Containment, Eradication, and Recovery. Taking our compromised system or systems into containment in the 3rd step of IR will prevent it from spreading to other systems. We will also destroy the effects and persistence of this security breach, and then we will ensure that this system or our systems are repaired.

via AuditBoard

We will now focus on each step to better understand it. Let’s examine Containment first.


The 3rd step from the IR steps is like First Aid, which means that the incident we have been scaring and waiting for has finally happened. First, we need to intervene in the wound and prevent further blood loss/damage.

Containment Stages

Containment is divided into sub-stages as follows:

  • Short-Term Containment
  • System Back-Up
  • Long-Term Containment

We will examine these sub-stages one by one, but first, we need to answer the following questions;

  • Could an insider threat cause this incident?

The purpose of this question; You can detect and block an attacker or contain the compromised systems, but if the source of the attack is an insider threat, it can provide access to the external attacker again within the internal network access or re-include it in different network clusters. Therefore, you must first make sure that the source of the incident is not an insider threat.

  • What will the scope and scale of isolation be? How do determine-scaling the losses of Incident?

Before isolating systems or network clusters, talk to the risk team and determine the actions to be taken in case of business continuity interruption. In addition, if the business continuity stops, the financial losses that will occur should be calculated, and then a joint decision should be taken. When critical systems are placed in containment during many incidents, it stops various operations. For this reason, scaling should be done for containment by calculating the necessary risk grading and cost.

As an incident becomes clear at this stage, we need to classify it according to its Type, Effect, and Scope and continue our investigation according to these classifications.


  • Malware Infection: It is the situation where a malicious file directly or indirectly infects internal systems. In this case, the spread of the infection in the internal network is prevented, and it covers all endpoints and 3rd party devices that it will infect.
  • DoS Attack: A Denial-of-Service (DoS) attack is meant to shut down a machine or network, making it inaccessible to its intended users.
  • Unauthorized Access: Unauthorized access is when a person gains entry to a computer network, system, application software, data, or other resources.
  • Internal Security Breach: An Internal Security breach is an event in which unauthorized access is made to an organization’s computer data, applications, networks, or devices. It causes unauthorized access to information.
  • Advanced Persistent Threat: I precisely wanted to highlight the APT threat separately because the physical and virtual inventory, as well as the human factor, are included in the stages of this type of advanced attack, so it needs to be examined separately.
  • Network intrusion: We can evaluate network-based security breaches in this context.
  • Credential Leaks: This attack will be subjected after the authentication information used in the internal and external network is somehow leaked.


  • The incident affecting a critical system or systems
  • The incident affecting a non-critical system or systems

You can also scale by taking advantage of the IT inventory risk matrix you have prepared for your organization.


The scope is tightly linked to the incident notification level. For example, should the CISO or senior management be informed? Which team should be involved in which incident will provide an advantage for the healthy progress of the incident.

Incident Tracking

Reports from both internal and external customers during the Incident must be extracted and recorded through a secondary reporting channel that may have a link to the incident. For example, The connection of an incident response case maintained at location A with the notifications received throughout the institution should also be questioned. This will provide us with the first step in preventing the incident from spreading and secondary attack situations. Tools like RTIR provide us with this.


Short-term Containment

We must ensure that we do not compromise the evidence integrity of the system(s) while providing containment. For this reason, we must ensure that the attacker’s access is stopped by disconnecting the network connection of the endpoint(s) that have been compromised, with the help of various Security products or from the system management panel.

To do this;

  • It can place the machine in an isolated VLAN.
  • It can drag it into the blind spot by changing its DNS.
  • We can isolate it with the help of a router or firewall.


  • We must ensure that users in the relevant endpoint are locked
  • It is ensured that the pass combinations in the relevant systems are not reused in the institution.

Of course, while taking these steps, we must pass our decision through the stages of the Attack Type — Impact — Scope triangle.

System Back-Up

This is where DFIR steps come into play. It is necessary to take backups and protect the affected systems by following the chain of custody and data acquisition actions.

Sorting in data collection;

  • Registers => CPU Cache => Ram => HDD => External & secondary storage devices

I will cover detailed reviews of DFIR issues in my upcoming article series.

Long-term Containment

After providing our Short Term containment measures, our next step will be more detailed and tracking. If we think at the level of access rather than the type of attack, let’s look at the top category as Internal Assets Compromise and External Assets Under Attack.

External Assets Under Attack

When the attacker has an attack that somehow affects our DMZ or exit points from the outside, we will evaluate this violation. In this case, one of the first points is to contact the ISP about Network traffic monitoring and to proxy the External exit IPs securely.

Internal Assets Compromise

This scope is for incidents that have maliciously jumped or accessed the internal network. After keeping it in a way that will limit the attacker’s horizontal and vertical accesses, we should focus on two decisions.

  • We can initiate and destroy the eradication phase.
  • We can track and hunt.

Although 2nd Method seems to be an exciting option, the situation here is a kind of Snake charming. If you make the wrong move or consider the condition in which you are dealing with a threat like APT, this game you are playing can have deadly consequences.

In my next article, I will examine this experimental approach in particular.
Thank you again for reading. See you soon :)




SOC Team Lead | Purple Team Member

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

What is Quantum Computing?

Legal Use of iPhone Messages and WhatsApp Chats

Setting Up Multi-Factor Authentication on Zocdoc

HTB - HTB Console [Pwn]

Pirate x Pirate Airdrop Event Distributed

Logitech ⋆ Discount Coupon

SIL’s DAO Forum and Voting System online

Russia Fines Google Nearly $100 Million For Failing to Delete Illegal Content ❌

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alican Kiraz

Alican Kiraz

SOC Team Lead | Purple Team Member

More from Medium

Incident Response Part 2.2: Analysis |EN

5 Threat Hunting Tips from a Seasoned Hunt Team

[Some Interesting] Cloud ‘n Sec news: 06th May 22

Cyber Attribution Difficulties, Risks, & Benefits