Containment and Eradication

Contain active threats and eradicate attacker presence from the environment.

Last updated: February 2026

Purpose and Scope

Containment stops an active threat from spreading, while eradication removes attacker presence from the environment. This playbook covers containment strategies, eradication steps, and verification procedures for common incident types.

Prerequisites

  • Incident declared: Confirmed compromise requiring response
  • Response authority: Approval to take containment actions
  • Tool access: EDR, firewall, identity provider, email admin
  • Communication channel: Secure method to coordinate responders
  • Scoping complete: Understanding of affected systems and accounts

Containment Goals

Effective containment should:

  • Prevent attacker from achieving objectives
  • Stop lateral movement to additional systems
  • Preserve evidence for investigation
  • Minimize business disruption
  • Buy time for thorough eradication

Containment Strategies

Network Isolation

Disconnect compromised systems from the network:

  • EDR isolation: Isolate endpoint while maintaining management access
  • VLAN quarantine: Move system to isolated network segment
  • Firewall rules: Block traffic to and from affected hosts
  • Physical disconnect: Last resort for critical situations

Where possible, keep a path for forensic collection (for example, EDR management access) when isolating a system.

Account Containment

  • Disable account: Prevent further authentication
  • Revoke sessions: Terminate active sessions across all services
  • Reset password: After ensuring attacker cannot intercept reset
  • Revoke tokens: Invalidate OAuth and API tokens
  • Remove MFA registrations: Re-enroll after the incident so that any device the attacker registered is dropped

Indicator Blocking

  • Block malicious IPs and domains at firewall and proxy
  • Add file hashes to EDR blocklist
  • Block malicious sender addresses at email gateway
  • Add URLs to web filtering blocklist

Email Containment

  • Quarantine malicious messages from all mailboxes
  • Block sender domain
  • Remove forwarding rules created by attacker
  • Disable compromised mailbox delegation

Eradication Goals

Eradication ensures:

  • All attacker access is removed
  • Persistence mechanisms are eliminated
  • Malware is removed from all affected systems
  • Vulnerabilities exploited are remediated
  • Attacker cannot easily return

Eradication by Incident Type

Malware Infection

  1. Identify all affected endpoints through hunting
  2. Collect forensic artifacts before remediation
  3. Remove malware and associated files
  4. Remove persistence mechanisms (registry, tasks, services)
  5. Verify removal through scans and hunting
  6. Reimage if infection is extensive or uncertain
  7. Patch vulnerability that allowed initial infection

Compromised Credentials

  1. Identify all accounts with compromised credentials
  2. Disable accounts and revoke all sessions
  3. Reset passwords through a verified out-of-band channel
  4. Re-enroll MFA with the verified user
  5. Review and remove unauthorized OAuth apps
  6. Remove attacker-created mail rules and forwarding
  7. Audit changes made while the account was compromised
  8. Determine how the credentials were obtained (phishing, breach, malware) and address that source
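Removing attacker-created mail rules (Email Containment above and step 6 here) first requires spotting them in a rule export. The following is an added example, not the playbook's own tooling: it scores each rule on the traits that typically mark an attacker rule (created in the incident window, forwards externally, hides mail, matches finance or security lures, near-empty name). The record shape, the domain example.com and the incident start time are assumptions.

```python
"""Triage mailbox rules for signs of attacker creation (account takeover / BEC).

Added example, not the playbook's own tooling. The rule records are a constructed,
vendor-neutral shape; map your mail platform's rule export onto it.
"""
from datetime import datetime

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own domains
HIDING_FOLDERS = {"rss feeds", "deleted items", "archive", "conversation history"}
LURE_KEYWORDS = {"invoice", "payment", "wire", "password", "suspicious", "hacked"}
INCIDENT_START = datetime(2026, 2, 3)   # assumption: earliest known attacker activity

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def rule_findings(rule: dict, incident_start: datetime) -> list:
    """Reasons a single rule looks attacker-created; an empty list means nothing found."""
    reasons = []
    if datetime.fromisoformat(rule["created"]) >= incident_start:
        reasons.append("created during incident window")
    for addr in rule.get("forward_to", []):
        if is_external(addr):
            reasons.append(f"forwards to external address {addr}")
    if rule.get("delete_message") or rule.get("move_to_folder", "").lower() in HIDING_FOLDERS:
        reasons.append("hides matching mail from the mailbox owner")
    hits = LURE_KEYWORDS & {w.lower() for w in rule.get("subject_contains", [])}
    if hits:
        reasons.append("matches finance/security keywords: " + ", ".join(sorted(hits)))
    if len(rule.get("name", "").strip()) <= 2:
        reasons.append("near-empty rule name")
    return reasons

def triage_mailbox(rules: list, incident_start: datetime) -> dict:
    """Map rule name -> findings for every rule that has at least one finding."""
    return {r["name"]: f for r in rules if (f := rule_findings(r, incident_start))}

# Constructed sample export: one benign rule and one typical attacker rule.
SAMPLE_RULES = [
    {"name": "Newsletters", "created": "2025-11-02T09:00:00",
     "subject_contains": ["newsletter"], "move_to_folder": "Reading"},
    {"name": ".", "created": "2026-02-03T14:22:00",
     "subject_contains": ["invoice", "payment"], "forward_to": ["drop@attacker.example"],
     "move_to_folder": "RSS Feeds"},
]

if __name__ == "__main__":
    for name, why in triage_mailbox(SAMPLE_RULES, INCIDENT_START).items():
        print(f"rule {name!r}: {'; '.join(why)}")
```

Every flagged rule should be exported as evidence before it is deleted, since the rule itself documents what the attacker was looking for.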

Phishing Campaign

  1. Quarantine all instances of phishing email
  2. Block sender and payload indicators
  3. Identify all users who interacted with the phishing
  4. For credential theft: follow compromised credentials playbook
  5. For malware delivery: follow malware infection playbook
  6. Notify affected users
  7. Update email filtering rules

Ransomware

  1. Isolate all affected and potentially affected systems immediately
  2. Identify ransomware variant and scope of encryption
  3. Preserve encrypted files and ransom notes for investigation
  4. Identify initial access vector
  5. Eradicate from all systems before restoration
  6. Restore from clean backups (verify backup integrity first)
  7. Reset all credentials in affected domain or environment
  8. Patch and harden before bringing systems back online

Business Email Compromise

  1. Identify all affected accounts
  2. Revoke access and reset credentials
  3. Remove mail rules and forwarding
  4. Audit sent messages for fraud attempts
  5. Notify affected parties (customers, vendors)
  6. Work with finance to reverse fraudulent transactions if possible
  7. Review and improve email authentication (SPF, DKIM, DMARC)

Verification Procedures

Verify Containment

  • Confirm isolated systems cannot reach network
  • Verify disabled accounts cannot authenticate
  • Test that blocked indicators are rejected
  • Monitor for attempts to access from contained assets
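The four checks above can be run mechanically against a fresh log export. The following is an added example, not the playbook's own tooling: it takes the sets of contained hosts, disabled accounts and blocked indicators, and separates containment gaps (a control that did not hold) from blocked attempts (denied activity from contained assets, which is evidence for the investigation). The log format, addresses and account names are constructed.

```python
"""Check fresh log exports for contained assets that are still active.

Added example, not the playbook's own tooling. Log lines are constructed in a
simple key=value shape; adapt parse() to your SIEM or firewall export.
"""
CONTAINED_HOSTS = {"10.20.5.17"}      # hosts isolated via EDR, VLAN or firewall rule
CONTAINED_ACCOUNTS = {"jdoe"}         # accounts disabled with sessions revoked
BLOCKED_IPS = {"198.51.100.7"}        # indicators added to the firewall blocklist

AUTH_LOG = """\
2026-02-03T15:01:10 auth user=jdoe result=failure src=10.20.5.17
2026-02-03T15:02:44 auth user=jdoe result=success src=203.0.113.9
2026-02-03T15:03:01 auth user=asmith result=success src=10.20.5.40
"""
FLOW_LOG = """\
2026-02-03T15:01:12 flow src=10.20.5.17 dst=198.51.100.7 dport=443 action=deny
2026-02-03T15:04:30 flow src=10.20.5.17 dst=192.0.2.10 dport=445 action=allow
2026-02-03T15:05:00 flow src=10.20.5.40 dst=198.51.100.7 dport=443 action=allow
"""

def parse(line: str) -> dict:
    """Split 'timestamp kind k=v k=v ...' into a dict."""
    ts, kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=ts, kind=kind)
    return rec

def verify_containment(auth_log, flow_log, hosts, accounts, blocked):
    """Return (gaps, attempts). Gaps: a disabled account that authenticated, an
    isolated host that got traffic out, or a blocked indicator still reached.
    Attempts: denied activity from contained assets, kept as evidence."""
    gaps, attempts = [], []
    for r in map(parse, auth_log.splitlines()):
        if r["user"] in accounts:
            (gaps if r["result"] == "success" else attempts).append(
                ("account", r["user"], r["src"], r["ts"]))
    for r in map(parse, flow_log.splitlines()):
        allowed = r["action"] == "allow"
        if r["src"] in hosts:
            (gaps if allowed else attempts).append(("host", r["src"], r["dst"], r["ts"]))
        if r["dst"] in blocked and allowed:
            gaps.append(("indicator", r["src"], r["dst"], r["ts"]))
    return gaps, attempts

if __name__ == "__main__":
    gaps, attempts = verify_containment(AUTH_LOG, FLOW_LOG, CONTAINED_HOSTS,
                                        CONTAINED_ACCOUNTS, BLOCKED_IPS)
    for label, items in (("CONTAINMENT GAP", gaps), ("blocked attempt", attempts)):
        for item in items:
            print(f"{label}:", *item)
```

Any gap means the corresponding containment action must be redone and re-verified before eradication work continues.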

Verify Eradication

  • Run EDR scans on remediated endpoints
  • Hunt for persistence indicators across environment
  • Verify removed files and registry keys are gone
  • Check that network traffic to C2 has stopped
  • Monitor for recurrence over days to weeks

Coordination Considerations

  • Legal and compliance: May need to preserve evidence, notify regulators
  • Communications: Coordinate internal and external messaging
  • Business stakeholders: Understand impact of containment actions
  • Third parties: Notify affected partners or customers
  • Law enforcement: Consider engagement for significant incidents

Common Pitfalls

  • Alerting the attacker: Piecemeal containment tips the attacker off; coordinate actions so they happen simultaneously
  • Incomplete scoping: Missing affected systems leads to reinfection
  • Destroying evidence: Collect artifacts before wiping systems
  • Premature recovery: Bringing systems back before full eradication
  • Not addressing root cause: Attacker returns through same vector

Recovery Preparation

Before declaring eradication complete:

  • Document all containment and eradication actions
  • Prepare recovery and restoration plan
  • Define monitoring to detect recurrence
  • Identify hardening measures before restoration
  • Plan phased return to normal operations
