NIST SP 800-61
Handling an Incident
3.1. Choosing a Containment Strategy
Containment is important before an incident overwhelms resources or increases damage. Because most
incidents require containment, it is an important consideration early in the handling of each incident.
Containment provides time for developing a tailored remediation strategy. An essential part of
containment is decision-making (e.g., shut down a system, disconnect it from a network, disable certain
functions). Such decisions are much easier to make if there are predetermined strategies and procedures
for containing the incident. Organizations should define acceptable risks in dealing with incidents and
develop strategies accordingly.
Containment strategies vary based on the type of incident. For example, the strategy for containing an
email-borne malware infection is quite different from that of a network-based DDoS attack. Organizations
should create separate containment strategies for each major incident type, with criteria documented
clearly to facilitate decision-making. Criteria for determining the appropriate strategy include:
- Potential damage to and theft of resources
- Need for evidence preservation
- Service availability (e.g., network connectivity, services provided to external parties)
- Time and resources needed to implement the strategy
- Effectiveness of the strategy (e.g., partial containment, full containment)
- Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).
In certain cases, some organizations redirect the attacker to a sandbox (a form of containment) so that
they can monitor the attacker's activity, usually to gather additional evidence. The incident response team
should discuss this strategy with its legal department to determine if it is feasible. Ways of monitoring an
attacker's activity other than sandboxing should not be used; if an organization knows that a system has
been compromised and allows the compromise to continue, it may be liable if the attacker uses the
compromised system to attack other systems. The delayed containment strategy is dangerous because an
attacker could escalate unauthorized access or compromise other systems.
Another potential issue regarding containment is that some attacks may cause additional damage when
they are contained. For example, a compromised host may run a malicious process that pings another host
periodically. When the incident handler attempts to contain the incident by disconnecting the
compromised host from the network, the subsequent pings will fail. As a result of the failure, the
malicious process may overwrite or encrypt all the data on the host's hard drive. Handlers should not
assume that just because a host has been disconnected from the network, further damage to the host has