Fairdinkum > Blog > Cybersecurity > The Best Way to Contain a Cyber Incident Depends on the Type of Attack
Dark Mode

The Best Way to Contain a Cyber Incident Depends on the Type of Attack

The Best Way to Contain a Cyber Incident Depends on the Type of Attack

After noticing that your network was experiencing unusual glitches, you turned to your Incident Response Plan (IRP) and instituted Phase 2—identifying the cause of the network problem. Unfortunately, it is a worst-case scenario. The network has been breached, and data appears to be compromised.

As per the directives in Phase 2, the cyber incident is scored and prioritized. Once that is complete, the incident response team is ready to move on to Phase 3—containing the attack with both short-term and long-term strategies to limit its spread.

The goal is to minimize the impact of the cyber incident as much as possible while addressing any disruptions by isolating the attack area. As the National Institute of Standards and Technology (NIST) points out in its Computer Security Incident Handling Guide, “containment provides time for developing a tailored remediation strategy.”

Determining the Most Effective Containment Strategy

Just as each incident needs to be classified and prioritized based on the overall impact of the attack, the containment strategy will be unique depending on the type of cyberattack. A DDoS attack, for example, will require a different containment strategy than a ransomware attack.

The incident response team should already have baseline containment strategies for a variety of different attack vectors and incident types outlined in the organization’s IRP. NIST recommends using the following criteria to determine the correct response for containment:

  • Potential damage to and theft of resources
  • Need for evidence preservation
  • Service availability (e.g., network connectivity, services provided to external parties)
  • Time and resources needed to implement the strategy
  • Effectiveness of the strategy (e.g., partial containment, full containment)
  • Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).

Short-term Containment

The bad news is that by the time a cyber incident is discovered, it has likely already been embedded in your network for a long period of time. IBM’s Cost of a Data Breach Report 2024 found that it takes, on average, 258 days to identify and contain a breach—longer if that breach involves stolen credentials. By the time the incident is identified, there could be considerable damage already done.

So, the important thing is to stop any more disruption or data compromise as quickly as possible. Short-term containment to get a fast handle on the attack can involve some seemingly simplistic, but effective, actions, such as:

  • Disconnecting all compromised devices from the network.
  • Shutting down infected servers.
  • Isolating impacted network segments.
  • Using firewalls.
  • Re-routing internet and network traffic.
  • Connecting to non-compromised backup systems until the attack is contained on the main network.

Long-term Containment

Once the impacted area has been isolated from the rest of the network, the incident response team can then begin implementing long-term containment solutions until they are restored to normal operations. Long-term containment strategies include:

  • Network segmentation. By dividing the network into isolated zones to limit the spread of the attack, unaffected critical systems can keep running.
  • Monitoring enhancements. Increasing the levels of monitoring and logging of both the isolated areas and the network as a whole allows suspicious behaviors and activity to be tracked better.
  • Access restrictions. Limiting access controls in any affected area of the system to just the highest need levels reduces the number of people working within the system.
  • Threat-hunting tools. Deploying threat-hunting tools is important to search for more malicious activity that might have been missed in earlier identification rounds.

Again, containment strategies will depend on the type of cyberattack that has occurred and how long the attack has been live on your system. The incident response team will determine those strategies based on identification scoring.

Once containment is achieved, the incident response team will move on to Phase 4, eradication.

Category: Cybersecurity
Last Updated: On February 04, 2025