13.4 Containment

Once an incident has been established as genuine, the next phase, containment, begins. The role of containment is simply to ensure that the affected system is unable to affect other systems on your network. This can be most readily accomplished by disconnecting it from the network, isolating the affected system via a firewall or other device, or simply shutting down the system.

If more information is required about the attack, then isolating the system from others via a firewall or VLAN (Virtual LAN — a network logically divided using switch software) might be the simplest option. Network monitors can then be attached to the device to monitor packets.

Of all the options, shutting down the affected system to preserve data is one of the most contentious issues in incident response. While shutting down the affected system is a sure way of ensuring that no other parts of your network are affected, it often destroys important evidence. At the very least, the contents of the volatile memory will be lost and the file system of the hard drives will be changed upon start-up. If catching the attacker is the primary goal, then shutting down the system may not be the best option. On the other hand, if critical data is at risk, then shutting down the system may be the best way to protect it.

At this point, the training of the incident response team will be crucial. The optimal compromise when in doubt about shutting down the system is to quickly image the contents of the volatile memory and preserve the integrity of the hard drive after the system is shut down.
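The compromise described above (isolate the host, capture volatile state while it is still running, record evidence hashes, and only then power off) can be scripted so that the order is not left to memory under pressure. The following is an added example, not code from the book or its author; it assumes a Linux host, an iptables firewall, a forensic collector at the placeholder address COLLECTOR_IP, and a small set of stdlib-only collection commands. A full RAM image needs a dedicated tool and is not attempted here; the script captures the process and network state that is lost at shutdown and writes a SHA-256 manifest so the captured files and the later disk image can be verified.

```python
"""Added containment helper (not from the book): isolate a Linux host while
keeping a path open to a forensic collector, capture volatile state before
any shutdown, and record SHA-256 hashes so the evidence can be verified."""
import hashlib
import json
import os
import subprocess
import time

COLLECTOR_IP = "192.0.2.10"  # assumed forensic workstation (documentation range)


def isolation_rules(collector_ip=COLLECTOR_IP):
    """iptables commands that drop everything except traffic to and from the
    collector. The ACCEPT rules are inserted before the default policies are
    switched to DROP so the evidence-transfer session is never cut."""
    return [
        ["iptables", "-I", "INPUT", "1", "-s", collector_ip, "-j", "ACCEPT"],
        ["iptables", "-I", "OUTPUT", "1", "-d", collector_ip, "-j", "ACCEPT"],
        ["iptables", "-P", "INPUT", "DROP"],
        ["iptables", "-P", "OUTPUT", "DROP"],
        ["iptables", "-P", "FORWARD", "DROP"],
    ]


# Volatile state, most transient first. A full memory image needs a
# dedicated acquisition tool (e.g. LiME or avml) and is out of scope here.
VOLATILE_COMMANDS = {
    "sockets": ["ss", "-tunap"],
    "processes": ["ps", "-eo", "pid,ppid,user,lstart,cmd"],
    "arp_cache": ["ip", "neigh"],
    "routes": ["ip", "route"],
    "sessions": ["who", "-a"],
}


def sha256_file(path):
    """Hash a file in chunks; also used later on the disk image taken after shutdown."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_volatile(outdir, commands=VOLATILE_COMMANDS, run=subprocess.run):
    """Run each collection command, save its stdout under outdir, and return a
    manifest {name: {cmd, sha256, collected_at}}. `run` is injectable so the
    flow can be exercised without touching the real host."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {}
    for name, cmd in commands.items():
        proc = run(cmd, capture_output=True, text=True)
        path = os.path.join(outdir, f"{name}.txt")
        with open(path, "w") as f:
            f.write(proc.stdout)
        manifest[name] = {
            "cmd": " ".join(cmd),
            "sha256": sha256_file(path),
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        }
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def contain(outdir, run=subprocess.run, shutdown=False):
    """Containment order: isolate first (stop lateral spread), capture volatile
    state while the host is still up, then optionally power off.
    Returns the ordered list of steps taken and the evidence manifest."""
    steps = []
    for rule in isolation_rules():
        run(rule, check=True)
    steps.append("isolate")
    manifest = capture_volatile(outdir, run=run)
    steps.append("capture")
    if shutdown:
        run(["shutdown", "-h", "now"], check=True)
        steps.append("shutdown")
    return steps, manifest


def echo_run(cmd, **kwargs):
    """Dry-run stand-in for subprocess.run: prints the command instead of executing it."""
    print("would run:", " ".join(cmd))
    return subprocess.CompletedProcess(cmd, 0, stdout="", stderr="")


if __name__ == "__main__":
    # Dry run: shows the exact order of actions without changing the host.
    print(contain("/tmp/ir-evidence", run=echo_run, shutdown=True)[0])
```

Run it with the real `subprocess.run` as root on the affected host only once the collector address is correct; the manifest.json it writes, together with `sha256_file` applied to the post-shutdown disk image, gives the integrity record the text calls for.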


Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs
