Identify and Contain an Incident

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to detect cyber incidents.
  • Define the objectives of incident response.
  • Explain how to triage and contain the cyber incident.

Detect Cyber Incidents

Now that you know how to prepare for incident response, you probably want to know how to identify and contain an incident when one occurs. As an incident responder, you aim to contain and remediate events that occur outside of normal operations and recognize if these deviations are security incidents. You also determine the criticality of any incidents that occur. You detect cyber incidents by: 

  • Monitoring and logging all areas within the IT infrastructure of your organization (especially those assets you identified as critical during the preparation phase).
  • Analyzing events from log files, alerts, or error messages and correlating them against the suspected incident.
  • Comparing all events and logs to a standard baseline that systems operations staff should set up.
  • Observing other anomalies in the environment.
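
An added example, not part of the original unit, of the baseline comparison described in the list above: it parses authentication log lines and flags events that deviate from a per-account baseline. The log format, account names, addresses, and baseline values are all constructed for illustration.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed baseline: usual source networks and login hours (UTC) per account.
BASELINE = {
    "alice": {"networks": ["10.20.0.0/16"], "hours": range(7, 19)},
    "svc-backup": {"networks": ["10.20.5.10/32"], "hours": range(1, 4)},
}

# Constructed sample log lines in an assumed format.
SAMPLE_LOG = """\
2024-03-04T08:15:02Z login ok user=alice src=10.20.3.7
2024-03-04T02:10:44Z login ok user=svc-backup src=10.20.5.10
2024-03-04T03:41:09Z login ok user=alice src=203.0.113.50
2024-03-04T14:02:31Z login ok user=svc-backup src=10.20.5.10
2024-03-04T14:05:00Z login ok user=mallory src=10.20.9.9
this line is malformed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def deviations(line):
    """Return the list of baseline deviations for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparseable"]  # surface bad lines instead of dropping them
    profile = BASELINE.get(m["user"])
    if profile is None:
        return ["unknown-account"]  # no baseline exists for this account
    try:
        src = ip_address(m["src"])
    except ValueError:
        return ["unparseable"]
    found = []
    if not any(src in ip_network(n) for n in profile["networks"]):
        found.append("unusual-source")
    hour = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    if hour not in profile["hours"]:
        found.append("unusual-hour")
    return found

def triage(log_text):
    """Map each deviating line to its findings; conforming lines are omitted."""
    checked = ((line, deviations(line)) for line in log_text.splitlines())
    return {line: found for line, found in checked if found}
```

Calling `triage(SAMPLE_LOG)` returns only the lines an analyst should look at, each with the reason it departs from the baseline.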

An employee or customer may be the first person to notice that an incident is occurring and report to a supervisor, help desk, or security contact that something unusual is taking place with their use of an IT resource or account. Initial notification can also come in the form of an automated alert that an analyst in the security operations center responds to.

The supervisor, help desk, or security analyst investigates further, and if they believe an incident has occurred, they notify the incident response team (IRT) to further investigate and contain the incident. Once the IRT is triggered, the team members execute the incident response (IR) plan, including the communications plan.

Remember, having an incident response plan means the right people with the right skill sets and experience know what procedures to follow to contain a cybersecurity threat. You communicate clearly during the incident, and engage the right expertise to ensure the incident is resolved as quickly as possible, with as little impact as possible to the business and customers. 

To assist in the response, you help establish the command center during the preparation phase, and you support its operation while identifying and containing the incident. The command center can be an internally managed Security Operations Center or as simple as a senior manager and support staff in a conference room.

Define the Cyber Incident Response Objectives

Once you detect an incident, you work to establish the timeline of the incident, including the following information:

  • Date/time reported and by whom
  • Date/time the attacker established a foothold in your system
  • Date/time the attacker launched the attack
  • Events that transpired: Was data stolen or modified? Was there a system outage?
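
An added example, not part of the original unit, of assembling the timeline described above from events that different sources recorded in different time zones. It normalizes every timestamp to UTC before ordering and derives the intervals between foothold, attack launch, and report; the sources, event kinds, and timestamps are constructed.

```python
from datetime import datetime, timezone

# Constructed events from three sources, each using its own local UTC offset.
EVENTS = [
    {"source": "helpdesk", "kind": "reported", "who": "j.doe",
     "when": "2024-03-05T04:30:00-08:00"},
    {"source": "edr", "kind": "foothold", "detail": "first malicious process",
     "when": "2024-03-02T23:12:40+00:00"},
    {"source": "fileserver", "kind": "attack", "detail": "mass file modification",
     "when": "2024-03-05T06:05:10+01:00"},
    {"source": "fileserver", "kind": "outage", "detail": "share unavailable",
     "when": "2024-03-05T06:40:00+01:00"},
]

def build_timeline(events):
    """Normalize every timestamp to UTC and return the events in true order."""
    timeline = []
    for ev in events:
        when = datetime.fromisoformat(ev["when"])
        if when.tzinfo is None:
            # A timestamp without an offset cannot be ordered against the others.
            raise ValueError(f"no UTC offset on event from {ev['source']}")
        timeline.append({**ev, "when": when.astimezone(timezone.utc)})
    return sorted(timeline, key=lambda ev: ev["when"])

def first(timeline, kind):
    """Earliest event of the given kind, or None if it is not yet known."""
    return next((ev for ev in timeline if ev["kind"] == kind), None)

def summary(timeline):
    """Intervals between foothold, attack launch and report."""
    foothold, attack, reported = (
        first(timeline, k) for k in ("foothold", "attack", "reported")
    )
    return {
        "foothold_to_attack": attack["when"] - foothold["when"],
        "attack_to_report": reported["when"] - attack["when"],
    }
```

Sorting the raw timestamp strings would place the help desk report before the attack, because its local clock reads 04:30; after normalization the report correctly falls last.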

There are several objectives of incident response, depending on the severity of the incident and what parts of the organization are impacted. Some common objectives include: 

  • Stop the damage of the incident.
  • Ensure it does not intrude further into your systems.
  • Bring the system back online securely.
  • Notify impacted parties.
  • Develop incident-specific communications.
  • Get back to normal operations.
  • Understand any legal ramifications.
  • Identify damage to the business and reputation.
  • Prevent the incident from reoccurring.

Triage and Contain the Cyber Incident

One of the most immediate objectives of incident response is performing triage, or stopping the damage, to prevent any further harm from the incident. Triage involves understanding the incident and its impact on operations and the business. In performing triage, you capture and analyze data and information in order to:

  • Identify affected assets.
  • Identify the risk or vulnerability that caused exploitation.
  • Identify the size and scope of the incident.

You then contain and mitigate the incident to prevent the spread of problems. Your goal is to limit the scope and severity of the incident’s impact. This may include stopping the lateral movement of the incident, in which an attacker leverages a foothold in one system to gain unauthorized access to another. In order to neutralize the threat, you work to contain and isolate infected hosts and network segments, and prevent the incident from escalating. 

Short-Term Containment

Containment can be short-term or long-term. Short-term containment allows you to limit the damage before it gets worse. You might work to isolate the impacted network or network segment by preventing data from flowing outside of impacted systems. You isolate and contain potential threat sources, for example by revoking system access of a compromised account. You also work to contain the vulnerability that was exploited so that it can be remediated. This may include, for example, taking the system and any other systems or networks found to contain this vulnerability offline for a period of time until the system owner can apply a patch. In general, short-term containment involves applying temporary fixes to affected systems and redeploying clean systems.

You also work to discover and kill covert channels of communication, for example when an attacker has established an external connection to a remote server to exfiltrate data. You may need to block external IP addresses, domains, URLs, emails, or actors that may have caused the exploit. You also may need to take down the impacted network, server, or computing system. For example, if malware has impacted one laptop, you may remove the asset’s network access to prevent it from spreading the malware to other assets. This is known as physically isolating the infected endpoint from the network.

At this stage, you also need to preserve the current state of the evidence before tampering further with affected assets. You do this once you’ve isolated the threat from spreading, but before you do any major cleanup. You may take a forensic image of the system to preserve evidence for any future legal involvement, and to enable further investigation using an isolated image installed on separate hardware. 

Any restoration activities will involve using a clean baseline image patched and configured before the incident occurred. This can be used as a starting point to wipe and restore the entire disk from a backup or file during the removal and recovery process. 

Long-Term Containment

In performing long-term containment, you focus on further efforts to isolate and eradicate the threat by removing any unauthorized accounts, backdoors, or malware left by the attackers. You work to reconfigure the firewall and network access control lists to prevent future illicit access. You also continue to intensely monitor the affected systems and networks to identify further malicious activity or indicators. 

Sum It Up

Great work! Now that you understand how to detect, triage, and contain an incident, it’s time to explore how to remediate and recover from the incident. Let’s go!
