Containment Strategies — Short-Term vs Long-Term

Containment is the most time-critical phase of incident response: it is the point at which you stop an active attack from spreading further through your environment. Getting containment wrong in either direction is costly. Acting too slowly gives the attacker time to move laterally and stage data for exfiltration; acting too aggressively (powering off hosts, mass-resetting credentials, tearing down infrastructure before you understand the foothold) can destroy volatile evidence, tip the attacker off so they go quiet or switch to backup access, or take down services the business needs. Either mistake can be the difference between a contained incident and a catastrophic breach.

Short-Term Containment

The immediate goal is to stop the bleeding. Short-term containment actions are taken within minutes to hours of detecting an active threat:

  • Network isolation: Disconnecting compromised systems from the network to prevent lateral movement. Prefer host-firewall or EDR isolation that leaves a channel open to your IR tooling over pulling the cable or powering off: a powered-off host loses the memory contents, live connections and running processes the investigation needs.
  • Account disabling: Locking compromised user accounts and revoking active sessions. Disabling the account or changing its password alone does not end sessions that are already open; existing tokens, cookies and SSH sessions stay valid until they are explicitly revoked or expire.
  • Firewall rules: Blocking known attacker IP addresses and command-and-control domains. Treat these blocks as a stopgap: attackers rotate infrastructure, so a block on today's indicators buys time rather than ending the intrusion.
  • Email quarantine: Blocking delivery of phishing emails identified as part of the attack, and pulling already-delivered copies from mailboxes.

Short-term containment is about speed, not perfection. The priority is to limit the blast radius while preserving evidence for investigation: capture volatile data (running processes, network connections, logged-in users) before you isolate, and record every containment action with a timestamp so investigators can separate the attacker's activity from your own.
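
The short-term actions above, scripted as a playbook in an added example that is not part of the original page. The host name, IP addresses, directory and session store, and the collector output are all constructed, and the firewall rules are generated as text rather than applied (applying them needs root on the target). The example shows the ordering that preserves evidence (volatile capture before isolation), an isolation rule set that keeps the IR jump host reachable, account disabling that also revokes live sessions, and a pre-authorisation gate for host roles the IR plan does not let the on-call responder isolate unilaterally.

```python
"""Short-term containment of one compromised host, as a scripted playbook.

Added example (not from the original page). Host names, IP addresses, the
directory, the session store and the collector output are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class ContainmentRecord:
    """Ordered audit trail: what was done, to what, and when."""
    host: str
    actions: list = field(default_factory=list)

    def log(self, action: str, detail: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.actions.append((stamp, action, detail))


def capture_volatile_evidence(host: str, collectors: dict) -> dict:
    """Run every collector (process list, sockets, logged-in users) and keep
    the output. This runs BEFORE isolation: cutting the network first destroys
    the attacker's live connections, the very thing you want on record."""
    return {name: fn(host) for name, fn in collectors.items()}


def isolation_rules(ir_hosts: list) -> list:
    """Host-firewall rules (iptables syntax) that drop all traffic except to and
    from the IR jump hosts, so responders keep a management channel to the box."""
    for ip in ir_hosts:
        ipaddress.ip_address(ip)  # fail loudly on a typo before it becomes a rule
    rules = []
    for ip in ir_hosts:
        rules.append(f"iptables -A INPUT -s {ip} -j ACCEPT")
        rules.append(f"iptables -A OUTPUT -d {ip} -j ACCEPT")
    # Default-deny goes last: iptables evaluates top to bottom, first match wins.
    rules += [f"iptables -A {chain} -j DROP" for chain in ("INPUT", "OUTPUT", "FORWARD")]
    return rules


def disable_account(account: str, directory: dict, sessions: dict) -> list:
    """Lock the account AND revoke its live sessions. Locking alone leaves
    already-open sessions and tokens usable until they expire."""
    directory[account]["enabled"] = False
    revoked = [sid for sid, owner in sessions.items() if owner == account]
    for sid in revoked:
        del sessions[sid]
    return revoked


def contain_host(host, *, role, pre_authorised_roles, ir_hosts, collectors,
                 account, directory, sessions) -> ContainmentRecord:
    """Run the short-term playbook in evidence-preserving order. Roles that are
    not pre-authorised (e.g. customer-facing) stop at the decision gate so the
    documented approval path can be followed instead of isolating blindly."""
    rec = ContainmentRecord(host)
    if role not in pre_authorised_roles:
        rec.log("approval-required", f"{role} host: isolation needs the documented sign-off")
        return rec
    evidence = capture_volatile_evidence(host, collectors)
    rec.log("evidence", ", ".join(sorted(evidence)))
    for rule in isolation_rules(ir_hosts):
        rec.log("isolate", rule)
    revoked = disable_account(account, directory, sessions)
    rec.log("account", f"{account} disabled; sessions revoked: {revoked}")
    return rec


# Constructed sample data standing in for the directory, SSO session store and
# the collectors' output.
DIRECTORY = {"jdoe": {"enabled": True}}
SESSIONS = {"s-101": "jdoe", "s-102": "admin", "s-103": "jdoe"}
COLLECTORS = {
    "ps": lambda h: f"{h}: pid 4242 /tmp/.x/agent (constructed)",
    "sockets": lambda h: f"{h}: 10.0.5.23:51022 -> 203.0.113.9:443 ESTABLISHED (constructed)",
}


def run_demo() -> ContainmentRecord:
    """Contain a workstation whose role is pre-authorised in the IR plan."""
    return contain_host("ws-0412", role="workstation",
                        pre_authorised_roles={"workstation", "build-agent"},
                        ir_hosts=["10.0.9.1"], collectors=COLLECTORS,
                        account="jdoe", directory=DIRECTORY, sessions=SESSIONS)


if __name__ == "__main__":
    for stamp, action, detail in run_demo().actions:
        print(stamp, action, detail)
```

The gate at the top of contain_host is the pre-authorisation point from the action steps: the role set is the list of systems the on-call responder may isolate without sign-off, and anything else returns a record stating that approval is needed rather than silently doing nothing. The generated rules are written to the audit trail before they are applied so the record exists even if the host becomes unreachable.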

Long-Term Containment

Once the immediate threat is contained, long-term containment, typically over the following days to weeks, addresses the root cause and prepares the environment for full remediation:

  • Patching vulnerabilities: Applying the security updates that close the weakness the attacker exploited to gain access, and checking other systems for the same weakness.
  • Password resets: Forcing credential changes for affected accounts, and for all accounts if the scope is uncertain. Include service accounts, API keys and other secrets the attacker could have read, not only the user passwords you know were used.
  • Architecture changes: Implementing network segmentation or access controls that break the attack path, so the same route cannot be reused.
  • Monitoring enhancement: Deploying additional detection rules specific to the attacker's tactics, so a return through rotated infrastructure is noticed instead of relying only on the indicators you have already blocked.
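
The monitoring-enhancement step, as an added example rather than code from the original page: a detection run over constructed proxy log lines that matches the incident's known C2 hosts and, separately, flags any source that contacts a destination at near-constant intervals. The second rule deliberately goes beyond an IOC match: it keys on the attacker's tactic (periodic check-ins), so it still fires after the blocked addresses have been rotated. The log lines, the IOC set and the thresholds are assumptions made for the example.

```python
"""Long-term containment: detection tuned to the attacker's tactics, not only
their indicators, run over proxy log lines.

Added example; not from the original page. The log lines, the IOC set and the
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Indicators taken from the incident (constructed). The attacker can change
# these in minutes, so matching on them is the short-lived half of the rule.
KNOWN_C2 = {"203.0.113.9", "update-cdn.example"}

# Constructed proxy log, one event per line: "<timestamp> <src> <dst> <bytes>".
# Lines are deliberately not in time order, as exported logs often are not.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.5.23 update-cdn.example 512
2024-05-01T09:00:05 10.0.5.23 cdn.example.com 20480
2024-05-01T09:05:00 10.0.5.23 update-cdn.example 514
2024-05-01T09:10:01 10.0.5.23 update-cdn.example 510
2024-05-01T09:15:00 10.0.5.23 update-cdn.example 511
2024-05-01T09:20:00 10.0.5.23 update-cdn.example 513
2024-05-01T09:01:17 10.0.5.40 mail.example.com 4096
2024-05-01T09:00:00 10.0.5.40 198.51.100.7 500
2024-05-01T09:04:59 10.0.5.40 198.51.100.7 500
2024-05-01T09:10:00 10.0.5.40 198.51.100.7 500
2024-05-01T09:15:01 10.0.5.40 198.51.100.7 500
2024-05-01T09:44:12 10.0.5.40 cdn.example.com 3300
"""


def parse(log):
    """Yield (timestamp, src, dst, bytes) for each log line."""
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def ioc_hits(log):
    """Events whose destination is a known C2 host: exact and fast, but only
    as good as the indicator list."""
    return [(src, dst) for _, src, dst, _ in parse(log) if dst in KNOWN_C2]


def beacon_candidates(log, min_events=4, max_jitter_s=5.0):
    """Map each (src, dst) pair whose contact intervals are nearly constant to
    its period in seconds. This catches the tactic (periodic check-ins) even
    after the C2 address rotates, which is why it belongs in long-term monitoring."""
    stamps = defaultdict(list)
    for ts, src, dst, _ in parse(log):
        stamps[(src, dst)].append(ts)
    findings = {}
    for pair, times in stamps.items():
        if len(times) < min_events:
            continue
        times.sort()  # the export is not ordered; intervals need ordered stamps
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            findings[pair] = round(statistics.mean(gaps))
    return findings


def run_detection(log):
    """Combine both rules into one report keyed by source host."""
    report = defaultdict(list)
    for src, dst in sorted(set(ioc_hits(log))):
        report[src].append(f"contacted known C2 {dst}")
    for (src, dst), period in beacon_candidates(log).items():
        report[src].append(f"beaconing to {dst} every ~{period}s")
    return dict(report)


if __name__ == "__main__":
    for host, findings in sorted(run_detection(SAMPLE_LOG).items()):
        print(host)
        for finding in findings:
            print("  ", finding)
```

On the sample data the IOC rule only sees 10.0.5.23, but the beaconing rule also flags 10.0.5.40 talking to 198.51.100.7, an address that is not on the block list. That second finding is what the long-term rule is for. Real implants add jitter to their sleep, so in production the tolerance should scale with the period (a fraction of the mean gap) rather than the fixed five seconds used here, and legitimate periodic traffic (update checks, health probes) needs an allow-list to keep the rule quiet.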

Diagram

Short-Term vs Long-Term Containment

Two-column comparison showing short-term actions (minutes/hours, focus on stopping spread) versus long-term actions (days/weeks, focus on root cause), with timeline indicators.

Action Steps

  • Ensure your IR plan includes pre-authorised containment actions — your team should not need executive approval to isolate a compromised system.
  • Document decision criteria for major containment actions like taking customer-facing systems offline.
  • Test containment capabilities: can your team actually isolate a system within 15 minutes?

Quick Knowledge Check

  1. What is the difference between short-term and long-term containment?
    Short-term containment stops the immediate spread (isolation, account locking). Long-term containment addresses the root cause (patching, architecture changes).
  2. Why should some containment actions be pre-authorised?
    To avoid delays — waiting for executive approval to isolate a compromised system gives the attacker time to spread further.