Containment is the phase where the SOC stops the attacker’s activity, prevents further damage, and limits the spread of the incident.
It is the most time-critical stage of incident response.
The goal is not to fix everything immediately, but to freeze the attack where it is, stop lateral movement, and prevent data loss or escalation.
This chapter explains containment in full-depth SOC style, covering host-level actions, network-level controls, identity lockdown, EDR-based response, SIEM-driven containment, cloud containment, and real incident workflows.
Purpose of Containment
Containment answers one question:
How do we stop the attacker right now?
SOC analysts use containment to:
- Stop active malware
- Block C2 communication
- Prevent lateral movement
- Stop credential theft
- Limit blast radius
- Secure accounts
- Prevent data exfiltration
- Protect critical assets
Containment is immediate, not long-term remediation.
Types of Containment
Containment is divided into two categories:
Immediate Containment
Performed instantly to stop ongoing malicious activity.
Examples:
- Isolate host
- Kill malicious processes
- Block IP/domain
- Disable account
- Remove session tokens
- Block outbound traffic
Strategic/Long-Term Containment
Applied after initial control to prevent reinfection.
Examples:
- Patch vulnerable software
- Disable risky protocols
- Reconfigure firewall rules
- Strengthen authentication
Immediate Containment Actions (SOC Practical)
1. Host Isolation
Most EDR solutions provide host isolation.
Purpose:
- Cut network communication
- Stop C2 beaconing
- Block lateral movement
Used when:
- Malware is active
- C2 traffic detected
- Credentials compromised
- Lateral movement started
Example:
CrowdStrike → "Network Containment"
SentinelOne → "Quarantine Device"
2. Killing Malicious Processes
Examples of processes to kill:
- Encoded PowerShell
- Unknown executables in Temp
- RATs (njRAT, AsyncRAT, Remcos)
- Miners (xmrig)
- Ransomware (vx.exe, encrypt.exe)
EDR command:
Terminate process → payload.exe
3. Blocking Malicious IPs/Domains
Firewall or proxy block list:
- C2 servers
- Phishing URLs
- Malware-hosting domains
- Newly registered suspicious domains
Example command:
block 91.22.113.10
4. Disable Compromised Accounts
Disable account when:
- Brute force succeeded
- Privilege escalation attempted
- Unusual login locations seen
- MFA bypass detected
Example:
Disable user: j.singh
Reset password immediately
5. Revoke Active Sessions
Terminate:
- VPN sessions
- SSO sessions
- Cloud API tokens
- Browser SSO cookies
Prevents attackers from using stolen tokens.
Example:
Azure AD → Revoke Sign-In Sessions
AWS → Invalidate STS tokens
6. Contain Lateral Movement
Immediate steps:
- Block SMB
- Block RDP
- Disable PsExec tools
- Restrict WinRM
- Stop remote PowerShell
Example:
Disable RDP on compromised host
7. Stop Data Exfiltration
Actions:
- Block outbound traffic spikes
- Block specific ports (like 443 to suspicious IPs)
- Monitor large DNS queries
- Inspect active cloud sync sessions
Example:
Block outbound to sync-drive-storage[.]net
Containment Using Logs, SIEM & EDR
EDR Containment
- Host isolation
- Kill processes
- Block file hashes
- Quarantine binaries
- Restrict network output
SIEM Containment
Using SOAR:
- Block IP from SIEM alert
- Disable account automatically
- Create firewall rule
- Trigger script to isolate device
Firewall/Proxy Containment
- Immediate IP/domain block
- GEO blocking
- Protocol restriction
Cloud Containment
Example (Azure/AWS/GCP):
- Disable IAM user
- Remove keys
- Detach policies
- Restrict subnet
- Quarantine VM
Containment Scenarios (Real SOC Examples)
Scenario 1 — Phishing Malware Infection
Indicators:
- WINWORD.exe → powershell.exe
- Download from domain
Containment:
- Kill PowerShell
- Isolate host
- Block domain
- Disable user account temporarily
Scenario 2 — Credential Theft / LSASS Access
Indicators:
- Suspicious access to LSASS
- Memory dump tools seen
Containment:
- Isolate host
- Reset compromised user passwords
- Revoke sessions
- Block attacker IP
Scenario 3 — Ransomware Execution
Indicators:
- Rapid file renaming
- Unusual extensions
- High CPU usage
- Suspicious process path
Containment:
- Isolate host
- Block network shares
- Kill ransomware process
- Disable lateral movement services
Scenario 4 — C2 Beaconing
Indicators:
- Outbound to known C2 IP
Containment:
- Block IP
- Isolate host
- Query EDR for additional infected hosts
Scenario 5 — Cloud Account Compromise
Indicators:
- Impossible travel
- Login from foreign region
- Sensitive API call
Containment:
- Disable cloud account
- Revoke all sessions
- Rotate access keys
- Apply MFA
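The SOAR-style automation described under "SIEM Containment" is essentially a mapping from the indicators in the five scenarios above to the containment actions each scenario lists. The selector below is an added example, not code from the chapter or any SOAR product; the alert events, the C2 IP (a documentation-range address), and the ransomware rename threshold are constructed assumptions.

```python
# Added example: map scenario indicators to the chapter's containment actions.
# Events are constructed dicts standing in for normalised EDR/SIEM alerts.

# Containment actions per scenario, in the order the chapter lists them
PLAYBOOKS = {
    "phishing_macro": ["kill_process", "isolate_host", "block_domain", "disable_account"],
    "credential_theft": ["isolate_host", "reset_password", "revoke_sessions", "block_ip"],
    "ransomware": ["isolate_host", "block_shares", "kill_process", "disable_lateral_services"],
    "c2_beacon": ["block_ip", "isolate_host", "hunt_other_hosts"],
    "cloud_compromise": ["disable_cloud_account", "revoke_sessions", "rotate_keys", "enforce_mfa"],
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed parent set
KNOWN_C2 = {"203.0.113.10"}          # constructed placeholder, TEST-NET-3 range
RENAME_THRESHOLD = 100               # assumed renames/minute for "rapid renaming"


def classify(event: dict):
    """Return the scenario an alert event matches, or None if nothing fires."""
    parent = event.get("parent", "").lower()
    child = event.get("process", "").lower()
    # Scenario 1: Office application spawning PowerShell
    if parent in OFFICE_APPS and child == "powershell.exe":
        return "phishing_macro"
    # Scenario 2: memory read of LSASS by a non-system process
    if event.get("target", "").lower() == "lsass.exe" and event.get("memory_read"):
        return "credential_theft"
    # Scenario 3: rapid renaming into an unusual extension
    if event.get("renames_per_min", 0) >= RENAME_THRESHOLD and event.get("new_extension"):
        return "ransomware"
    # Scenario 4: outbound connection to a known C2 address
    if event.get("dst_ip") in KNOWN_C2:
        return "c2_beacon"
    # Scenario 5: impossible travel or sensitive API call on a cloud identity
    if event.get("impossible_travel") or event.get("sensitive_api_call"):
        return "cloud_compromise"
    return None


def plan_containment(event: dict) -> list:
    """Actions an analyst (or SOAR playbook) would queue for this event."""
    scenario = classify(event)
    return list(PLAYBOOKS[scenario]) if scenario else []


if __name__ == "__main__":
    sample = {"host": "WS-042", "parent": "WINWORD.EXE", "process": "powershell.exe"}
    print(classify(sample), plan_containment(sample))
```

The first matching rule wins, so an event carrying several indicators is contained under the earliest scenario; the analyst still validates with logs and threat intel before the playbook runs (Step 2 of the workflow).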
Containment Workflow (SOC Standard)
Step 1 — Identify impact
Which host, which user, what processes.
Step 2 — Confirm malicious behavior
Validate with logs, EDR, TI.
Step 3 — Select containment type
Immediate or strategic.
Step 4 — Apply containment
- Isolate
- Block
- Kill processes
- Disable identity
Step 5 — Verify containment worked
Check:
- No more C2 traffic
- No suspicious processes
- No new logs matching IoCs
Step 6 — Document containment actions
Include:
- User
- Host
- Processes stopped
- IPs blocked
- Tools used
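Steps 5 and 6 of the workflow are the part most often skipped under pressure: checking that no log after the containment timestamp still matches the incident's IoCs, then recording what was done. The script below is an added example, not part of the chapter; the log lines, hostnames, IoC values and timestamps are constructed, and the log format (timestamp, host, event type, value) is an assumption.

```python
# Added example: verify containment (Step 5) and build the record (Step 6).
# All IoCs, hosts and log lines are constructed for illustration.
from datetime import datetime, timezone

# IoCs tied to the incident; the IP is a documentation-range placeholder
IOCS = {
    "ips": {"203.0.113.10"},
    "processes": {"payload.exe"},
    "domains": {"sync-drive-storage.net"},
}
# Moment the analyst applied isolation / blocks
CONTAINED_AT = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)

# Constructed sample telemetry: timestamp host event_type value
LOGS = """\
2024-05-01T10:20:00Z WS-042 net_conn 203.0.113.10
2024-05-01T10:25:00Z WS-042 proc_start payload.exe
2024-05-01T10:31:00Z WS-042 net_conn 203.0.113.10
2024-05-01T10:40:00Z WS-017 dns_query sync-drive-storage.net
2024-05-01T10:45:00Z WS-042 proc_start explorer.exe
"""


def parse(line: str):
    ts, host, kind, value = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, kind, value


def residual_activity(logs: str = LOGS) -> list:
    """Events after CONTAINED_AT that still match an IoC.
    An empty list means the Step 5 checks passed."""
    all_iocs = IOCS["ips"] | IOCS["processes"] | IOCS["domains"]
    hits = []
    for line in logs.splitlines():
        ts, host, kind, value = parse(line)
        if ts <= CONTAINED_AT:
            continue  # pre-containment activity is expected; ignore it
        if value.lower() in all_iocs:
            hits.append({"time": ts.isoformat(), "host": host, "event": kind, "ioc": value})
    return hits


def containment_record(actions: list, hits: list) -> dict:
    """Step 6: the record attached to the ticket. A non-empty hit list
    means containment did not hold or another host is involved."""
    return {
        "contained_at": CONTAINED_AT.isoformat(),
        "actions": actions,
        "verified": not hits,
        "residual_activity": hits,
        "hosts_needing_attention": sorted({h["host"] for h in hits}),
    }
```

In the constructed data the isolated host still beacons a minute after containment and a second host resolves the exfiltration domain, so the record comes back unverified and names both hosts, which is exactly the cue to re-check isolation and query EDR for additional infected hosts.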
Intel Dump
- Containment stops attacker activity and limits damage.
- Immediate containment includes isolating hosts, killing processes, blocking IPs/domains, disabling accounts, and revoking sessions.
- Long-term containment focuses on preventing reinfection through patching and configuration changes.
- SOC uses EDR, SIEM, firewall, proxy, and cloud controls for containment.
- Containment must be fast, targeted, and logged for forensic accuracy.