Containment is the phase where the SOC prevents an active incident from spreading, causing further damage, or escalating.
The goal is to stabilize the environment, stop attacker activity immediately, preserve evidence, and prepare for eradication.
Containment is performed quickly and decisively because every second of attacker dwell time increases the impact of the breach.
Below is a full-scale, practical containment guide used in SOC and IR operations.
Understanding Containment
Containment stops the following:
- Ongoing lateral movement
- Data exfiltration
- Ransomware encryption
- Malware propagation
- Credential theft
- Privilege escalation
- Active C2 communication
Containment actions are chosen based on:
- Severity
- Scope
- Access gained by the attacker
- Tools used
- Business impact
- Endpoint role (server, workstation, domain controller)
Containment Categories
Containment actions fall under three levels.
Immediate Containment
Performed as soon as malicious activity is confirmed.
Includes:
- Kill malicious processes
- Disable suspicious accounts
- Block C2 IPs/domains
- Cut active sessions
- Stop scheduled tasks or services
- Terminate malware scripts
Immediate containment prevents the attacker from continuing their attack chain.
Short-Term Containment
Stabilizes the environment while keeping systems usable.
Includes:
- Isolate affected endpoints
- Disable compromised VPN access
- Revoke tokens or API keys
- Restrict outbound connections
- Disable SMB/WinRM/SSH temporarily
- Remove attacker persistence
This keeps the business running while limiting attacker access.
Long-Term Containment
Hardens the system and removes attacker access over longer periods.
Includes:
- Patch vulnerable systems
- Update firewall rules
- Apply security baselines
- Reset credentials across the environment
- Fix misconfigurations
- Adjust SIEM and EDR policies
This ensures the attacker cannot return through the same path.
Containment Process (SOC Workflow)
SOC teams follow a precise sequence.
Step 1 — Confirm Malicious Activity
Analyst validates:
- Process trees
- Network spikes
- Suspicious commands
- Lateral movement signs
- Data transfer patterns
Example indicator:
powershell.exe -enc + outbound traffic every 30 seconds
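The indicator above pairs two weak signals into one strong one: an encoded PowerShell launch and outbound connections at a near-constant interval. The Python below is an added example (not code from the guide) that scores constructed process and network records the same way; the event field names, the destination addresses and the sample records are assumptions for this demo, not real telemetry.

```python
"""Added example (not from the original guide): flag a host that pairs an encoded
PowerShell launch with near-periodic outbound connections. Event shapes, field
names and all sample records below are constructed for this demo."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample process telemetry (hypothetical hosts and users).
PROCESS_EVENTS = [
    {"host": "WS-0142", "user": "jdoe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo...", "ts": 1000},
    {"host": "WS-0077", "user": "asmith", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1", "ts": 1005},
]

# Constructed sample outbound connections (TEST-NET addresses).
NET_EVENTS = [
    # WS-0142: ~30 s cadence to one destination, +/-1 s jitter (beacon-like).
    *[{"host": "WS-0142", "dst": "203.0.113.45", "dport": 443,
       "ts": 1000 + 30 * i + (i % 2)} for i in range(10)],
    # WS-0077: irregular browsing to a couple of destinations.
    {"host": "WS-0077", "dst": "198.51.100.7", "dport": 443, "ts": 1001},
    {"host": "WS-0077", "dst": "198.51.100.7", "dport": 443, "ts": 1190},
    {"host": "WS-0077", "dst": "198.51.100.9", "dport": 443, "ts": 1210},
]


def _is_encoded_flag(token):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)."""
    t = token.lower()
    return len(t) >= 2 and t.startswith("-e") and "-encodedcommand".startswith(t)


def encoded_powershell_hosts(events):
    """Hosts on which powershell.exe was launched with an encoded command."""
    hosts = set()
    for e in events:
        if e["image"].lower() == "powershell.exe":
            if any(_is_encoded_flag(tok) for tok in e["cmdline"].split()):
                hosts.add(e["host"])
    return hosts


def beacon_intervals(net_events, min_conns=5, max_cv=0.15):
    """Return {(host, dst): mean_gap_seconds} for host/destination pairs whose
    connection gaps are near-constant (coefficient of variation below max_cv)."""
    by_pair = defaultdict(list)
    for e in net_events:
        by_pair[(e["host"], e["dst"])].append(e["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            beacons[pair] = round(m, 1)
    return beacons


def containment_candidates(process_events, net_events):
    """Hosts showing both indicators at once: encoded PowerShell plus a beacon."""
    enc_hosts = encoded_powershell_hosts(process_events)
    out = {}
    for (host, dst), interval in beacon_intervals(net_events).items():
        if host in enc_hosts:
            out[host] = {"dst": dst, "interval_s": interval}
    return out


if __name__ == "__main__":
    for host, hit in containment_candidates(PROCESS_EVENTS, NET_EVENTS).items():
        print(f"{host}: beacon to {hit['dst']} every ~{hit['interval_s']} s + encoded PowerShell")
```

The coefficient-of-variation threshold is what separates a beacon from normal traffic: legitimate clients also talk to the same host repeatedly, but their gaps vary widely, while implant check-ins stay tight around their sleep timer even with a little jitter. Tune `min_conns` and `max_cv` against a baseline window before acting on the output.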
Step 2 — Identify Affected Hosts
Determine:
- Initial compromised machine
- Any lateral movement targets
- Systems showing communication to the same IOC
- Users associated with malicious activity
SIEM and EDR queries help identify the blast radius.
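As an added example of the blast-radius query this step describes (not code from the guide), the Python below walks constructed SIEM-style events outward from the first compromised machine: every host that contacted the same IOC is a seed, remote logons from a seed host are followed to their targets, and the users riding those sessions are collected. Event types, field names, host names, the role map and the IOC values are all assumptions for the demo.

```python
"""Added example (not part of the guide): scope an incident's blast radius by
correlating SIEM-style events against a seed host and a known IOC set.
Event shapes, host names, roles and IOC values are constructed for this demo."""
from collections import defaultdict, deque

# Constructed sample events: "net" = outbound connection from host,
# "logon" = remote logon onto host from src_host as user.
EVENTS = [
    {"type": "net",   "host": "WS-0142",  "user": "jdoe",   "dst": "203.0.113.45"},
    {"type": "net",   "host": "WS-0201",  "user": "mlee",   "dst": "203.0.113.45"},
    {"type": "net",   "host": "WS-0077",  "user": "asmith", "dst": "198.51.100.7"},
    {"type": "logon", "host": "FS-01",    "src_host": "WS-0142", "user": "svc-backup"},
    {"type": "logon", "host": "DC-01",    "src_host": "FS-01",   "user": "svc-backup"},
    {"type": "logon", "host": "HR-APP-01", "src_host": "WS-0201", "user": "mlee"},
]

# Constructed IOC set (a placeholder IP and a placeholder domain).
IOCS = {"203.0.113.45", "malicious-cdn.invalid"}

# Constructed asset inventory: endpoint role drives containment priority.
ROLES = {"DC-01": "domain controller", "FS-01": "server",
         "HR-APP-01": "server", "WS-0142": "workstation",
         "WS-0201": "workstation", "WS-0077": "workstation"}
PRIORITY = {"domain controller": 0, "server": 1, "workstation": 2}


def blast_radius(events, seed_host, iocs):
    """Breadth-first walk over lateral logons, seeded with the first compromised
    host and every host that talked to a known IOC. Returns affected hosts
    (highest-priority role first), associated users, and the IOC-contacting hosts."""
    ioc_hosts = {e["host"] for e in events
                 if e["type"] == "net" and e["dst"] in iocs}
    lateral = defaultdict(set)             # src_host -> {(target_host, user)}
    for e in events:
        if e["type"] == "logon":
            lateral[e["src_host"]].add((e["host"], e["user"]))

    affected, users = set(), set()
    queue = deque([seed_host, *sorted(ioc_hosts)])
    while queue:
        host = queue.popleft()
        if host in affected:
            continue
        affected.add(host)
        for target, user in lateral.get(host, ()):
            users.add(user)                # account used to move laterally
            queue.append(target)

    # Users whose sessions on an affected host contacted the IOC.
    for e in events:
        if e["type"] == "net" and e["host"] in affected and e["dst"] in iocs:
            users.add(e["user"])

    ordered = sorted(affected,
                     key=lambda h: (PRIORITY.get(ROLES.get(h, "workstation"), 2), h))
    return {"hosts": ordered, "users": sorted(users), "ioc_hosts": sorted(ioc_hosts)}


if __name__ == "__main__":
    scope = blast_radius(EVENTS, "WS-0142", IOCS)
    for h in scope["hosts"]:
        print(f"{h:10s} {ROLES.get(h, 'unknown')}")
    print("users to review:", ", ".join(scope["users"]))
```

The role-ordered host list is the containment queue: a domain controller reached by lateral movement is handled before the workstations, and the user list feeds the credential-reset and token-revocation steps later in the workflow. A host like `WS-0077` that never touched an IOC and was never logged onto from an affected host stays out of scope, which is exactly the "blocking the wrong range" mistake this step is meant to avoid.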
Step 3 — Perform Immediate Containment Actions
Examples:
- Kill malware process
- Stop PowerShell or cmd sessions
- Block malicious IP/domain
- Remove scheduled task
- Disable attacker-created accounts
These actions slow or stop the attacker.
Step 4 — Isolate Hosts (If Required)
Isolation prevents spread without shutting down the machine.
Methods include:
- EDR isolation
- Firewall segmentation
- Network quarantine VLAN
- VPN disconnection
Isolation keeps the machine running but cuts all communication except to the EDR platform.
Step 5 — Preserve Evidence
Before major actions like reboot or cleanup, SOC preserves data.
Collect:
- Memory snapshot
- EDR artifacts
- Suspicious binaries
- Log files
- PCAP capture
- Registry artifacts
This evidence is required for RCA and prevention work.
Step 6 — Remove Attacker Access
Actions include:
- Disable compromised user accounts
- Reset passwords
- Remove malicious SSH keys
- Revoke OAuth tokens
- Remove persistence from registry or crontab
- Disable malicious services
This ensures the attacker cannot re-enter after containment.
Step 7 — Communicate With Internal Teams
SOC informs:
- IT operations
- Network team
- Management
- IR team
- Application owners
Containment actions must not disrupt critical services accidentally.
Practical Containment Scenarios
Scenario 1 — Ransomware Detected
Actions:
- Disconnect infected endpoints
- Stop encryption processes
- Block outbound C2 traffic
- Disable compromised accounts
- Stop SMB traffic temporarily
Scenario 2 — Malware Infection From Phishing
Actions:
- Kill malicious process
- Isolate the endpoint
- Block domain and IP indicators
- Revoke user credential tokens
- Scan inbox for related emails
Scenario 3 — Lateral Movement (PsExec/WinRM)
Actions:
- Disable admin accounts used
- Block remote management protocols
- Isolate affected machines
- Kill remote execution sessions
- Reset high-privilege credentials
Scenario 4 — Credential Theft Detected in LSASS
Actions:
- Immediately isolate host
- Reset affected user accounts
- Enforce MFA
- Block attacker IP
- Deploy memory collection for forensics
Containment Mistakes to Avoid
- Rebooting before taking memory snapshot
- Killing the wrong processes
- Blocking the wrong IP range
- Resetting passwords too early and alerting attackers
- Deleting malware before collecting samples
- Taking containment actions without documenting steps
- Failing to communicate with IR and network teams
Containment must be controlled, not chaotic.
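Step 5 (preserve evidence), Step 7 (communicate) and the mistakes list above all come down to ordering and record-keeping: evidence-destroying actions must wait for collection, attacker-visible actions need sign-off, and every action needs a timestamped entry. The Python below is an added example (not code from the guide) of a containment action log that enforces those rules before an entry is written; the action names, prerequisite table and sample sequence are assumptions constructed for the demo, not a standard.

```python
"""Added example (not from the guide): a containment action log whose guardrails
mirror the 'mistakes to avoid' list. Action names, the prerequisite table and
the sample sequence are constructed for this demo."""
from collections import defaultdict
from datetime import datetime, timezone

# Actions that destroy volatile or on-disk evidence, and what must precede them
# on the same host (order of volatility: memory first, then disk, then logs).
PREREQUISITES = {
    "reboot_host":    {"capture_memory"},
    "delete_malware": {"collect_sample"},
    "reimage_host":   {"capture_memory", "collect_sample", "collect_logs"},
}

# Actions the attacker can observe or that can disrupt production; these need
# IR/network sign-off recorded before they are taken.
REQUIRES_APPROVAL = {"reset_passwords", "block_ip_range", "disable_account"}


class ContainmentLog:
    """Append-only record of containment actions for one incident."""

    def __init__(self, incident_id, analyst):
        self.incident_id = incident_id
        self.analyst = analyst
        self.entries = []
        self.done_per_host = defaultdict(set)

    def record(self, host, action, detail="", approved_by=None):
        """Record an action, refusing any that would destroy uncollected evidence
        or that needs sign-off but has none. Returns the written entry."""
        missing = PREREQUISITES.get(action, set()) - self.done_per_host[host]
        if missing:
            raise ValueError(
                f"{action} on {host} blocked: collect {sorted(missing)} first")
        if action in REQUIRES_APPROVAL and not approved_by:
            raise ValueError(f"{action} on {host} needs IR/network sign-off")
        entry = {
            "incident": self.incident_id,
            "host": host,
            "action": action,
            "detail": detail,
            "analyst": self.analyst,
            "approved_by": approved_by,
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        }
        self.entries.append(entry)
        self.done_per_host[host].add(action)
        return entry

    def rollback_plan(self):
        """Actions in reverse order, for undoing temporary measures after eradication."""
        return [(e["host"], e["action"]) for e in reversed(self.entries)]

    def evidence_collected(self, host):
        """Which preservation steps have been logged for a host so far."""
        return sorted(self.done_per_host[host] & {"capture_memory",
                                                  "collect_sample",
                                                  "collect_logs"})


if __name__ == "__main__":
    log = ContainmentLog("INC-PLACEHOLDER-001", "analyst-on-shift")
    log.record("WS-0142", "isolate_host", "EDR network isolation")
    try:
        log.record("WS-0142", "reboot_host")        # refused: no memory image yet
    except ValueError as err:
        print("refused:", err)
    log.record("WS-0142", "capture_memory", "full RAM image to evidence share")
    log.record("WS-0142", "reboot_host")            # now allowed
    for host, action in log.rollback_plan():
        print(f"undo on {host}: {action}")
```

Keeping the prerequisite table in code rather than in an analyst's head is the point: under time pressure the reboot gets typed before the memory capture unless something refuses it. The rollback plan is the list handed to IT operations once eradication is confirmed, so temporary measures such as isolation and protocol blocks are lifted in the reverse order they were applied.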
Analyst Checklist for Containment
- Validate threat
- Identify affected machines
- Kill malicious processes
- Block related indicators
- Isolate endpoints if needed
- Preserve evidence
- Remove attacker persistence
- Revoke access
- Document every action
This ensures containment is effective and repeatable.
Intel Dump
- Containment prevents attacker progress by killing processes, blocking connections, and isolating hosts.
- Actions include immediate, short-term, and long-term containment.
- SOC workflow: validate → identify hosts → contain → isolate → preserve evidence → remove access.
- Key techniques include blocking IOCs, disabling accounts, stopping services, and restricting network access.
- Proper containment requires coordination, documentation, and evidence preservation.