Containment, Eradication, and Recovery Decisions
Key Takeaways
- Containment limits active harm; the method must fit business impact, safety, and evidence needs.
- Short-term containment buys time fast; long-term containment keeps a system available behind stricter controls until root cause is removed.
- Eradication removes malware, persistence, exploited vulnerabilities, exposed credentials, and unsafe configuration; blocking one indicator is not eradication.
- Recovery must restore only from trusted sources (clean backup, gold image, infrastructure as code) and include validation that the incident does not recur.
- Order of volatility says preserve volatile data (RAM, running processes, network connections) before powering off or reimaging.
Three Distinct Activities
Containment, eradication, and recovery are sequential and related, but they are not interchangeable, and SY0-701 will test whether you can tell them apart. Containment limits active harm. Eradication removes the cause and the attacker's foothold. Recovery restores trusted service. A strong IR answer picks the action that matches the current phase and the risk, not just the action that feels fastest.
Containment Choices and Tradeoffs
| Situation | Containment action | Tradeoff |
|---|---|---|
| Malware beaconing from one laptop | Network-isolate the host in EDR | Fast and targeted, but may tip off the attacker |
| Compromised user account | Disable account, revoke sessions, reset credentials | Stops account use, but may interrupt legitimate work |
| Ransomware on a file server | Block SMB, isolate server, disable suspect service account | Limits spread, but breaks shared file access |
| Malicious IP scanning a web app | Block source at the WAF or firewall | Useful if source is fixed, weak if attacker rotates infrastructure |
| Stolen cloud access key | Disable the key, review recent API calls | Stops key abuse, but apps using it may fail |
Short-term vs. long-term containment
Short-term containment is the immediate action: isolate the host, pull the cable, disable the account. Long-term containment stabilizes operations while you prepare a permanent fix, for example placing a still-needed but vulnerable server behind tighter segmentation and monitoring until a patched rebuild is ready. The exam expects you to recognize that a system sometimes must stay online under stricter controls rather than be torn down immediately.
Isolation, Segmentation, and Sandboxing
Security+ tests several specific containment techniques by name, and knowing the difference between them is worth a question or two. Isolation removes an affected asset from the network entirely so it can do no further harm and reach no further targets; EDR network containment that keeps the management channel alive while cutting everything else is a favorite modern method. Segmentation does not pull the asset offline but confines it to a restricted network zone, often a quarantine VLAN, limiting lateral movement while preserving needed connectivity.
Sandboxing detonates or runs suspicious code in a controlled, instrumented environment so analysts can observe behavior without risking production. A subtle exam trap is choosing full isolation when the scenario stresses that the system controls a safety-critical or revenue-critical process; in operational-technology and healthcare contexts, abruptly isolating a controller can cause physical or patient harm, so segmentation plus monitoring may be the safer, expected answer. Match the containment aggressiveness to the business and safety risk described.
Order of Volatility
Before you power off or reimage, capture evidence in order of volatility, most perishable first. Reaching for the power cord first is a classic wrong answer because it destroys exactly the data forensics needs.
- CPU registers and cache
- RAM (running processes, network connections, decryption keys)
- Temporary files and swap/pagefile
- Disk (data at rest)
- Remote logging and monitoring data
- Physical configuration and archival media
Decision Timeline
Scenario: A manufacturer finds suspicious remote access to a production support server.
| Time | Evidence | Decision |
|---|---|---|
| 14:02 | VPN login from an unusual country using an engineer's account | Raise severity, review identity logs |
| 14:07 | EDR shows a remote shell on the support server | Declare incident, preserve active session detail |
| 14:10 | Server runs reporting, not machinery | Isolate from the VPN path, keep internal reporting available |
| 14:18 | Same account opened the password vault | Disable account, revoke sessions, rotate accessed secrets |
| 15:05 | Persistence found as a scheduled task | Capture evidence, then remove the task |
| 17:40 | Clean rebuild ready | Restore from a known-good image and monitor |
This shows why IR is rarely one action. Pulling the power cord might stop activity but destroys volatile evidence and may cause an unnecessary outage. Leaving the system online preserves evidence but allows continued attacker activity. The incident commander makes a risk-based call with technical and business input.
Eradication Actions
Eradication addresses root cause and footholds: remove malware, delete unauthorized scheduled tasks and services, close vulnerable remote access, patch exploited software, disable rogue accounts, rotate exposed credentials, and remove malicious inbox rules or OAuth grants. Do not confuse blocking an indicator with eradication. Blocking one IP reduces traffic but leaves stolen credentials, persistence, and a vulnerable application intact.
Recovery Actions and Validation
Recovery must use trusted sources: a clean backup, a gold image, infrastructure-as-code redeployment, or a system returned only after verified remediation. Always validate before declaring service restored:
- Confirm patches and configuration fixes are present.
- Confirm malicious accounts, keys, tasks, and services are gone.
- Confirm monitoring and logging are active on the restored asset.
- Confirm business owners can perform required functions.
- Watch for repeat indicators after service returns.
Common Traps
- Reimaging a host before collecting the evidence needed to scope the incident.
- Restoring from a backup that already contains the persistence mechanism.
- Resetting a password but never revoking active sessions and tokens.
- Blocking one domain while ignoring the compromised host that generated the traffic.
- Returning a system to service with no recurrence monitoring.
- Treating containment as proof the incident is over.
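The ordering rules in the Order of Volatility, Recovery Actions, and Common Traps sections can be checked mechanically. The following response-plan linter is an added example written for this guide, not an exam tool or any vendor's code; the action names, phase labels, and the two sample plans for the ransomware-on-a-file-server scenario are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Order of volatility: lower rank is more perishable and must be captured first.
VOLATILITY = {"registers": 0, "ram": 1, "swap": 2, "disk": 3, "remote_logs": 4, "archive": 5}
# Actions that destroy volatile state or evidence; RAM must be captured before them.
DESTRUCTIVE = {"power_off", "reimage", "remove_persistence"}
# Recovery sources the guide accepts as trusted.
TRUSTED_SOURCES = {"clean_backup", "gold_image", "iac_redeploy"}

@dataclass
class Step:
    action: str                     # constructed names, e.g. "isolate_host", "capture"
    phase: Optional[str] = None     # "contain", "eradicate" or "recover"
    target: Optional[str] = None    # evidence class for capture, source for restore

def lint_plan(steps):
    """Return rule violations in plan order; an empty list means the plan is sound."""
    problems, captured = [], []
    contained = eradicated = False
    actions = {s.action for s in steps}
    for i, s in enumerate(steps):
        if s.action == "capture":
            if captured and VOLATILITY[s.target] < VOLATILITY[captured[-1]]:
                problems.append(f"step {i}: {s.target} captured after less volatile {captured[-1]}")
            captured.append(s.target)
        if s.action in DESTRUCTIVE and "ram" not in captured:
            problems.append(f"step {i}: {s.action} before RAM was captured")
        if s.phase == "contain":
            contained = True
        elif s.phase == "eradicate":
            if not contained:
                problems.append(f"step {i}: eradication before any containment")
            eradicated = True
        elif s.phase == "recover" and s.action == "restore":
            if not eradicated:
                problems.append(f"step {i}: restore before root cause was eradicated")
            if s.target not in TRUSTED_SOURCES:
                problems.append(f"step {i}: restore from untrusted source {s.target}")
    if "reset_password" in actions and "revoke_sessions" not in actions:
        problems.append("password reset without revoking active sessions and tokens")
    if not steps or steps[-1].action != "monitor":
        problems.append("plan does not end with recurrence monitoring")
    return problems

# Constructed plans for the ransomware-on-a-file-server scenario.
GOOD_PLAN = [Step("isolate_host", "contain"), Step("capture", target="ram"),
             Step("capture", target="disk"), Step("remove_persistence", "eradicate"),
             Step("restore", "recover", "gold_image"), Step("monitor", "recover")]
BAD_PLAN = [Step("power_off", "contain"), Step("capture", target="disk"),
            Step("capture", target="ram"), Step("restore", "recover", "old_backup"),
            Step("reset_password", "eradicate")]

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, lint_plan(plan) or "sound")
```

Running it reports the bad plan's six violations (power-off before a RAM capture, disk captured before RAM, restore before eradication and from an untrusted source, a password reset without session revocation, and no closing monitoring step) while the good plan passes.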
A cloud access key is confirmed stolen and currently being used. What is the best immediate containment action?
An analyst must capture evidence from a compromised running server before rebuilding it. Following order of volatility, what should be collected first?
PBQ style: A ransomware process is active on one file server. Order the response actions.