In the world of digital forensics and incident response (DFIR), containment is all about taking immediate action to halt the attacker, or at least put more speed bumps in their way. Think of it as putting pressure on a wound: it’s not about fixing the problem entirely, but about slowing the damage and hopefully preventing it from spreading. Just like a first responder stabilizing a patient, the goal is to stop things from getting worse, which gives you time to figure out a long-term solution.
When Does Containment Occur?
Containment can happen at any point during incident response and is designed to stop the attacker or threat from causing further damage. It’s quick, decisive, and usually low-cost to implement (at least in terms of direct expenses). While containment may not come with an immediate price tag, it can have an impact on business operations that will have a cost associated with it. This is where risk assessment comes in: weighing the pros and cons of taking immediate action, and what that action should be, versus allowing the situation to continue unchecked.
Without containment, you’re leaving the door wide open for the attacker to continue wreaking havoc. Whether it’s an attacker continuing to conduct recon of your environment, malware spreading, an attacker siphoning sensitive data, or an internal threat escalating their privileges, containment helps minimize these risks while buying you time to figure out your next move.
Here are a few examples of quick containment actions:
- Disabling user accounts – If an employee’s account is compromised, disabling it prevents further unauthorized access. The same goes for accounts of users who are no longer employed. This is all about reducing the attack surface.
- Changing passwords – A simple but effective move to limit access.
- Enabling MFA / resetting MFA tokens – Similar in effect to changing passwords, but more labor intensive if you have to roll out MFA from scratch.
- Isolating systems – Disconnecting systems identified as infected or compromised from the network, or isolating them via EDR, to prevent lateral movement. This does not mean powering off the system. If possible, always leave live systems live; powering one off discards volatile evidence such as memory contents, which will be important later during collection and analysis.
- Blacklisting IP addresses – Blocking known malicious IP addresses that attackers are using to communicate with your network.
These are just a few actions you can take fast, usually with minimal investment or resources. But remember, containment is not the end solution—it’s just the pause button, allowing you to get your bearings.
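As an added example (not code from the original post), the following PowerShell playbook wraps the account, password and IP-blocking actions listed above and supports a dry run with -WhatIf so the business impact can be reviewed before anything changes. It assumes the ActiveDirectory and NetSecurity modules on a domain-joined admin host; the ticket ID, account name and IP address are hypothetical, constructed values.

```powershell
# Added example, not from the original post. Assumptions: ActiveDirectory and NetSecurity
# modules are available on a domain-joined admin host; $TicketId is a hypothetical case number.
#Requires -Modules ActiveDirectory, NetSecurity

function Invoke-QuickContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$CompromisedAccounts = @(),   # accounts believed compromised
        [string[]]$MaliciousIPs = @(),          # attacker source / C2 addresses
        [int]$InactiveDays = 90,                # disable accounts unused this long
        [string]$TicketId = 'IR-PLACEHOLDER'    # case reference for the audit log
    )
    $log = Join-Path $env:TEMP "containment-$TicketId.log"
    function Write-Audit($msg) { "$(Get-Date -Format o) $msg" | Tee-Object -FilePath $log -Append }
    foreach ($acct in $CompromisedAccounts) {
        if ($PSCmdlet.ShouldProcess($acct, 'Disable account and reset password')) {
            Disable-ADAccount -Identity $acct
            # random temporary password; the user gets a real one through the helpdesk
            $tmp = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct -Reset -NewPassword $tmp
            Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
            Write-Audit "[$TicketId] disabled + password reset: $acct"
        }
    }
    # Reduce attack surface: enabled accounts nobody has used recently (ex-employees etc.)
    $stale = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly |
             Where-Object { $_.Enabled }
    foreach ($s in $stale) {
        if ($PSCmdlet.ShouldProcess($s.SamAccountName, "Disable account inactive > $InactiveDays days")) {
            Disable-ADAccount -Identity $s.SamAccountName
            Write-Audit "[$TicketId] disabled inactive account: $($s.SamAccountName)"
        }
    }
    # Block known attacker addresses at the host firewall, in both directions
    foreach ($ip in $MaliciousIPs) {
        if ($PSCmdlet.ShouldProcess($ip, 'Block at host firewall')) {
            foreach ($dir in 'Inbound', 'Outbound') {
                New-NetFirewallRule -DisplayName "IR $TicketId block $ip $dir" -Direction $dir `
                    -RemoteAddress $ip -Action Block -Profile Any | Out-Null
            }
            Write-Audit "[$TicketId] blocked $ip"
        }
    }
    Write-Audit "[$TicketId] containment done; compromised hosts left powered on for collection"
}

# Dry run first with -WhatIf; re-run without it once the business has accepted the impact.
# Sample values below are constructed (203.0.113.0/24 is a documentation range).
Invoke-QuickContainment -CompromisedAccounts 'jdoe' -MaliciousIPs '203.0.113.7' -TicketId 'IR-0001' -WhatIf
```

The audit log gives you the timestamped record of what was contained and when, which feeds directly into the risk discussion with the decision makers.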
Containment vs. Business Impact: The Risk Trade-off
Every organization faces this tricky balance: does the cost of containment outweigh the risk of doing nothing? Often, you’ll need to ask the question: “If we contain this, how will it affect the business?” This is a topic that will come up again during the remediation phase.
Consider these examples:
- Blocking a critical server may stop an attack, but could it also prevent essential operations from running?
- Disabling employee access could keep sensitive data safe, but does it also halt a key project?
- Blocking a port in the firewall may slow the attacker down, but does it also break other business functions that rely on the same port for different network services?
This is where a risk assessment comes into play. The key question is whether the risk of letting an issue continue outweighs the potential business disruption. Typically, these high-stakes decisions rise above our pay grade. Our job is to lay out the facts: how bad could the situation get if we don’t contain, and what are the possible impacts if we do? Remember, we are here only to present the facts as we find them and discuss potential impacts. Let the victim or the higher-ups decide what should be done.
Facts and Figures: The Cost of Not Containing
When containment is delayed or skipped, the financial cost of a data breach skyrockets. According to IBM’s 2024 Cost of a Data Breach Report, the global average cost of a data breach hit $4.88 million, a 10% increase over the year before. Fast containment goes a long way toward reducing that bill: breaches with a life cycle of 200 days or less save organizations an average of $1.39 million compared to those that take longer to control.
The longer you wait to contain an incident, the more severe the damage can become:
- Increased data loss – More time for the attacker to exfiltrate sensitive information.
- Greater reputational damage – The longer an attack lingers, the bigger the headlines, and the more your customers lose trust.
- Wider network compromise – Uncontained threats can spread across your systems like wildfire.
Wrapping It Up: Containment is the Pause Button
At the end of the day, containment is your chance to stop the bleeding and stabilize the situation. It doesn’t solve the underlying issue (that is what remediation is for), but it buys you the time you need to investigate and address the problem fully. So, the next time an incident comes across your desk, remember: contain it, assess the risk, and help your organization / client make smart, informed decisions that minimize the impact of a cyber attack.