“Isolate everything” sounds decisive until the affected network supports patient care, manufacturing, identity, communications, or the systems needed to recover. Waiting for certainty is equally dangerous: encryption can continue, privileged access can spread, and backup infrastructure can be damaged while the team debates scope.
1. Define the containment objectives
Containment is not one action. The incident commander and technical leads should state which attacker capability each action is intended to remove:
- Stop active encryption and destructive execution.
- Interrupt lateral movement and remote administration.
- Invalidate compromised human and machine identities.
- Protect identity, virtualization, security-management, and backup control planes.
- Preserve volatile and centralized evidence.
- Maintain essential safety and business functions.
Every decision record should identify the affected scope, expected security benefit, operational impact, approver, assumptions, validation signal, and next review time.
2. Work the first four hours deliberately
These windows are prioritization guidance, not universal service-level targets. Active encryption, safety implications, or control-plane compromise can justify immediate escalation.
| WINDOW | TECHNICAL PRIORITIES | DECISION OUTPUT |
|---|---|---|
| 0–15 min | Validate the signal in EDR and target-system logs; open the incident record; assign command; preserve UTC timestamps; identify the first affected host, user, and process tree. | Confirmed incident, initial scope, authority to act |
| 15–30 min | Isolate confirmed hosts; disable or restrict affected identities; revoke active sessions; block known infrastructure; protect EDR, identity, virtualization, and backup consoles. | Initial attacker capability reduced |
| 30–60 min | Hunt remote execution and privileged authentication; identify encryption paths; restrict SMB, RDP, WinRM, WMI, SSH, VPN, and management channels according to observed behavior. | Propagation paths mapped and segmented |
| 1–4 hr | Acquire priority evidence; rotate emergency credentials from clean systems; validate backup immutability; establish clean administration; prepare staged recovery and continuous hunting. | Stable containment state with recovery options |
3. Contain the blast radius, not just the endpoint
The visibly encrypted host is often the least important part of the architecture. Responders must determine whether the attacker can still operate through identity, administration, virtualization, network, or backup control planes.
The numbered cuts are ordered by urgency, not organizational ownership: isolate active execution, revoke the authority behind it, protect recovery, segment propagation paths, then establish a clean recovery enclave.
4. Use the tools as control surfaces
| CAPABILITY | CONTROL SURFACES | VALIDATION EVIDENCE |
|---|---|---|
| Endpoint containment | EDR isolation, host firewall, NAC, switch-port controls | EDR heartbeat retained; prohibited connections fail; no new malicious child processes |
| Identity containment | AD/IdP disablement, session revocation, conditional access, privileged-role restriction | Authentication failures, token revocation, no new ticket or session issuance |
| Network segmentation | Firewall, VLAN, NAC, VPN, DNS, proxy, egress controls | Flow logs and firewall denies match the intended cut |
| Investigation | SIEM, EDR telemetry, Sysmon, Windows Event Logs, Velociraptor, KAPE, osquery | Correlated process, identity, network, and persistence timeline |
| Cloud and control plane | Cloud audit logs, sign-in telemetry, workload identity, virtualization administration | No unauthorized control-plane changes or continuing privileged sessions |
| Backup protection | Immutability controls, vault isolation, administrative audit, credential separation | Restore points intact; deletion paths blocked; clean administrators established |
Console success messages are not proof of containment. Validate the effect in downstream telemetry and the target system. A host reported as isolated may retain management exceptions; a password reset may leave sessions, Kerberos tickets, OAuth grants, API keys, certificates, and service credentials active.
5. Preserve evidence according to volatility
Collect quickly when time and safety permit
- Memory and active network connections
- Process trees, loaded modules, and command execution
- Logged-on sessions and token or ticket state
- EDR live-response artifacts and volatile malware configuration
- Active shares, remote sessions, and encryption handles
Protect centralized evidence
- Identity provider and directory audit logs
- SIEM and EDR event stores
- Cloud and virtualization control-plane events
- Firewall, DNS, proxy, VPN, and NAC telemetry
- Backup-console and immutable-storage audit logs
Do not delay an urgent containment action merely to collect perfect evidence. Record what was lost, why the action was necessary, and which alternative evidence sources remain.
6. Measure whether containment worked
Do not declare containment because encryption appears to have stopped. Define an observation window and require multiple independent signals:
- No newly encrypted or impacted hosts during the observation period.
- No continuing malicious remote execution or lateral movement.
- Compromised sessions, credentials, and delegated access are invalidated.
- Administrative protocols and affected trust paths are restricted.
- Backup systems are isolated, immutable, and independently administered.
- EDR and centralized logging remain healthy across the contained scope.
- Known persistence is removed or rendered unable to execute.
- Responders have clean identities, workstations, and communication channels.
7. Use technical recovery gates
Reconnection is a controlled change, not the end of isolation. Require evidence that:
- The initial access path and demonstrated propagation paths are addressed.
- Persistence is removed and high-risk identities are reset from trusted systems.
- Restoration sources and golden images are validated.
- Monitoring is active before network access is restored.
- Recovery occurs in stages: identity and management, core dependencies, critical applications, then broader user access.
- Rollback to isolation remains possible at every stage.
- The accountable business owner accepts documented residual risk.
Ransomware containment remains a business decision because every technical cut changes operational risk. A mature playbook makes that tradeoff explicit while giving responders the architecture, telemetry, authority, and verification criteria to act under pressure.