Containment, Eradication, and Recovery
Apply containment strategies (network isolation, account lockout), remove malware footholds, restore from clean backups, and verify system integrity.
Three Phases After Detection
Once an incident is confirmed and scoped, the response moves through three consecutive phases: Containment (stop the damage from spreading), Eradication (remove all attacker footholds from the environment), and Recovery (restore systems to normal operation and verify integrity). Each phase has distinct objectives and verification criteria. Moving to recovery before completing eradication is a common error that leads to re-infection from remaining attacker persistence mechanisms.
Short-Term vs Long-Term Containment
Containment happens in two stages. Short-term containment provides immediate stabilization — isolating affected systems from the network, blocking attacker IP addresses at the firewall, disabling compromised accounts — to stop active damage. Long-term containment implements more durable controls that allow the organization to continue operating while investigation and eradication proceed — for example, segmenting the compromised network zone rather than taking it offline entirely.
# Short-term containment actions (Linux shell unless noted otherwise)
# 1. Isolate compromised host from network (EDR network containment; vendor CLI as shown in the course, host IDs are placeholders):
falconctl -s network_contain --aids=<AID1,AID2>
# 2. Block attacker IP at perimeter firewall (both directions, so outbound C2 callbacks are dropped as well):
iptables -I INPUT -s 198.51.100.10 -j DROP
iptables -I OUTPUT -d 198.51.100.10 -j DROP
# 3. Disable compromised Active Directory account (PowerShell, ActiveDirectory module):
Disable-ADAccount -Identity 'compromised_user'
# 4. Reset Kerberos tickets (force re-auth):
# Reset krbtgt password TWICE (invalidates all Golden Tickets); let AD replication complete between the two resets
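The phase-ordering rule from "Three Phases After Detection" and the integrity verification that closes recovery, as an added Python example (not code from the course page): recovery cannot begin until every foothold recorded during analysis is marked removed, and restored files are compared against a known-good SHA-256 manifest. The incident data, paths and file contents are constructed for the demonstration.

```python
"""Phase gate for Containment -> Eradication -> Recovery, plus a restore-integrity check.
Added example, not course code; incident data, paths and file contents are constructed."""
import hashlib
from dataclasses import dataclass, field

PHASES = ("containment", "eradication", "recovery")

@dataclass
class Incident:
    phase: str = "containment"
    containment_verified: bool = False             # attacker traffic/accounts confirmed blocked
    footholds: dict = field(default_factory=dict)  # persistence name -> removed (bool)

    def advance(self) -> str:
        """Move to the next phase only when the current phase's exit criteria are met."""
        if self.phase == "containment" and not self.containment_verified:
            raise RuntimeError("containment not verified: damage may still be spreading")
        if self.phase == "eradication":
            remaining = sorted(n for n, removed in self.footholds.items() if not removed)
            if remaining:  # the re-infection trap: recovering with persistence still in place
                raise RuntimeError(f"eradication incomplete, footholds remain: {remaining}")
        if self.phase == "recovery":
            raise RuntimeError("already in recovery; nothing to advance to")
        self.phase = PHASES[PHASES.index(self.phase) + 1]
        return self.phase

def verify_restored_files(baseline: dict, restored: dict) -> list:
    """Compare restored file contents (path -> bytes) against a known-good manifest
    (path -> sha256 hex). Returns paths that are missing, altered, or unexpected."""
    bad = []
    for path, expected in baseline.items():
        data = restored.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(path)
    bad.extend(sorted(set(restored) - set(baseline)))  # files the clean backup never had
    return sorted(bad)

if __name__ == "__main__":
    inc = Incident(containment_verified=True, footholds={"cron backdoor": False})
    print(inc.advance())                        # eradication
    inc.footholds["cron backdoor"] = True       # advance() raises if this is still False
    print(inc.advance())                        # recovery
    good = b"clean-config\n"                    # constructed "known-good" file content
    manifest = {"/etc/app.conf": hashlib.sha256(good).hexdigest()}
    print(verify_restored_files(manifest, {"/etc/app.conf": good, "/tmp/x.sh": b"?"}))  # ['/tmp/x.sh']
```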