containing-active-breach

Solid

Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed security breach. Implements short-term and long-term containment using network segmentation, endpoint isolation, credential revocation, and access control modifications. Activates for requests involving breach containment, lateral movement prevention, network isolation, active threat containment, or live incident response.

Category: AI & Automation | 38 stars | 5 forks | Updated yesterday | License: MIT

Quality Score: 89/100

Component (weight): score
Stars (20%): 53
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

# Containing Active Breaches

## When to Use

- A confirmed intrusion is in progress with an active adversary on the network
- Malware is spreading laterally across endpoints or servers
- A compromised account is being used for unauthorized access to systems
- Ransomware encryption has been detected and is actively propagating
- An attacker has established command-and-control communications from internal hosts

**Do not use** for post-incident cleanup when the adversary is no longer active; use eradication procedures instead.

## Prerequisites

- Confirmed incident classification with P1 or P2 severity from triage
- EDR console access with host isolation capabilities (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne)
- Network firewall and switch management access for segmentation
- Active Directory or identity provider administrative access for credential actions
- Pre-approved containment authority documented in the incident response plan
- Evidence preservation plan to avoid destroying forensic artifacts during containment

## Workflow

### Step 1: Assess Containment Scope

Before taking containment actions, map the full scope of compromise. Isolating only the hosts found so far leaves the adversary a foothold and tells them they have been noticed:

- Identify all confirmed compromised hosts via EDR telemetry and SIEM correlation
- Map lateral movement paths using authentication logs (Windows Event ID 4624 with Logon Type 3, network, and Logon Type 10, RemoteInteractive/RDP)
- Identify all compromised credentials (check for pass-the-hash, Kerberoasting, DCSyn...
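Step 1 hinges on turning 4624 logon records into a lateral-movement map before anyone isolates a host. The Python below is an added example written for this page, not code from the skill or its repository. It models the 4624 EventData field names an EDR or SIEM export would carry (Computer, TargetUserName, LogonType, WorkstationName, IpAddress), runs over constructed sample events, and accepts a hypothetical IP-to-hostname map for records whose WorkstationName is blank. It expands known-compromised hosts and accounts to a fixed point over remote logons, which is the set a partial containment would miss.

```python
"""Size the containment scope from Windows 4624 logon events.

Added example for Step 1 (not part of the skill's own files). It walks
successful remote logons (LogonType 3 = network, 10 = RemoteInteractive/RDP)
outward from known-compromised hosts and accounts until no new host or
account is reached.
"""

REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample events, not real telemetry. Field names follow the 4624
# event's EventData: "Computer" is the host that recorded the logon (the
# target); WorkstationName / IpAddress describe the logon source.
SAMPLE_EVENTS = [
    # interactive console logon on the patient-zero workstation: not lateral
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "jdoe",
     "LogonType": 2, "WorkstationName": "WS01", "IpAddress": "-"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "jdoe",
     "LogonType": 3, "WorkstationName": "WS01", "IpAddress": "10.0.1.10"},
    # source known only by IP (WorkstationName blank), same origin as above
    {"EventID": 4624, "Computer": "APP03", "TargetUserName": "jdoe",
     "LogonType": 3, "WorkstationName": "-", "IpAddress": "10.0.1.10"},
    {"EventID": 4624, "Computer": "SRV02", "TargetUserName": "svc_backup",
     "LogonType": 10, "WorkstationName": "WS01", "IpAddress": "10.0.1.10"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "svc_backup",
     "LogonType": 3, "WorkstationName": "SRV02", "IpAddress": "10.0.2.20"},
    # routine machine-account logon to the DC: filtered out as noise
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "FS01$",
     "LogonType": 3, "WorkstationName": "FS01", "IpAddress": "10.0.1.50"},
    # unrelated user on an unrelated path
    {"EventID": 4624, "Computer": "HR01", "TargetUserName": "asmith",
     "LogonType": 3, "WorkstationName": "WS07", "IpAddress": "10.0.3.30"},
    # failed logon: 4625 is not a session and is ignored here
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "jdoe",
     "LogonType": 3, "WorkstationName": "WS01", "IpAddress": "10.0.1.10"},
]


def lateral_edges(events, ip_to_host=None):
    """Return (source_host, target_host, account) for successful remote logons.

    The source is WorkstationName when present, otherwise the IP resolved
    through the (hypothetical) ip_to_host map; unresolved IPs are kept as-is
    so the analyst sees them. Local logons and machine accounts are skipped.
    """
    ip_to_host = ip_to_host or {}
    edges = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue
        user = ev.get("TargetUserName", "").lower()
        if not user or user.endswith("$"):
            continue
        src = ev.get("WorkstationName") or "-"
        if src == "-":
            ip = ev.get("IpAddress", "-")
            src = ip_to_host.get(ip, ip)
        dst = ev["Computer"].upper()
        src = src.upper()
        if src == "-" or src == dst:
            continue
        edges.append((src, dst, user))
    return edges


def containment_scope(events, seed_hosts=(), seed_accounts=(), ip_to_host=None):
    """Expand the seeds to a fixed point over remote-logon edges.

    Rules: a remote logon FROM an in-scope host puts the target host and the
    account used in scope (the credential was used from a host the adversary
    controls); a remote logon WITH an in-scope account puts the target host in
    scope. A source host that used an in-scope account but is not itself in
    scope is reported as a suspect source for analyst review rather than
    auto-included: it may be the attacker's foothold or a legitimate shared host.
    """
    hosts = {h.upper() for h in seed_hosts}
    accounts = {a.lower() for a in seed_accounts}
    edges = lateral_edges(events, ip_to_host)
    paths = []
    changed = True
    while changed:  # terminates: each pass either grows a bounded set or stops
        changed = False
        for src, dst, user in edges:
            if src not in hosts and user not in accounts:
                continue
            before = (len(hosts), len(accounts))
            hosts.add(dst)
            if src in hosts:
                accounts.add(user)
            if (len(hosts), len(accounts)) != before:
                changed = True
            if (src, dst, user) not in paths:
                paths.append((src, dst, user))
    suspect = {src for src, _, user in edges if user in accounts and src not in hosts}
    return {"hosts": sorted(hosts), "accounts": sorted(accounts),
            "paths": paths, "suspect_sources": sorted(suspect)}


if __name__ == "__main__":
    scope = containment_scope(SAMPLE_EVENTS, seed_hosts=["ws01"])
    for key, value in scope.items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should carry into the real run: 4624 is written on the logon target, so the source fields are whatever the client presented and can be blank (hence the IP fallback) or, for a skilled adversary, misleading; and a fixed-point walk over logons over-approximates, so the output is a review list for the containment lead, not an auto-isolation list. Corroborate each edge with EDR process lineage before pulling hosts off the network, and isolate the whole computed set in one action rather than one host at a time.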

Details

Author: adriannoes
Repository: adriannoes/awesome-vibe-coding
Created: 8 months ago
Last Updated: yesterday
Language: Jupyter Notebook
License: MIT