During the “containment” phase of incident response, the first priority is to stop the attacker’s lateral movement while allowing unaffected business services to continue. The most effective and least disruptive containment technique is to logically or physically isolate only the compromised network segment or host(s). This confines the adversary, preserves evidence for later analysis, and avoids the wider operational outage that would occur if all access points were shut down. Dumping logs or enabling additional logging are valuable, but neither halts an active attack. (ISO/IEC 27035-1, §7.4; NIST SP 800-61 r2, §3.2.6).

A. Dumping logs gathers evidence but does not stop the ongoing attack or prevent propagation.

C. Enabling trace logging helps investigation but delays containment, allowing continued damage.

D. Shutting off all network access points halts the attack but also cripples the entire online business, violating availability requirements and exceeding necessary scope.

1. ISO/IEC 27035-1:2016 Information security incident management

§7.4 “Containment: isolate affected networks/systems.”

2. NIST Special Publication 800-61 Revision 2

“Computer Security Incident Handling Guide

” §3.2.6 Containment Strategies

pp. 29-31.

3. Killcrece

et al.

“State of the Practice of Incident Response Teams

” CMU/SEI-2003-TR-001

§5.2 Containment (Carnegie Mellon University

2003).

4. Purdue University CS590 “Cyber Incident Response” Lecture 4 slides

pp. 12-14: “First action in containment—segment or quarantine affected hosts.”

5. Grimes

J.

& Disterer

G. (2013). “Information Security Incident Response–An Industry Perspective.” Computers & Security

31(2)

113-123. DOI:10.1016/j.cose.2012.12.001 (see §4.2 on network isolation as primary containment).