Containment Options
Four containment strategies, each scored for fit and weighed against business continuity, evidence integrity and recovery. Route any option into the approval workflow — nothing executes against real systems.
Targeted Containment
(Recommended) Surgically isolate the compromised endpoint and identity while explicitly protecting the payroll processing path.
- Network-isolate FIN-EP-204 (management channel retained) after memory capture.
- Disable P. Martin's account; rotate credentials and revoke tokens.
- Disable the mailbox forwarding rule and quarantine the inbox rule set.
- Pin svc-finbatch under monitoring so payroll batch can still run.
Security benefit: Removes the most probable propagation routes while preserving payroll.
Business impact: Moderate — P. Martin offline; payroll path deliberately kept intact.
Evidence impact: Low/Moderate — memory + logs captured before isolation.
Recovery impact: Moderate — credential reset and endpoint review required.
Rollback plan: Re-enable account post-investigation; remove isolation; restore delegated access.
Staged Containment
Time-boxed phased plan: contain the identity and endpoint now, verify lateral movement, then decide whether to escalate before the payroll window.
- Stage 1 (now): revoke sessions, disable mailbox rule, capture endpoint memory.
- Stage 2 (+30m): isolate FIN-EP-204; confirm/deny FIN-FS-01 compromise.
- Stage 3 (decision gate): escalate to aggressive only if payment access is confirmed.
- Hold payroll go/no-go review at T-2h with Business Owner.
Security benefit: Balances containment with evidence quality and payroll continuity.
Business impact: Low→Moderate, scaling only if the threat is confirmed to spread.
Evidence impact: Low — sequencing protects volatile artifacts at each stage.
Recovery impact: Moderate — scoped to whichever stages are actually triggered.
Rollback plan: Each stage is independently reversible from its pre-stage snapshot.
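A dry-run model of the staged plan above, added here as an example and not part of the page's tooling: stages are gated by approvals, sequence and time-box, Stage 3 only proceeds once payment access is confirmed, and each stage records only the actions it newly introduced so it can be reversed on its own. The approval set is taken from the comparison table; the strict stage ordering and Stage 3 becoming eligible at +30m are assumptions, and the actions are recorded rather than executed.

```python
from dataclasses import dataclass, field

REQUIRED_APPROVALS = {"IR Lead", "Incident Commander", "Business Owner"}  # per comparison table
@dataclass
class Stage:
    name: str
    actions: list          # (verb, target) pairs, recorded only; "check" changes no state
    offset_min: int        # earliest eligibility, minutes after the plan starts
    prev: str = None       # stage that must already be applied (assumed strict ordering)
    gate: bool = False     # decision gate: proceeds only on confirmed payment access

STAGED_PLAN = [
    Stage("Stage 1", [("revoke", "P. Martin sessions"), ("disable", "mailbox rule"),
                      ("capture", "FIN-EP-204 memory")], 0),
    Stage("Stage 2", [("isolate", "FIN-EP-204"), ("check", "FIN-FS-01")], 30, prev="Stage 1"),
    Stage("Stage 3", [("escalate", "Aggressive Containment")], 30, prev="Stage 2", gate=True),
]

@dataclass
class Run:
    approvals: set
    state: set = field(default_factory=set)      # applied (verb, target) pairs
    deltas: dict = field(default_factory=dict)   # stage name -> actions it introduced
    log: list = field(default_factory=list)

def run_stage(run, stage, elapsed_min, payment_access_confirmed=False):
    """Dry-run one stage `elapsed_min` minutes into the plan; True if applied."""
    if not REQUIRED_APPROVALS <= run.approvals:
        reason = "approvals missing"
    elif stage.prev and stage.prev not in run.deltas:
        reason = f"{stage.prev} not yet applied"
    elif elapsed_min < stage.offset_min:
        reason = "time-box not reached"
    elif stage.gate and not payment_access_confirmed:
        reason = "held at decision gate"
    else:
        # Snapshot only what this stage newly introduces, so it can be reversed alone.
        delta = {a for a in stage.actions if a[0] != "check"} - run.state
        run.state |= delta
        run.deltas[stage.name] = delta
        run.log.append(f"{stage.name}: applied {len(delta)} actions (dry-run)")
        return True
    run.log.append(f"{stage.name}: blocked, {reason}")
    return False

def rollback_stage(run, stage_name):
    """Reverse one stage independently: remove only the actions it introduced."""
    run.state -= run.deltas.pop(stage_name)
    run.log.append(f"{stage_name}: rolled back")
```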
Minimal Containment
Lowest-disruption posture: increase monitoring and revoke the active session without isolating the endpoint or breaking the payroll path.
- Revoke P. Martin's active sessions and force re-authentication.
- Disable the suspicious mailbox forwarding rule (after snapshotting it).
- Raise endpoint + identity alerting to high-fidelity watch.
Security benefit: Cuts the live session and the exfil channel with minimal collateral.
Business impact: Negligible — payroll and payments remain available.
Evidence impact: Low — preserves most volatile artifacts in place.
Recovery impact: Trivial — session/token changes only.
Rollback plan: Re-enable accounts/rules from snapshot; clear elevated alerting.
Aggressive Containment
Maximal blast-radius reduction: broad isolation across finance assets and a freeze on the payment path, accepting business disruption.
- Isolate FIN-EP-204 and FIN-FS-01; sever SMB sessions.
- Disable P. Martin and svc-finbatch; suspend payment-initiation entitlements.
- Temporarily freeze the payment gateway path pending verification.
- Force org-wide reauthentication for the finance group.
Security benefit: Greatest reduction in spread and fraud risk across finance.
Business impact: High — payroll run at risk; payments frozen; finance group disrupted.
Evidence impact: Moderate — fast teardown risks losing some volatile artifacts.
Recovery impact: High — multi-system restoration and revalidation needed.
Rollback plan: Staged restoration with payroll prioritized; lift payment freeze after gateway review.
Side-by-side comparison
| Dimension | A. Minimal Containment | B. Targeted Containment | C. Aggressive Containment | D. Staged Containment |
|---|---|---|---|---|
| Fit score | 53/100 | 80/100 | 43/100 | 72/100 |
| Confidence | 58/100 | 84/100 | 47/100 | 79/100 |
| Risk of delay | 42/100 | 71/100 | 35/100 | 55/100 |
| Security benefit | Cuts the live session and the exfil channel with minimal collateral. | Removes the most probable propagation routes while preserving payroll. | Greatest reduction in spread and fraud risk across finance. | Balances containment with evidence quality and payroll continuity. |
| Business impact | Negligible — payroll and payments remain available. | Moderate — P. Martin offline; payroll path deliberately kept intact. | High — payroll run at risk; payments frozen; finance group disrupted. | Low→Moderate, scaling only if the threat is confirmed to spread. |
| Evidence impact | Low — preserves most volatile artifacts in place. | Low/Moderate — memory + logs captured before isolation. | Moderate — fast teardown risks losing some volatile artifacts. | Low — sequencing protects volatile artifacts at each stage. |
| Recovery impact | Trivial — session/token changes only. | Moderate — credential reset and endpoint review required. | High — multi-system restoration and revalidation needed. | Moderate — scoped to whichever stages are actually triggered. |
| Approvals | IR Lead, Incident Commander | IR Lead, Incident Commander, Business Owner | IR Lead, Incident Commander, CISO, Business Owner, Legal, Executive | IR Lead, Incident Commander, Business Owner |
| Rollback plan | Re-enable accounts/rules from snapshot; clear elevated alerting. | Re-enable account post-investigation; remove isolation; restore delegated access. | Staged restoration with payroll prioritized; lift payment freeze after gateway review. | Each stage is independently reversible from its pre-stage snapshot. |