What must be done during incident containment?

Prepare for the EC-Council Certified Incident Handler Test with an interactive quiz. Study with flashcards, MCQs, hints, and explanations. Ace your test!

During incident containment, the primary objective is to minimize damage and prevent further impact from a security incident. Temporarily shutting down affected systems is a critical step in this process because it helps to isolate the incident, stopping any ongoing damage, data loss, or information leakage. By taking affected systems offline, the incident response team can limit the attack's scope and protect other assets within the network.

This action allows for a controlled environment where investigators can assess the situation without the risk of the attacker exploiting the systems further or spreading to other areas of the network. It serves as a practical immediate response to gain control over the incident and sets a foundation for further investigation, analysis, and ultimately resolution.

Though implementing long-term solutions, determining the root cause, and conducting full system recovery are important components of incident management, they typically occur after the initial containment has been effectively achieved. Focusing solely on containment ensures that the immediate threat is addressed first, providing a clear pathway to subsequent phases of incident response.
