This chapter covers containment and eradication, two critical phases of the incident response process as defined in NIST SP 800-61 Rev 2 and CompTIA CySA+ CS0-003 Objective 3.4. Containment limits the scope of an incident, while eradication removes the root cause from the environment. Approximately 10–15% of exam questions touch on these phases, often requiring you to select the correct containment strategy for a given scenario or identify the proper eradication steps. Mastery of short-term vs. long-term containment, evidence preservation, and system restoration is essential for both the exam and real-world incident handling.
Jump to a section
Imagine a modern naval warship with a fire in the engine room. The ship has automated fire doors that slam shut when heat sensors detect a temperature rise above 150°F. These doors are made of steel and insulated with ceramic fiber, designed to withstand 2,000°F for 30 minutes. When a fire starts, the doors close within 3 seconds, isolating the engine room from adjacent compartments. The ship's damage control team then manually verifies the isolation, deploys portable extinguishers, and begins cooling adjacent bulkheads. The fire doors do not extinguish the fire—they contain it, preventing it from spreading to fuel storage or ammunition magazines. After the fire is suppressed, the team must ventilate the compartment, remove damaged equipment, and repair the fire door mechanism before returning the ship to full operation. In cybersecurity, containment works identically: automated controls (firewalls, network segmentation) isolate a compromised host to prevent lateral movement, while the incident response team investigates and eradicates the threat. The containment mechanism must be fast, reliable, and reversible—just like the fire door—because over-isolation can disrupt business operations, just as sealing too many compartments could sink the ship.
What Are Containment and Eradication?
Containment and eradication are the third and fourth phases of the NIST incident response lifecycle (Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity). Containment focuses on stopping the incident from causing further damage—preventing lateral movement, data exfiltration, or additional system compromise. Eradication removes the threat actor's foothold, including malware, backdoors, persistence mechanisms, and compromised credentials. On the CS0-003 exam, you must understand the difference between these phases and the specific actions taken in each.
The Containment Decision: Short-Term vs. Long-Term
When an incident is confirmed, the incident response team must decide on a containment strategy. The exam tests two primary categories:
Short-Term Containment: Immediate actions to stop the bleeding, often performed without preserving evidence. Examples: disconnecting a system from the network, blocking an IP address at the firewall, or shutting down a service. These actions are fast but may destroy volatile data (e.g., running processes, network connections) and alert the attacker.
Long-Term Containment: More deliberate actions that preserve evidence while maintaining business operations. Examples: applying ACLs to restrict traffic, implementing network segmentation, or deploying honeypots to monitor attacker activity. Long-term containment often uses system isolation via VLANs or SDN micro-segmentation.
The exam emphasizes that short-term containment should be used only when the incident is actively causing damage (e.g., ransomware encrypting files). Otherwise, long-term containment is preferred to gather intelligence.
Key Containment Techniques
1. Network Segmentation and Isolation
Physical Isolation: Disconnect the network cable or disable the switch port. Use shutdown interface command on Cisco switches. This is the most definitive but also most disruptive.
Logical Isolation: Apply firewall rules to block all traffic to/from the compromised host except to a management VLAN. On a Palo Alto firewall, create a security rule with source = compromised IP, destination = any, action = deny.
VLAN Segmentation: Move the host to a quarantine VLAN. On a Cisco switch: switchport access vlan 999 where VLAN 999 is a quarantine VLAN with no default gateway.
Micro-Segmentation: For cloud environments, use security groups (AWS) or network policies (Kubernetes) to restrict traffic at the workload level.
2. System Containment
Disabling Accounts: Immediately disable the compromised user account using Disable-ADAccount -Identity username in PowerShell or via Active Directory Users and Computers. This prevents further authentication.
Killing Processes: Use taskkill /PID [PID] /F on Windows or kill -9 [PID] on Linux to terminate malicious processes. Note: This destroys evidence of the running process.
Uninstalling Malware: For known malware, use wmic product where name="MalwareName" call uninstall or apt-get remove on Linux. However, this may not remove persistence mechanisms.
3. Evidence Preservation Before Containment
When possible, capture volatile data before containment actions destroy it. The order of volatility (RFC 3227) dictates the sequence: 1. Registers and cache 2. Routing table, ARP cache, process table, kernel statistics 3. Temporary file systems 4. Disk 5. Remote logging and monitoring data 6. Physical configuration, network topology
On the exam, you may be asked which data must be collected before disconnecting a system. The correct answer is typically running processes, network connections, and memory contents.
Eradication Steps
Once contained, eradication removes all traces of the incident. The exam expects you to know the following steps in order:
1. Identify the Root Cause
Analyze logs, memory dumps, and disk images to determine how the attacker gained access (e.g., phishing, unpatched vulnerability, weak password).
Use tools like Volatility for memory analysis, Autopsy for disk forensics, and Splunk for log correlation.
2. Remove Malware and Backdoors
Scan with updated antivirus/EDR: Run sfc /scannow on Windows to restore system files, then use MpCmdRun -Scan -ScanType 2 for Windows Defender.
Remove persistence mechanisms: Check common locations:
Windows: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup, scheduled tasks (schtasks).
Linux: /etc/rc.local, /etc/init.d/, cron jobs (crontab -l).
Revoke compromised credentials: Reset passwords for affected accounts using net user username newpassword /domain or via Azure AD.
3. Apply Patches and Updates
Install missing security patches. For Windows, use wusa.exe or WSUS. For Linux, yum update or apt upgrade.
Disable unnecessary services and ports. Use netstat -an to identify listening ports and iptables to block them.
4. Verify Eradication
Run a full system scan.
Monitor for recurrence using SIEM alerts.
Perform a vulnerability scan (e.g., Nessus) to ensure no residual weaknesses.
Recovery After Eradication
Recovery is often tested alongside eradication. The goal is to restore normal operations while ensuring the threat is gone. Steps include:
Restoring data from clean backups (verify backup integrity first).
Rebuilding systems from known-good images (preferred for malware infections).
Gradually returning systems to production while monitoring for indicators of compromise.
The Role of Playbooks and Automation
On the exam, you may be asked about the use of playbooks for containment and eradication. A playbook is a documented set of procedures that ensures consistency. For example, a ransomware playbook might include: 1. Isolate infected host (short-term containment). 2. Disable network shares and SMB. 3. Identify the ransomware variant (via file extension, ransom note). 4. Determine if decryption is possible (use NoMoreRansom). 5. Restore from backup (eradication).
Automation tools like SOAR (Security Orchestration, Automation, and Response) can execute containment actions automatically. For instance, if a host triggers a high-severity alert, the SOAR platform can automatically block its IP at the firewall and disable its AD account.
Interaction with Other Technologies
SIEM: Provides alerts that trigger containment actions. For example, a SIEM rule detecting multiple failed logins from a single source can trigger a firewall block.
EDR: Endpoint Detection and Response tools like CrowdStrike or Carbon Black can isolate an endpoint from the network with a single click or API call.
Firewalls and IDS/IPS: Can be used for containment by blocking malicious traffic. However, beware that blocking an IP may not stop a determined attacker using proxies.
Cloud Security Groups: In AWS, you can revoke security group ingress rules to isolate an EC2 instance. Use aws ec2 revoke-security-group-ingress --group-id sg-xxxx --protocol tcp --port 3389 --cidr 0.0.0.0/0.
Common Pitfalls on the Exam
Destroying evidence: The most common mistake is taking containment actions that destroy volatile data before it is collected. The exam will present scenarios where you must choose between immediate isolation (which loses evidence) and evidence capture (which delays containment). The correct answer often depends on the severity: if ransomware is actively encrypting, isolate first; if it's a stealthy APT, capture evidence first.
Incomplete eradication: Leaving backdoors like scheduled tasks or SSH keys. The exam may ask what to check after removing malware—the answer is persistence mechanisms.
Failing to verify eradication: Simply removing malware is not enough; you must verify with scans and monitoring.
Confusing containment with eradication: Containment stops the spread; eradication removes the cause. For example, blocking an IP is containment; removing the malware that caused the C2 connection is eradication.
Detect and Confirm Incident
The process begins when an alert from a SIEM, EDR, or user report indicates a potential incident. The analyst must validate the alert by correlating with other logs (e.g., firewall, DNS, authentication). For example, an EDR alert of a suspicious PowerShell execution should be cross-referenced with network logs to see if there was outbound traffic to a known C2 IP. Confirmation requires at least two independent sources. The NIST definition of an incident is 'a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.' Once confirmed, the incident is assigned a severity level (low, medium, high, critical) based on impact and criticality.
Perform Short-Term Containment
If the incident is actively causing damage (e.g., ransomware encrypting files, data exfiltration in progress), the analyst must act immediately. The most common short-term containment action is to disconnect the affected system from the network. On Windows, this can be done via the GUI (Network & Internet settings) or by disabling the network adapter with `netsh interface set interface name="Ethernet" admin=disable`. On Linux, use `ifconfig eth0 down`. Alternatively, block the system's IP at the firewall: on iptables, `iptables -A INPUT -s 10.0.0.5 -j DROP`. In a cloud environment, revoke security group rules or change the network ACL. This step should take less than 5 minutes. Note: This action destroys volatile data like active network connections and running processes, so it should only be done if the risk of further damage outweighs the loss of evidence.
Collect Volatile Evidence
Before performing long-term containment or eradication, the analyst must collect volatile data from the compromised system. This follows the order of volatility: first, capture memory (RAM) using tools like FTK Imager or `dd if=/dev/mem of=mem.dmp` on Linux. Second, capture network connections with `netstat -anob` on Windows or `netstat -tulpn` on Linux. Third, capture running processes with `tasklist /v` or `ps aux`. Fourth, capture logged-on users with `query user` or `who`. All data should be hashed (SHA-256) and stored on a write-protected drive. This evidence is crucial for root cause analysis and legal proceedings. The exam often asks which data must be collected before disconnecting a system—memory is the most volatile and must be collected first.
Implement Long-Term Containment
After evidence collection, implement long-term containment to allow continued monitoring while preventing further damage. This often involves network segmentation: move the compromised host to a quarantine VLAN with limited access. On a Cisco switch, configure the port as an access port in a quarantine VLAN: `switchport access vlan 999`. Then apply ACLs to allow only necessary traffic (e.g., to a patch server or SIEM). Alternatively, use a firewall rule to redirect the host's traffic through a proxy for inspection. In a cloud environment, create a new security group that only allows outbound traffic to a specific management IP. Long-term containment should be reversible and should not alert the attacker if possible. The goal is to gather intelligence while minimizing business impact.
Eradicate the Threat
Eradication removes the root cause. First, identify how the attacker gained access (e.g., via a phishing email with a malicious attachment). Then remove all malware, backdoors, and persistence mechanisms. For example, if the attacker used a scheduled task to run a PowerShell script, delete the task with `schtasks /delete /tn "TaskName" /f`. Remove registry run keys: `reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v MaliciousKey /f`. On Linux, remove cron jobs: `crontab -r` for the current user, and check `/etc/cron.d/`. After removal, revoke any compromised credentials: reset passwords and revoke session tokens. Finally, apply patches to fix the vulnerability that was exploited. If the system is heavily compromised, a full rebuild from a known-good image is recommended. After eradication, run a full antivirus scan and vulnerability scan to confirm the system is clean.
Verify and Restore Operations
The final step is to verify that the threat is completely removed and restore the system to normal operations. Verification includes: checking that no malicious processes are running, no unauthorized network connections exist, and no persistence mechanisms remain. Use a tool like Sysinternals Autoruns to check all startup locations. Monitor the system for 24-48 hours for any signs of recurrence. Once verified, restore connectivity by moving the system back to its original VLAN, re-enabling the network adapter, or removing firewall blocks. If the system was rebuilt, restore data from a clean backup taken before the incident. Ensure that the restored data is scanned for malware. Finally, document all actions taken, including timestamps and commands used, for post-incident review and compliance.
Scenario 1: Ransomware Outbreak in a Hospital
A hospital's IT team detects ransomware encrypting files on several workstations in the emergency department. The ransomware uses SMB to spread laterally. The incident response team immediately executes short-term containment: they disconnect the affected workstations from the network by disabling the switch ports. They also block SMB traffic (port 445) at the firewall to prevent further spread. However, they forget to collect memory dumps first, losing evidence of the initial infection vector. After containment, they identify the ransomware variant as Ryuk and determine that decryption is not possible. They restore the affected workstations from backups taken 12 hours prior. They also patch the SMB vulnerability (EternalBlue) that was used for propagation. The hospital's backup strategy is critical: they use immutable backups in a separate VLAN to prevent ransomware from encrypting them. The lesson learned is to always capture volatile data first, even in a crisis, and to have a pre-defined playbook for ransomware.
Scenario 2: APT in a Financial Services Firm
A financial firm's SOC detects unusual outbound DNS queries from a server in the DMZ. The queries are to a domain registered 3 days ago. The SOC suspects an advanced persistent threat (APT). Instead of disconnecting the server (which would alert the attacker), they implement long-term containment: they apply a firewall rule that allows only DNS traffic to the firm's own DNS servers and blocks all other outbound traffic. They also enable full packet capture on the server's segment. They then analyze the server's memory and find a custom backdoor using a rootkit. They collect evidence over several days, identifying the attacker's C2 infrastructure. After gathering sufficient intelligence, they eradicate the threat by rebuilding the server from a known-good image and applying all security patches. They also rotate all service account passwords. This approach preserved evidence and allowed the firm to understand the attacker's techniques without tipping them off.
Common Misconfigurations
Overly aggressive containment: Blocking all traffic to a critical server can cause business disruption. Always have a whitelist for essential services.
Incomplete eradication: Removing the malware but leaving behind a scheduled task that re-downloads it. Always check persistence mechanisms.
Failure to update playbooks: Relying on outdated procedures that don't account for new attack vectors (e.g., cloud-based persistence).
What CS0-003 Tests on Containment and Eradication
The exam objectives under Domain 3.4 include: 'Given a scenario, implement containment and eradication strategies.' Specific areas tested:
Distinguishing between short-term and long-term containment.
Order of volatility for evidence collection.
Steps for malware removal and system recovery.
Use of playbooks and automation.
Cloud-specific containment (e.g., AWS security groups, Azure NSGs).
Common Wrong Answers and Why Candidates Choose Them
'Disconnect the system immediately' as the first step for all incidents. Candidates choose this because it seems like the fastest way to stop damage. However, the exam expects you to consider evidence preservation. If the incident is not actively destructive (e.g., a dormant backdoor), you should collect volatile data first. The correct answer depends on the scenario's severity.
'Reimage the system' as the eradication step without investigating the root cause. Many candidates think a clean install always solves the problem. But eradication requires understanding how the attacker got in to prevent recurrence. The exam will ask what to do after removing malware—the answer is to patch the vulnerability.
'Block the attacker's IP address' as a containment strategy for a DDoS attack. While blocking IPs can help, the exam expects you to know that DDoS attacks often use spoofed IPs, so IP blocking is ineffective. The correct containment might be to enable rate limiting or use a DDoS mitigation service.
'Restore from backup' immediately after containment. Candidates forget to verify that the backup is clean. The exam may present a scenario where the backup itself is compromised (e.g., ransomware encrypted backups). The correct step is to verify backup integrity before restoration.
Specific Numbers and Terms That Appear on the Exam
Order of volatility: Know the sequence: registers/cache > routing table/ARP/process table > temporary files > disk > remote logs > physical configuration.
NIST SP 800-61 Rev 2: The standard for incident response. Know the four phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity.
Persistence locations: Windows: Run keys, Startup folder, scheduled tasks, services. Linux: /etc/rc.local, /etc/init.d/, cron, .bashrc.
Short-term containment: Disconnect, block IP, disable account. Long-term containment: VLAN segregation, ACLs, honeypots.
Edge Cases and Exceptions
Virtual machines: Disconnecting a VM from the virtual switch is equivalent to unplugging the cable. In VMware, you can isolate a VM by removing its network adapter or applying a port group with no VLAN.
Cloud instances: In AWS, you can isolate an EC2 instance by changing its security group to one with no outbound rules. However, this does not stop traffic already in flight.
Mobile devices: Containment may involve remote wipe or disabling the device via MDM. Eradication may require factory reset.
How to Eliminate Wrong Answers
If the question asks about the first step after detection, ask: 'Is the incident actively causing damage?' If yes, short-term containment. If no, evidence collection.
If the question asks about eradication, look for an answer that includes 'identify root cause' or 'apply patches.' Avoid answers that only say 'remove malware' or 'reimage.'
If the question involves cloud, look for cloud-specific terms like 'security group,' 'network ACL,' or 'IAM policy.' Avoid generic network terms.
Containment must balance stopping damage and preserving evidence; short-term for active threats, long-term for stealthy ones.
The order of volatility (RFC 3227) dictates evidence collection: memory first, then network state, processes, disk, logs.
Eradication requires removing all persistence mechanisms (registry keys, scheduled tasks, cron jobs) and patching the root cause vulnerability.
Always verify backup integrity before restoring; compromised backups can reintroduce the threat.
Playbooks and SOAR automation ensure consistent, rapid containment and eradication actions.
Cloud containment uses security groups, network ACLs, and IAM policy changes instead of physical disconnection.
After eradication, monitor for recurrence using SIEM alerts and vulnerability scans for at least 48 hours.
These come up on the exam all the time. Here's how to tell them apart.
Short-Term Containment
Immediate action to stop active damage (e.g., disconnect cable, block IP).
Destroys volatile evidence (memory, network connections).
May alert the attacker to detection.
Suitable for ransomware, active data exfiltration, or worm propagation.
Typically irreversible without manual reconnection.
Long-Term Containment
Deliberate action to limit damage while preserving evidence (e.g., VLAN segmentation, ACLs).
Preserves volatile evidence for forensic analysis.
Allows continued monitoring of attacker activity (honeypot effect).
Suitable for APTs, stealthy malware, or when business continuity is critical.
Reversible; can be gradually relaxed as investigation progresses.
Mistake
Containment always means disconnecting the system from the network.
Correct
Disconnection is short-term containment and destroys volatile evidence. Long-term containment via network segmentation or ACLs is often preferred to preserve evidence and monitor attacker activity.
Mistake
Eradication is complete once malware is removed.
Correct
Eradication requires removing all persistence mechanisms (scheduled tasks, registry keys, SSH keys) and addressing the root cause (e.g., patching vulnerabilities). Simply deleting the malware file is insufficient.
Mistake
Restoring from backup is always safe after an incident.
Correct
Backups may also be compromised if the attacker had access to the backup system. Always verify backup integrity (e.g., scan for malware, check timestamps) before restoration.
Mistake
The order of volatility only matters for legal proceedings.
Correct
The order of volatility is critical for preserving the most fragile evidence first. Failing to collect memory before powering down a system can lose the only evidence of the attack.
Mistake
Blocking an IP address is an effective containment strategy.
Correct
Attackers often use proxies, VPNs, or botnets, so blocking a single IP is easily bypassed. It may be a temporary measure but should not be relied upon as a primary containment strategy.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Containment stops the incident from spreading or causing further damage (e.g., isolating a compromised host). Eradication removes the root cause of the incident (e.g., deleting malware, patching vulnerabilities). On the exam, containment actions are temporary and focus on limiting impact, while eradication actions are permanent and ensure the threat is eliminated.
Use short-term containment when the incident is actively causing damage, such as ransomware encrypting files or data exfiltration in progress. Long-term containment is preferred when the incident is not actively destructive, such as a dormant backdoor or APT, because it preserves evidence and allows monitoring. The exam will present scenarios where you must choose based on the severity and immediacy of the threat.
The order of volatility (RFC 3227) is a sequence for collecting digital evidence from most volatile to least volatile: registers/cache, routing tables/ARP cache/process table, temporary file systems, disk, remote logs, physical configuration. It is important because volatile data (e.g., memory) is lost when the system is powered down or disconnected. Collecting in the correct order ensures the most fragile evidence is preserved first. The exam often asks which data must be collected before disconnecting a system—the answer is memory.
On Windows: registry Run keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run), Startup folder, scheduled tasks, services, WMI event subscriptions. On Linux: /etc/rc.local, /etc/init.d/ scripts, cron jobs, .bashrc, .profile, systemd services. The exam may ask which locations to check after removing malware to ensure complete eradication.
In AWS, isolate an EC2 instance by modifying its security group to deny all traffic or by changing the network ACL of the subnet. In Azure, use network security groups (NSGs) to block traffic. In Google Cloud, use firewall rules. Additionally, you can disable the instance's public IP or move it to a different VPC. The exam expects you to know cloud-specific containment actions rather than physical disconnection.
After eradication, you must verify that the threat is completely removed by running full antivirus scans, vulnerability scans, and checking for any residual persistence mechanisms. Then restore the system to normal operations (e.g., re-enable network connectivity). Finally, monitor the system for at least 48 hours for any signs of recurrence. The exam may ask about the verification step as part of the eradication phase.
Yes, using Security Orchestration, Automation, and Response (SOAR) platforms. For example, a SOAR playbook can automatically block an IP at the firewall, disable a user account, and isolate an endpoint when a high-severity alert fires. Automation reduces response time and ensures consistency. The exam may ask about the benefits of automation in containment.
You've just covered Containment and Eradication — now see how well it sticks with free CS0-003 practice questions. Full explanations included, no account needed.
Done with this chapter?