The containment phase of the incident response lifecycle requires taking systems offline.
The containment phase of the incident response lifecycle involves isolating the affected systems to prevent further damage or spread of the incident. However, this does not necessarily require taking systems offline. Isolation can be achieved through network segmentation or other control measures that don't involve powering down systems, which helps balance the need to minimize impact and maintain some level of availability.
B. True In the incident response lifecycle, the containment phase involves taking systems offline as a measure to prevent further damage or spread of the incident. By isolating affected systems or network segments, organizations can limit the impact and reduce the risk of additional compromise or data loss. Taking systems offline during the containment phase allows security teams to assess the situation, investigate the incident, and implement necessary remediation measures without the interference of ongoing malicious activity. It also helps to prevent the incident from spreading to other parts of the infrastructure or affecting additional systems or users. While the specific actions taken during the containment phase may vary depending on the nature of the incident and organizational policies, temporarily taking systems offline is a common and effective step to contain and control the situation.
from security guidance page 102: Containment: Taking systems offline. Considerations for data loss versus service availability. Ensuring systems don’t destroy themselves upon detection.