Containing Active Breaches

When to Use

- A confirmed intrusion is in progress with an active adversary on the network
- Malware is spreading laterally across endpoints or servers
- A compromised account is being used for unauthorized access to systems
- Ransomware encryption has been detected and is actively propagating
- An attacker has established command-and-control communications from internal hosts

Do not use for post-incident cleanup when the adversary is no longer active; use eradication procedures instead.

Prerequisites

- Confirmed incident classification with P1 or P2 severity from t…