Situation: Multiple hosts show large outbound traffic and a customer reports sensitive files leaked online. Immediate goal: contain exfiltration, preserve forensic data, keep services healthy where possible.Immediate actions (in order, with rationale):1. Triage & scope- Confirm alerts, list affected hosts (monitoring/asset DB).- Identify public endpoints receiving data (netflow/egress logs).2. Fast containment (minimize blast radius, preserve evidence)- Put affected hosts into network isolation mode (quarantine VLAN / security group) rather than powering off. - AWS example: detach from public subnets / apply restrictive security group: aws ec2 modify-instance-attribute --instance-id i-... --groups sg-xxxx (sg with only ssh from SOC)- On-prem / Linux hosts: add temporary iptables/nft rule to block all outbound except to internal collectors:bash
# block all outbound except to forensics collector IP 10.0.0.5
ssh ops@host
sudo iptables -I OUTPUT 1 -d 10.0.0.5 -j ACCEPT
sudo iptables -I OUTPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I OUTPUT 3 -j REJECT
- Kubernetes: cordon nodes/pods, scale down risky workloads, or apply NetworkPolicy to deny egress:bash
kubectl label node node-1 quarantine=true
kubectl patch networkpolicy deny-egress -p '{"spec":{"policyTypes":["Egress"],"egress":[]}}'
- If using cloud firewalls, quickly apply ACL to block suspicious outbound ports/IP ranges.3. Preserve forensic evidence (do first before disruptive changes)- Capture volatile data on each host (memory, network connections, processes):bash
# on host
sudo netstat -tunp > /tmp/netconns.txt
sudo ss -tunp >> /tmp/ss.txt
sudo ps auxwww > /tmp/ps.txt
sudo tcpdump -w /tmp/egress.pcap -s 0 port not 22 &
sudo gcore $(pgrep suspicious_process) # if safe
- Snapshot disks and create AMI / volume snapshot (cloud) immediately: - AWS: create-snapshot or create-image; GCP: disk snapshot.- Collect system logs, application logs, auditd, bash_history, cloudtrail/cloud logging, flow logs (VPC flow logs).- Export copies to secure forensics bucket with write-once permissions.4. Short-term service continuity- If quarantine breaks critical SLA, route traffic to healthy fallback instances or enable read-only mode/feature-flag sensitive features. - Toggle feature flags to disable file downloads or external sharing (LaunchDarkly/example).- Rate-limit outbound egress at edge (WAF or API gateway) to reduce exfiltration speed.5. Evidence integrity & coordination- Record all commands, times, operator IDs in incident log.- Preserve timestamps and set storage to immutable when possible.- Notify security/forensics and escalate to incident commander; hand off preserved artifacts.6. Follow-up steps- Once contained, perform deeper forensic analysis, rotate credentials, revoke keys/compromised tokens, rotate certificates, audit IAM, and patch vulnerability.- Run post-incident blameless review and implement permanent controls (e.g., egress filtering, DLP, least-privilege, monitoring of sensitive file access).Key principles: isolate network egress quickly (prefer network-level blocks over host shutdown), capture volatile data first, snapshot immutable storage, use feature flags to reduce functionality without full outage, and preserve audit trail for investigators.