Containing Active Breaches

Containing Active Breaches

Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed

Category: development Source: mukul975/Anthropic-Cybersecurity-Skills

What Is This

The "Containing Active Breaches" skill is a specialized cybersecurity capability designed for rapid response to ongoing security incidents. Its core function is to execute containment strategies that halt active adversary operations and prevent further lateral movement within an organization’s environment. This skill leverages network segmentation, endpoint isolation, credential revocation, and access control modifications to restrict an attacker's options and minimize potential damage during a confirmed breach.

By focusing on both immediate and sustained containment actions, this skill directly supports live incident response scenarios. It is aligned with industry-standard frameworks and threat models, including MITRE ATT&CK (covering techniques like T1021: Remote Services, T1570: Lateral Tool Transfer, T1210: Exploitation of Remote Services, and T1072: Software Deployment Tools), and references NIST Cybersecurity Framework response and recovery categories.

Why Use It

Active breaches require decisive and coordinated action to prevent attackers from escalating privileges, exfiltrating data, or causing widespread disruption. The "Containing Active Breaches" skill provides a systematic approach to:

  • Stop ongoing adversary operations before they can inflict additional harm
  • Prevent lateral movement, which is often used by attackers to access sensitive assets
  • Limit propagation of malware, ransomware, or other tools across the network
  • Support regulatory and compliance mandates for incident containment and response
  • Enable security teams to maintain control during a crisis, buying time for thorough investigation and remediation

Without effective containment, attackers can leverage compromised accounts, move laterally, and establish persistence, making eradication and recovery far more complex and costly.

How to Use It

This skill is typically activated as part of a coordinated incident response when a breach is confirmed and adversary activity is ongoing. The following are key containment techniques and their practical implementation:

1. Network Segmentation and Isolation

Immediately restrict communication between affected and unaffected network segments to halt the spread of malicious activity.

Example: Using a firewall rule to isolate a subnet

## Block all inbound and outbound traffic to a compromised subnet
iptables -A INPUT -s 10.0.5.0/24 -j DROP
iptables -A OUTPUT -d 10.0.5.0/24 -j DROP

2. Endpoint Isolation

Leverage EDR (Endpoint Detection and Response) platforms to isolate compromised hosts from the network.

Example: Isolating a host using CrowdStrike Falcon API

curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{ "action_name": "contain", "ids": ["<host_id>"] }'

3. Credential Revocation and Session Termination

Revoke compromised credentials and forcibly terminate active sessions to prevent further unauthorized access.

Example: Disabling an Active Directory account

## Disable a user account in Active Directory
Disable-ADAccount -Identity "jdoe"

4. Access Control Modifications

Restrict or remove permissions temporarily to sensitive resources or management interfaces.

Example: Removing a user from a privileged group

## Remove user from Domain Admins
Remove-ADGroupMember -Identity "Domain Admins" -Members "jdoe"

5. Communication and Coordination

Activate incident response protocols that notify relevant stakeholders and coordinate further actions.

Example: Sending an automated alert to the IR team

## Send a Slack notification via webhook
curl -X POST -H 'Content-type: application/json' \
--data '{"text":"Active breach containment initiated on subnet 10.0.5.0/24"}' \
https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

When to Use It

Activate the "Containing Active Breaches" skill in the following scenarios:

  • Confirmed Breach: When a security incident has been classified as P1 or P2 severity and verified as ongoing
  • Lateral Movement Detected: If malware or attackers are seen moving between endpoints or servers
  • Active Account Compromise: If a user account is actively being used for unauthorized access
  • Ransomware Propagation: When ransomware encryption is observed and spreading in real time
  • Command-and-Control Activity: When internal hosts are communicating with known adversary infrastructure

Do not use this skill for post-incident cleanup once the adversary is confirmed to be inactive. In such cases, use eradication and recovery procedures.

Important Notes

  • Prerequisites: Ensure the incident has been confirmed and classified with appropriate severity (P1/P2) before containment actions
  • Authorization: Only authorized personnel with EDR console and directory service access should perform these actions
  • Documentation: Log all containment steps taken, including timestamps and affected systems, for forensic and compliance purposes
  • Business Impact: Containment may disrupt normal operations, so coordinate with business units to minimize impact where possible
  • Continuous Monitoring: After initial containment, monitor for signs of continued adversary activity and be prepared to escalate further

By leveraging this skill, organizations can decisively halt the progression of active security breaches, limit damage, and set the stage for successful eradication and recovery.