Limiting the blast radius¶

Impact is the phase where the attacker makes themselves known, whether they intended to or not. Ransomware encrypts, wipers delete, botnets recruit, and service disruptions cascade through dependencies in ways that are difficult to anticipate. In some intrusions, impact is the goal from the start; in others, the attacker is forced to act before they are ready. By this point the attacker has already won the access battle. The defender’s job shifts from prevention to containment, limiting how much damage is done before the environment can be restored.

Techniques and response context
Responding to active impact