Containment vs. Eradication: Containment limits the scope of the incident and stops further damage while the investigation continues (network isolation, blocking attacker infrastructure, disabling compromised accounts). Eradication removes the threat from the environment (deleting malware, closing the initial access vector, rebuilding hosts). They are distinct phases; eradication should follow containment, once the scope and the attack vector are understood.
Preserving Evidence: A crucial aspect of incident response is maintaining forensic integrity. Actions that destroy or alter data (wiping drives, rebooting a host without first capturing memory, patching or reimaging before imaging) hinder the investigation and may make it impossible to determine how the attacker got in or what else was touched.
A. Disconnect compromised servers from the network immediately and wipe their hard drives to ensure the threat is removed. Disconnecting from the network is a valid containment step, but wiping the drives destroys the forensic evidence (malware samples, attacker tooling, file system timestamps, local logs) needed to determine the initial access vector and the extent of the compromise. Wiping is an eradication/recovery action, and here it is taken before the scope is known; a host rebuilt without that knowledge is easily compromised again the same way.
B. Power down the compromised systems to halt the infection and prevent any additional malicious activity. Powering down does stop activity, but it destroys volatile data in RAM: running processes, open network connections, logged-in sessions, decrypted keys, and malware that lives only in memory. The preferred sequence is to isolate the host at the network layer, capture memory, and only then decide whether it needs to be powered off. A hard power-off is a drastic step reserved for cases where data is actively being destroyed, and it should be a deliberate decision, not the default.
C. Patch all related servers and endpoints immediately—both infected and non-infected—to prevent further compromise. Patching matters, but doing it during containment is problematic: it overwrites binaries and timestamps that are evidence, and it does nothing about an attacker who is already inside and has established persistence (web shells, added accounts, scheduled tasks). Patching belongs to the eradication/recovery phase, after the attack vector has been confirmed.
Quarantining (option D) isolates the affected systems at the network layer (VLAN move, ACLs, or EDR host isolation) so the threat cannot spread, while the systems stay powered on and investigators can still collect volatile data and disk evidence. Preserving logs is equally important: host logs, firewall and proxy logs, and authentication logs are what establish the attack vector, the timeline, and the full extent of the compromise, so they should be copied off the host with integrity hashes before anything on the host is changed.
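The two halves of option D, isolating the host while keeping a single path open for evidence collection and preserving its logs with integrity hashes, can be scripted. The following is an added example, not code from the original page; the forensic collector address, interface name, log paths and log contents are constructed for illustration, and the firewall commands are returned as strings (dry run) rather than executed unless `apply_rules` is called explicitly.

```python
"""Containment without evidence destruction: quarantine a host at the network
layer while it stays powered on, and preserve its logs with a hashed manifest.
Added example; hostnames, addresses, paths and log lines below are constructed."""
import hashlib
import json
import shutil
import socket
import subprocess
import tempfile
import time
from pathlib import Path

# Constructed sample logs standing in for /var/log on the compromised host.
SAMPLE_LOGS = {
    "auth.log": "Mar  3 02:14:07 web01 sshd[4121]: Accepted password for deploy from 203.0.113.77\n"
                "Mar  3 02:14:09 web01 sudo: deploy : COMMAND=/bin/bash\n",
    "syslog":   "Mar  3 02:15:41 web01 systemd[1]: Started update-checker.service\n",
}


def sha256_file(path):
    """Stream-hash a file so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_isolation_rules(forensic_ip, iface="eth0"):
    """iptables commands that quarantine the host: default DROP for all traffic,
    except loopback and a single path to/from the forensic collector so memory
    and logs can still be pulled. Returned as strings; nothing runs here."""
    return [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -I INPUT 1 -i lo -j ACCEPT",
        "iptables -I OUTPUT 1 -o lo -j ACCEPT",
        f"iptables -I INPUT 1 -i {iface} -s {forensic_ip} -j ACCEPT",
        f"iptables -I OUTPUT 1 -o {iface} -d {forensic_ip} -j ACCEPT",
    ]


def apply_rules(rules):
    """Apply the quarantine for real (requires root). Kept separate from rule
    generation so the rules can be reviewed before the host is cut off."""
    for rule in rules:
        subprocess.run(rule.split(), check=True)


def preserve_logs(sources, dest_dir):
    """Copy each log read-only into dest_dir, hash it before and after the copy,
    and write a manifest. Sources are never modified, so the originals remain
    valid evidence even if the copy step fails partway."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        if not src.is_file():
            entries.append({"source": str(src), "status": "missing"})
            continue
        before = sha256_file(src)
        target = dest / str(src).strip("/").replace("/", "_")  # avoid name clashes
        shutil.copy2(src, target)  # copy2 keeps mtime, which matters for timelines
        entries.append({
            "source": str(src), "copy": str(target), "size": src.stat().st_size,
            "sha256": before, "verified": before == sha256_file(target), "status": "ok",
        })
    manifest = {
        "host": socket.gethostname(),
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "entries": entries,
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo(forensic_ip="198.51.100.10"):
    """Write the constructed logs to a temp dir, preserve them, and return the
    manifest plus the (unapplied) isolation rules. One source is deliberately
    missing to show that a gap is recorded rather than silently skipped."""
    work = Path(tempfile.mkdtemp(prefix="ir-"))
    logdir = work / "var_log"
    logdir.mkdir()
    for name, text in SAMPLE_LOGS.items():
        (logdir / name).write_text(text)
    sources = [logdir / n for n in SAMPLE_LOGS] + [logdir / "kern.log"]
    manifest = preserve_logs(sources, work / "evidence")
    return manifest, build_isolation_rules(forensic_ip)


if __name__ == "__main__":
    m, rules = demo()
    print("\n".join(rules))
    print(json.dumps(m, indent=2))
```

Order matters when this is used for real: capture memory over the still-open collector path first, then preserve logs, and only then consider anything that changes the host. The default-DROP policies plus the explicit collector rules are what distinguish quarantine from the "pull the cable" of option A: the host is contained, but evidence can still leave it.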