TR1.7 The Preservation Decision Tree
Figure TR1.7 — The preservation decision tree. One question determines the sequence: is the attacker actively causing damage RIGHT NOW? If yes, contain first. If no, preserve first. Both paths eventually complete both actions — only the order differs.
The determining question
The decision tree has one question: Is the attacker actively causing damage RIGHT NOW?
“Actively causing damage” means the attacker is performing actions that are destroying, encrypting, exfiltrating, or modifying data AT THIS MOMENT. Not “the attacker was active earlier today.” Not “the attacker might become active later.” Right now.
Active damage indicators: ransomware encryption in progress (file modification events flooding DeviceFileEvents), data exfiltration in progress (sustained outbound data transfer visible in network connections), BEC email being composed or sent (active mailbox session), credential dumping in progress (LSASS access visible in real-time alerts), active lateral movement (RDP or SSH sessions being established to new systems).
Dormant indicators: the attacker established persistence (scheduled task, cron job, backdoor user) but is not currently active. The C2 beacon is running but the attacker is not issuing commands. The compromised account has a valid session but no recent activity. The alert is based on historical data (the suspicious activity happened hours or days ago and has since stopped).
Contain-first scenarios
Active ransomware encryption
The attacker is encrypting files on a server. Every second of delay means more files encrypted. The CHAIN-MESH scenario at NE: vssadmin shadow deletion + encryption began at 02:48. If the triage responder spends 5 minutes capturing a memory dump before isolating the server, 5 minutes of additional files are encrypted — potentially the difference between recovering from backup and losing irreplaceable engineering data.
Action: Network-isolate the server IMMEDIATELY via Defender for Endpoint, or physically disconnect the network cable if remote isolation is not available. The encryption process may continue on local files, but it cannot spread to other systems via SMB or access the attacker’s C2 for additional instructions. AFTER isolation, capture memory (the ransomware binary and its configuration are in memory) and volatile evidence. The isolation preserves the running state — the server is still powered on, memory is intact, the ransomware process is still running but cannot communicate.
Active data exfiltration
The attacker is transferring data to an external server. The network connection is visible in ss/netstat. Each minute of continued transfer means more data leaves the organisation. If the data includes PII, each additional minute increases the scope of the GDPR notification.
Action: Block the destination IP at the network perimeter (firewall rule) or isolate the source system. If blocking at the firewall: the exfiltration stops immediately, the source system remains running, and all volatile evidence is preserved. This is the ideal contain-first action because it stops the damage with minimal evidence destruction. If isolating the source system: the exfiltration stops AND all other legitimate network activity stops — higher containment blast radius.
Live BEC email about to send
The attacker has composed a fraudulent wire transfer request in the CEO’s mailbox and is about to click Send. The email is visible in the drafts folder or the attacker’s session shows active Outlook Web access.
Action: Revoke the attacker’s sessions immediately, and reset the credential so the attacker cannot simply sign in again with the stolen password. The send may fail (revocation can land before the client submits the message) or may succeed (if the message was already queued for delivery). After revocation: check Sent Items and the outbound mail queue to determine whether the email was delivered, and preserve the mailbox audit log showing the attacker’s session and actions.
Preserve-first scenarios
Dormant C2 beacon
The alert fired on a beaconing pattern — regular connections to an external IP every 60 seconds. The beacon has been running for hours or days. The attacker is not currently issuing commands through the beacon. The beacon will continue beaconing whether you preserve evidence or not — it is not causing active damage.
Action: Capture memory (the beacon configuration, including the C2 infrastructure, is in memory). Capture the process tree (identify the beacon process and its parent chain). Capture the network connections (document the C2 IP and communication pattern). THEN isolate the endpoint. The 5-minute evidence preservation window does not increase the damage because the beacon is dormant. Isolating first costs you evidence: Defender for Endpoint isolation does not itself kill processes, but once the implant loses its C2 it may exit, sleep, or change state, and the live connection you wanted to document is gone. Capture memory while the beacon is in its normal state; isolation can wait the few minutes that takes.
Planted persistence without active session
The attacker created a scheduled task or cron job yesterday, but their current session has ended. The persistence mechanism is dormant — it will activate at the next scheduled time (e.g., daily at 02:00). There is no active damage.
Action: Capture the persistence mechanism details (scheduled task export, cron entry, autorun entry). Capture associated files (the script or binary the persistence mechanism executes). Capture memory if the associated process is running. THEN disable the persistence mechanism as containment. Removing the scheduled task or cron entry before documenting it destroys the evidence of what the attacker planned to do.
Historical alert
The alert is based on data from hours or days ago. The suspicious sign-in occurred at 03:00 last night. It is now 10:00. The attacker’s session has likely expired. There is no active damage.
Action: Preserve all available evidence — cloud logs, endpoint telemetry, Linux logs — before executing any containment. There is no urgency to contain because the attacker is not currently active (or if they are, their activity has not been detected in the intervening hours, suggesting dormancy or a slow-moving attack). The preservation gives the investigation team the richest possible evidence set.
The speed imperative
The contain-first decision is becoming more common because attackers are faster. Mandiant’s M-Trends 2026 report found that the median handoff from initial access to secondary operators — the point where a compromised credential is passed from the access broker to the ransomware operator — dropped to 22 seconds in 2025. Twenty-two seconds from initial compromise to the hands-on-keyboard operator who will deploy ransomware, exfiltrate data, or establish persistence. At that speed, the triage responder’s contain-first decision for active threats is not optional — it is the only decision that prevents the attacker from achieving their objective before evidence can be collected.
CISA’s StopRansomware Guide reinforces the contain-first approach for active ransomware: isolate affected systems in a coordinated manner and use out-of-band communication methods (phone calls, not email or Teams) to avoid tipping off attackers that their activity has been detected. If the attacker realises containment is underway, they may accelerate encryption or trigger anti-forensics to destroy evidence before isolation completes. The triage responder should coordinate containment actions via phone or in-person, not through channels the attacker may be monitoring.
The grey zone: active but low-impact threats
The decision tree handles the extremes well: clearly active ransomware (contain first) and clearly dormant persistence (preserve first). But many real-world triage scenarios fall in the grey zone — the attacker is active but the damage is not immediately catastrophic.
Active reconnaissance without data access. The attacker is running LDAP queries against Active Directory from a compromised workstation, mapping the environment. This is active (the queries are running right now) but the damage is information gathering, not data destruction. The triage responder has a wider window: the reconnaissance does not destroy data, encrypt files, or exfiltrate information. The optimal approach is preserve-first — capture the process list (to see the reconnaissance tool), the network connections (to see the LDAP query targets), and the command history (to see what the attacker queried). Then contain. The 5-minute preservation window does not significantly increase the damage because the attacker is gathering information they will use LATER, not executing their objective NOW.
Active C2 with no observed commands. The beacon is active (regular connections to the C2 server), but the packet sizes are consistent (heartbeat only — no tasking). The attacker has access but is not currently operating. This is functionally dormant — preserve first. However, the attacker could issue a command at any moment, transitioning from dormant to active. The triage responder should preserve evidence efficiently (memory dump — this captures the beacon configuration) and contain promptly. The risk tolerance for “dormant C2” is measured in minutes, not hours.
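The heartbeat-versus-tasking distinction above (and the dormant-beacon scenario earlier in this section), as an added example that is not course material: a Python function that groups connection records by destination, tests whether the inter-connection intervals are regular enough to be a beacon, and then uses the spread of the byte counts to decide whether the operator is idle or issuing commands. The record layout (epoch seconds, destination, bytes sent, bytes received), the three thresholds and the sample connections are constructed assumptions; it generalises the page's 60-second beacon to any destination contacted at a steady period.

```python
"""Beacon state from connection records (added example, not course code)."""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 5     # assumption: fewer than this cannot establish a period
INTERVAL_CV_MAX = 0.15  # assumption: interval spread (stdev/mean) above this is not a beacon
SIZE_CV_MAX = 0.10      # assumption: byte-count spread at or below this is heartbeat only


def cv(values):
    """Coefficient of variation; 0 for a constant series."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def analyse(records):
    """records: iterable of (epoch_seconds, dst_ip, bytes_sent, bytes_received).

    Returns {dst_ip: {"connections": n, "period_s": mean interval or None, "state": ...}}.
    """
    by_dst = defaultdict(list)
    for ts, dst, sent, recv in sorted(records):
        by_dst[dst].append((ts, sent + recv))

    result = {}
    for dst, conns in by_dst.items():
        if len(conns) < MIN_CONNECTIONS:
            result[dst] = {"connections": len(conns), "period_s": None,
                           "state": "insufficient data"}
            continue
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [size for _, size in conns]
        if cv(intervals) > INTERVAL_CV_MAX:
            state = "not beaconing"                      # user-driven, irregular traffic
        elif cv(sizes) <= SIZE_CV_MAX:
            state = "beacon, heartbeat only (dormant)"   # same-sized check-ins, no tasking
        else:
            state = "beacon, tasking observed (active)"  # regular cadence, but payload sizes jump
        result[dst] = {"connections": len(conns), "period_s": round(mean(intervals)),
                       "state": state}
    return result


BASE = 1_717_200_000  # constructed epoch base
HB = (312, 296)       # constructed heartbeat: bytes sent, bytes received

# Constructed connection records (documentation-range addresses, not real hosts).
SAMPLE = (
    # 203.0.113.10: check-in every ~60 s with identical sizes -> operator idle
    [(BASE + t, "203.0.113.10", *HB) for t in (0, 60, 121, 180, 239, 300, 361, 420)]
    # 198.51.100.7: same cadence, but the fifth check-in pulled 48 KB down and pushed 9 KB up
    + [(BASE + 60 * i, "198.51.100.7", *HB) for i in range(8) if i != 4]
    + [(BASE + 240, "198.51.100.7", 9_000, 48_120)]
    # 192.0.2.25: irregular, user-driven traffic
    + [(BASE + t, "192.0.2.25", 1_200, 40_000 + 500 * t) for t in (0, 5, 7, 40, 41, 200, 203)]
)


if __name__ == "__main__":
    for dst, info in analyse(SAMPLE).items():
        print(dst, info)
```

A heartbeat-only result maps to preserve-first on the accelerated timeline; a tasking result means the operator is at the keyboard and the decision tree's active-damage question has to be re-asked against what the tasking is doing. Feed it the same destination over time, because a beacon that was heartbeat-only an hour ago can show tasking on the next check-in.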
Active email access without BEC delivery. The attacker is reading the compromised user’s emails (MailItemsAccessed events from an anomalous IP) but has not yet sent a BEC email. This is active data access — the attacker is gaining intelligence that could enable financial fraud. The containment urgency depends on what the attacker is reading: if the MailItemsAccessed events target the CEO’s financial communications, the BEC preparation is advanced and containment is urgent (the next step is sending the fraudulent email). If the access pattern is broad (reading many emails across many folders), the attacker is still in the reconnaissance phase and the responder has a wider window.
The grey zone principle: When the attacker is active but not causing irreversible damage, default to PRESERVE FIRST with an ACCELERATED timeline. Complete the preservation in 2-3 minutes (not 5-10) and contain immediately after. The accelerated timeline acknowledges that the attacker is active (they could escalate at any moment) while preserving the evidence the investigation team needs.
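The decision tree as described in this section (the determining question, the active and dormant indicators, the grey-zone accelerated timeline, and the containment decision matrix later on this page), as an added example that is not course material: a Python function that takes a host's recent events, decides whether anything damaging is happening inside a "right now" window, and returns the preservation sequence. The event kinds, the 120-second window, the two rate thresholds and every scenario in `SCENARIOS` are constructed assumptions; calibrate the thresholds against your own DeviceFileEvents and network telemetry before trusting them.

```python
"""Preservation decision tree over constructed endpoint telemetry (added example, not course code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CONTAIN_FIRST = "contain first, preserve after"
PRESERVE_FIRST = "preserve first, then contain"
PRESERVE_ACCELERATED = "preserve first (2-3 minutes), then contain"
PRESERVE_THEN_DESTROY = "preserve first (memory + triage), then evidence-destroying containment"

ACTIVE_WINDOW_S = 120                # assumption: "right now" means the last two minutes
FILE_MODS_PER_MIN = 100              # assumption: sustained encryption exceeds this write rate
OUTBOUND_BYTES_PER_MIN = 50_000_000  # assumption: sustained exfiltration exceeds 50 MB/min

# Single events that are damage the moment they occur.
IRREVERSIBLE = {"lsass_access", "mail_send", "lateral_logon", "shadow_delete"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "file_modify", "net_out", "ldap_query", "c2_heartbeat", ...
    size: int = 0    # bytes for "net_out"; unused for other kinds


def decide(events, now, evidence_preserving_containment=True):
    """Return (decision, reason) for one host at triage time `now`.

    Pass evidence_preserving_containment=False when the only containment
    available is shutdown or reimage (the decision matrix case).
    """
    recent = [e for e in events if e.ts >= now - timedelta(seconds=ACTIVE_WINDOW_S)]
    if not recent:
        return PRESERVE_FIRST, "no attacker activity inside the active window: dormant"

    minutes = ACTIVE_WINDOW_S / 60
    file_mods = sum(1 for e in recent if e.kind == "file_modify")
    out_bytes = sum(e.size for e in recent if e.kind == "net_out")
    irreversible = sorted({e.kind for e in recent} & IRREVERSIBLE)

    if file_mods / minutes >= FILE_MODS_PER_MIN:
        damage = f"{file_mods} file modifications in {ACTIVE_WINDOW_S}s (encryption in progress)"
    elif out_bytes / minutes >= OUTBOUND_BYTES_PER_MIN:
        damage = f"{out_bytes} bytes outbound in {ACTIVE_WINDOW_S}s (exfiltration in progress)"
    elif irreversible:
        damage = "irreversible action in progress: " + ", ".join(irreversible)
    else:
        kinds = ", ".join(sorted({e.kind for e in recent}))
        return PRESERVE_ACCELERATED, f"active but not destructive ({kinds}): grey zone"

    if evidence_preserving_containment:
        return CONTAIN_FIRST, damage
    return PRESERVE_THEN_DESTROY, damage + "; only shutdown/reimage available"


NOW = datetime(2025, 6, 1, 2, 50, tzinfo=timezone.utc)   # constructed triage time


def ago(seconds):
    return NOW - timedelta(seconds=seconds)


# Constructed scenarios, not real telemetry.
SCENARIOS = {
    # shadow copy deletion followed by 300 file writes in the last 40 seconds
    "ransomware": [Event(ago(45), "shadow_delete")]
                  + [Event(ago(40) + timedelta(milliseconds=100 * i), "file_modify")
                     for i in range(300)],
    # four 30 MB transfers to one destination in the last 100 seconds
    "exfiltration": [Event(ago(100 - 30 * i), "net_out", 30_000_000) for i in range(4)],
    # brute force succeeded seven hours ago, nothing since
    "historical_ssh": [Event(NOW - timedelta(hours=7), "lateral_logon")],
    # LDAP enumeration running right now, no data touched
    "recon": [Event(ago(20), "ldap_query"), Event(ago(10), "ldap_query")],
    # beacon still checking in every 60 seconds, no tasking
    "dormant_c2": [Event(ago(30 + 60 * i), "c2_heartbeat") for i in range(3)],
    # LSASS read five seconds ago
    "cred_dump": [Event(ago(5), "lsass_access")],
}


def classify_all(evidence_preserving_containment=True):
    """Run every scenario and return {name: decision}."""
    return {name: decide(evs, NOW, evidence_preserving_containment)[0]
            for name, evs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, evs in SCENARIOS.items():
        decision, reason = decide(evs, NOW)
        print(f"{name:15} {decision:60} {reason}")
```

The window is what turns "right now" into something a script can evaluate: the same lateral logon event is contain-first inside the window and preserve-first seven hours later. The grey zone falls out naturally as "recent activity, but none of the damage tests fired", and the only way to reach the preserve-then-shutdown branch is to tell the function that no evidence-preserving containment exists.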
The regulatory dimension of the preservation decision
In regulated industries, the preservation decision has regulatory implications that the triage responder should be aware of:
GDPR (Article 33): Organisations must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. Regulators treat “becoming aware” as the point at which the organisation has a reasonable degree of certainty that a breach has occurred; in practice that is when the triage responder classifies the incident as a confirmed TP involving personal data, so the clock is already running during triage. If the responder contains before preserving evidence that shows the scope of data access, the investigation team may not be able to determine WHAT data was accessed — making the regulatory notification incomplete. In GDPR-regulated environments, the preservation of mailbox access logs (what the attacker read) and file access logs (what the attacker downloaded) is not just forensically valuable — it is regulatorily necessary.
NIS2 (Article 23): Significant incidents trigger a staged reporting duty: an early warning to the CSIRT or competent authority within 24 hours of awareness, an incident notification within 72 hours, and a final report within one month. NIS2 defines “significant” based on impact — which can only be assessed from the evidence the triage responder preserved. If the evidence is lost due to premature containment (rebooting a server before capturing memory), the organisation may not be able to assess the impact accurately, leading to either over-reporting (reporting a broader scope than actual) or under-reporting (missing data access that occurred before the reboot).
The principle: Preserve evidence BEFORE containment when possible, because the evidence determines the regulatory reporting scope. If containment must come first (active ransomware, active exfiltration), document what evidence was lost due to the containment timing — the investigation team and legal team need to know what cannot be determined because evidence was not available.
The parallel path
For experienced responders with team support, the contain-first and preserve-first paths can execute in parallel. One responder initiates containment while another simultaneously captures volatile evidence. This is the optimal approach — but requires two responders with access to the same system. For solo triage responders, the decision tree provides the sequence: which action comes first when you can only do one thing at a time.
Try it: classify these scenarios
Scenario A: An alert fires: SSH brute force succeeded on a production database server 2 hours ago. No current active sessions from the attacker IP. The attacker may have planted a cron job.
Scenario B: An alert fires: vssadmin shadow deletion detected on SRV-NGE-SHF-MFG01 15 seconds ago. File modification events are flooding in.
Scenario C: A C2 beacon has been running for 3 days. The alert was discovered during a threat hunt, not from a real-time detection.
Scenario A: preserve first (historical, no active damage). Scenario B: contain first (active ransomware — 15 seconds ago is RIGHT NOW). Scenario C: preserve first (dormant — the beacon has been checking in for 3 days with no detected tasking; use the grey-zone accelerated timeline, because the operator can return at any moment).
The myth: The forensic principle “preserve evidence integrity at all costs” means you should never execute containment before completing evidence collection.
The reality: Evidence integrity is important — for the investigation. But the investigation is meaningless if the attacker achieves their objective while you are collecting evidence. A forensically perfect memory dump of a server that was fully encrypted during the 5-minute dump provides evidence of the ransomware but does not prevent the business impact. The preserve-first rule applies ONLY when the attacker is dormant. When the attacker is actively causing damage, containment takes priority because stopping the damage IS the objective. The imperfect evidence collected after containment is sufficient for investigation in most cases — the investigation team adapts to the available evidence rather than demanding perfect evidence at the cost of business destruction.
Containment blast radius and the preservation decision
The preservation decision is not independent of the containment blast radius. Some containment actions preserve evidence (device isolation keeps the system running with memory intact). Other containment actions DESTROY evidence (powering off a server eliminates all volatile evidence). The triage responder must consider the evidence impact of each containment option:
Evidence-preserving containment actions: Network isolation via Defender for Endpoint — blocks all network traffic but keeps the system running. Memory is intact. Processes continue executing. The responder can still access the system via Defender Live Response. This is the optimal contain-first action because it stops the attacker while preserving ALL volatile evidence.
Firewall block of specific IPs or ports — stops exfiltration or C2 communication at the network perimeter without touching the endpoint. All endpoint evidence is completely preserved. The exfiltration process still runs on the endpoint (it just fails on next connection attempt) — the process, its memory, and its connections are all visible for capture.
Account disable in Active Directory — blocks the attacker’s ability to authenticate as the compromised user. Does not affect any endpoint evidence. The compromised endpoint remains running with all evidence intact.
Evidence-destroying containment actions: System shutdown or power off — eliminates ALL volatile evidence: memory, running processes, network connections, DNS cache, ARP table. Only use when no other containment option is available (e.g., the system is not managed by Defender and cannot be network-isolated remotely). If shutdown is the only option, capture what you can with the 10-command triage BEFORE initiating the shutdown.
System reimage or rebuild — destroys all evidence on the system (volatile and disk). Never reimage before evidence collection unless the system is actively spreading malware to other systems and no isolation option is available.
Virtual machine snapshot + revert — a snapshot taken with memory state included preserves the current state (a disk-only snapshot loses everything in RAM), but reverting to an earlier snapshot destroys all evidence from the current state. Take the snapshot with memory, and do NOT revert until the investigation team has analysed it.
The decision matrix: Active threat + evidence-preserving containment available → Contain first, preserve after (device isolation, firewall block). Active threat + ONLY evidence-destroying containment available → Preserve first (capture memory + 10-command triage), THEN contain (shutdown). Accept the risk of additional attacker activity during the preservation window because the alternative (shutdown without preservation) destroys evidence permanently. Dormant threat + any containment → Preserve first, then use evidence-preserving containment (isolation).
The manager override scenario. Occasionally, a non-security manager demands immediate system restoration (“bring the server back online NOW”) before evidence is preserved. The triage responder must be prepared to push back with a clear, factual explanation: “The server contains evidence that will be permanently destroyed if we restore now. I need 5 minutes to capture the evidence, then restoration can proceed. The 5-minute delay is less disruptive than the investigation finding we lost critical evidence because the server was restored prematurely.” If the manager insists, document the override (who requested it, when, what evidence was at risk) and escalate to the CISO. The manager’s authority over business operations does not extend to destroying forensic evidence — the CISO adjudicates the conflict. At NE, Rachel’s SOP explicitly states: “Evidence preservation takes priority over non-emergency system restoration. Only the CISO can override this policy.” This pre-approved authority eliminates the on-the-spot debate.
Troubleshooting
“I cannot tell if the attacker is active or dormant.” Default to contain-first if you are uncertain AND the alert indicates a high-severity threat (ransomware indicators, credential theft, data exfiltration patterns). The cost of unnecessary containment (brief business disruption) is less than the cost of allowing an active attacker to continue while you assess their state. For medium and low severity alerts where you are uncertain, spend 2-3 minutes running the Tier 1 capture commands (processes, connections) — the results will tell you whether the attacker has active processes and connections.