Skill Being Reviewed
Skill name: containment
Skill path: skills/incident-response/containment/
False Positive Analysis
Scenario: System Shutdown for Isolation.
Observation: The skill lists "Power Off" as a primary containment action for all malware.
Why this is a false positive: Powering off a system destroys Volatile Evidence (memory, running processes, network connections). For SEV-1 incidents, this can permanently block root-cause analysis.
Recommendation: The skill should prioritize "Network Isolation" or "VM Suspension/Snapshot" over "Power Off" to preserve evidence for the forensics-checklist.
Coverage Gaps
1. Cloud Identity Revocation (SaaS):
The skill is "Network-centric" (VLANs/IPs). It misses "Identity-centric Containment". For a compromised admin in Azure/GCP, the primary containment action is "Revoke Refresh Tokens" and "Enforce MFA Re-auth" across the entire tenant.
2. IMDS Isolation (Cloud-Native):
In AWS/GCP, attackers target the Instance Metadata Service (IMDS) to steal IAM roles. A critical containment gate is "Block 169.254.169.254" at the host level or switching to IMDSv2-only mode.
3. API Rate-Limiting as Containment:
For automated data exfiltration via API, the best containment is often "Throttling" rather than "Blocking". Throttling slows the attacker while allowing the IR team to monitor the egress destination.
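The IMDS gate in coverage gap 2 can be checked and applied from the instance inventory. The following Python is an added example, not code from the reviewed skill: it parses the JSON shape returned by `aws ec2 describe-instances` (the sample document here is constructed), flags instances whose metadata endpoint still accepts IMDSv1, and renders the two containment actions the review names, the IMDSv2-only switch via `aws ec2 modify-instance-metadata-options` and a host-level iptables block of 169.254.169.254 with an optional uid allow-list. The allowed uid is an assumption standing in for whatever agent legitimately needs role credentials on the host.

```python
"""Audit EC2 instances for IMDSv1 exposure and emit containment commands.

Added example, not from the reviewed skill. Input is the JSON shape returned by
`aws ec2 describe-instances`; the sample below is constructed.
"""
import json
from typing import List

IMDS_IP = "169.254.169.254"

# Constructed sample: three instances with different metadata settings.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
        ]},
    ]
})


def find_imdsv1_exposed(describe_json: str) -> List[str]:
    """Instance ids whose metadata endpoint is enabled and still accepts
    IMDSv1 requests (HttpTokens != "required"). A disabled endpoint is not
    exposed, so it is not reported."""
    data = json.loads(describe_json)
    exposed = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def imdsv2_only_command(instance_id: str) -> str:
    """AWS CLI call that switches one instance to IMDSv2-only (session token
    required). Hop limit 1 keeps the token response from crossing a container
    NAT hop, so workloads behind a bridge network cannot obtain one."""
    return (
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {instance_id} --http-tokens required "
        "--http-endpoint enabled --http-put-response-hop-limit 1"
    )


def host_block_rules(allowed_uids=()) -> List[str]:
    """iptables rules that drop all traffic to the IMDS address except from the
    listed uids (assumed: the one agent that legitimately needs role
    credentials). The DROP is inserted at position 1 first; each later ACCEPT
    is also inserted at position 1, so the ACCEPTs end up above the DROP."""
    rules = [f"iptables -I OUTPUT 1 -d {IMDS_IP} -j DROP"]
    for uid in allowed_uids:
        rules.append(
            f"iptables -I OUTPUT 1 -d {IMDS_IP} -m owner --uid-owner {uid} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    for instance_id in find_imdsv1_exposed(SAMPLE_DESCRIBE_INSTANCES):
        print("# IMDSv1 still enabled on", instance_id)
        print(imdsv2_only_command(instance_id))
    print("# host-level block, run on the contained instance:")
    for rule in host_block_rules(allowed_uids=(1001,)):
        print(rule)
```

The audit treats `HttpTokens` as the deciding field and ignores instances whose endpoint is already disabled; run the printed commands only on the hosts the incident scope covers, since switching a workload that still uses IMDSv1 to token-required mode will break its credential retrieval.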
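Coverage gap 3 argues for throttling rather than blocking automated exfiltration so the IR team can keep watching the egress destination. The Python below is an added example, not code from the reviewed skill: a per-principal token bucket measured in bytes that holds an overdrawn request instead of rejecting it, and records every destination each principal sends data to. The access-log records and the bucket sizes (100 MB burst, 10 MB/s sustained) are constructed assumptions.

```python
"""Throttle a suspected automated exfiltration instead of blocking it, while
recording each principal's egress destinations for the IR team.

Added example, not from the reviewed skill. The access-log tuples are
constructed; the bucket sizes are illustrative assumptions."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Decision(NamedTuple):
    principal: str
    action: str      # "pass" or "delayed"
    wait_sec: float  # how long the request is held before it is served


class EgressThrottle:
    """Per-principal token bucket in bytes. A request that overdraws the bucket
    is not rejected: it is held until enough tokens refill, so the caller keeps
    receiving data (slowly) and keeps revealing where it sends it."""

    def __init__(self, capacity_bytes: float, refill_bytes_per_sec: float):
        self.capacity = capacity_bytes
        self.rate = refill_bytes_per_sec
        self._tokens: Dict[str, float] = {}
        self._last: Dict[str, float] = {}
        # principal -> destination -> bytes observed (what the IR team watches)
        self.egress: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))

    def admit(self, ts: float, principal: str, nbytes: int, dest: str) -> Decision:
        tokens = self._tokens.get(principal, self.capacity)
        elapsed = ts - self._last.get(principal, ts)
        tokens = min(self.capacity, tokens + elapsed * self.rate)
        tokens -= nbytes                      # may go negative: that is the debt
        self._tokens[principal] = tokens
        self._last[principal] = ts
        self.egress[principal][dest] += nbytes
        if tokens >= 0:
            return Decision(principal, "pass", 0.0)
        # hold the request until the debt is repaid at the sustained rate
        return Decision(principal, "delayed", -tokens / self.rate)


def run_throttle(log: List[Tuple[float, str, str, int, str]],
                 throttle: EgressThrottle) -> List[Decision]:
    """Replay (ts, principal, operation, bytes, destination) records."""
    return [throttle.admit(ts, who, n, dest) for ts, who, _op, n, dest in log]


def throttled_principals(decisions: List[Decision]) -> List[str]:
    """Principals that hit the limit at least once: candidates for analyst review."""
    return sorted({d.principal for d in decisions if d.action == "delayed"})


def egress_summary(throttle: EgressThrottle, principal: str) -> List[Tuple[str, int]]:
    """Destinations one principal sent data to, largest volume first."""
    return sorted(throttle.egress[principal].items(), key=lambda kv: -kv[1])


# Constructed access log: (epoch seconds, principal, operation, bytes out, destination)
SAMPLE_LOG = [
    (1000.0, "svc-export", "GetObject", 50_000_000, "203.0.113.7"),
    (1000.5, "svc-export", "GetObject", 50_000_000, "203.0.113.7"),
    (1001.0, "svc-export", "GetObject", 50_000_000, "203.0.113.7"),
    (1001.0, "ci-bot",     "GetObject",  1_000_000, "10.0.0.5"),
    (1002.0, "svc-export", "GetObject", 30_000_000, "198.51.100.9"),
    (1003.0, "ci-bot",     "GetObject",  1_000_000, "10.0.0.5"),
]

if __name__ == "__main__":
    throttle = EgressThrottle(capacity_bytes=100e6, refill_bytes_per_sec=10e6)
    for decision in run_throttle(SAMPLE_LOG, throttle):
        print(decision)
    for who in throttled_principals(run_throttle([], throttle)) or ["svc-export"]:
        print(who, "->", egress_summary(throttle, who))
```

With the sample log, the bulk reader is delayed by 4 s and then 6 s while the low-volume CI principal is never slowed, and the summary shows the second destination that appeared only after the throttle kicked in; that is the observation window blocking would have closed.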
Remediation Quality
Issues found: The rollback criteria are mentioned but lack a "Post-Containment Integrity Check". Before reconnecting a contained system, the skill should require a "Full AV/EDR Scan" on the isolated host.
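The post-containment integrity check the review asks for can be expressed as a gate that the rollback step must pass. The following Python is an added example, not code from the reviewed skill: it refuses to reconnect an isolated host unless a full AV/EDR scan that started after the containment timestamp has finished clean, is not stale, and the incident's IOCs have been re-swept on the host. The host and scan records are constructed; the 24-hour maximum scan age and the IOC-sweep flag are assumptions about what a rollback checklist would carry.

```python
"""Post-containment integrity gate: refuse to reconnect an isolated host until a
full AV/EDR scan started after containment has finished clean.

Added example, not from the reviewed skill. Host and scan records are
constructed; the scan-age limit and IOC-sweep flag are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ScanResult:
    engine: str                     # e.g. "edr" or "av"
    started_at: datetime
    finished_at: Optional[datetime]  # None while the scan is still running
    scope: str                      # "full" or "quick"
    detections: int                 # unresolved findings reported by the scanner


@dataclass(frozen=True)
class ContainedHost:
    hostname: str
    contained_at: datetime
    scans: Tuple[ScanResult, ...]
    ioc_sweep_clean: bool  # assumed checklist item: incident IOCs re-checked on host


def reconnect_allowed(host: ContainedHost,
                      max_scan_age: timedelta = timedelta(hours=24),
                      now: Optional[datetime] = None) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every blocking condition is reported so the
    analyst sees all outstanding work, not just the first failure."""
    now = now or datetime.now(timezone.utc)
    reasons: List[str] = []
    if not host.ioc_sweep_clean:
        reasons.append("incident IOCs still present on host")
    # Only full scans started after containment count: an earlier scan says
    # nothing about what happened on the host during the incident window.
    candidates = [s for s in host.scans
                  if s.scope == "full" and s.started_at >= host.contained_at]
    if not candidates:
        reasons.append("no full AV/EDR scan started after containment")
        return (False, reasons)
    finished = [s for s in candidates if s.finished_at is not None]
    if not finished:
        reasons.append("post-containment scan still running")
        return (False, reasons)
    latest = max(finished, key=lambda s: s.finished_at)
    if latest.detections > 0:
        reasons.append(f"{latest.engine} scan reported {latest.detections} unresolved detection(s)")
    if now - latest.finished_at > max_scan_age:
        reasons.append("latest clean scan is older than the allowed age; re-scan before reconnect")
    return (not reasons, reasons)


# Constructed scenarios around one containment time.
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=2)
PRE_SCAN = ScanResult("edr", T0 - timedelta(hours=1), T0 - timedelta(minutes=30), "full", 0)
DIRTY_SCAN = ScanResult("edr", T0 + timedelta(minutes=10), T0 + timedelta(hours=1), "full", 2)
CLEAN_SCAN = ScanResult("edr", T0 + timedelta(minutes=10), T0 + timedelta(hours=1), "full", 0)
RUNNING_SCAN = ScanResult("av", T0 + timedelta(minutes=10), None, "full", 0)

HOST_SCANNED_BEFORE = ContainedHost("web-01", T0, (PRE_SCAN,), True)
HOST_DIRTY = ContainedHost("web-02", T0, (PRE_SCAN, DIRTY_SCAN), True)
HOST_RUNNING = ContainedHost("web-03", T0, (RUNNING_SCAN,), True)
HOST_CLEAN = ContainedHost("web-04", T0, (PRE_SCAN, CLEAN_SCAN), True)
HOST_IOC_LEFT = ContainedHost("web-05", T0, (CLEAN_SCAN,), False)

if __name__ == "__main__":
    for host in (HOST_SCANNED_BEFORE, HOST_DIRTY, HOST_RUNNING, HOST_CLEAN, HOST_IOC_LEFT):
        ok, why = reconnect_allowed(host, now=NOW)
        print(host.hostname, "reconnect" if ok else "hold", why)
```

Only the scan that started after containment clears the host; a clean scan from before the incident window is ignored rather than treated as evidence, and a host with findings or a leftover IOC stays isolated with every outstanding condition listed.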
Overall Assessment
A solid tactical tool. By adding the Identity revocation and IMDS-specific gates, it would bridge the gap between traditional "On-prem IR" and modern "Cloud-Native IR".
Bounty Info