Conclude that the most critical component of an IR plan is to stop the incident and contain the scope and/or impact to the organization. With time being of the essence, detailed analyses here are not the best use of resources as it may prolong the attack and its result.
Propose the following containment strategies that were provided in the text that the CSIRT can execute to slow or stop an incident in progress:
Disabling compromised user accounts
Reconfiguring a firewall to block the problem traffic
Temporarily disabling compromised processes or services
Taking down the conduit application or server—for example, the e-mail server
Disconnecting affected networks or network segments
Stopping (powering down) all computers and network devices
Justify that the last strategy outlined above is a last-ditch effort to preserve data stored on computers so that operations can resume normally once the incident has concluded.