The short-term objective of containment is to isolate the infected hosts before a complete solution is ready. The long-term objective of recovery, by contrast, is to find a security control that can prevent a similar security incident in the future, or that can perform automatic recovery when such an incident is detected.
Containment typically relies on network- or host-containment criteria established by network policy enforcement. Whenever one of the criteria is met, the containment actions can include blocking that specific host, redirecting its traffic so that the latest security patches can be applied, and rejecting specific communication traffic or ports.
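The criteria-and-action logic described above can be sketched as a small policy evaluator. This is an added example, not code from the original text; the criteria names, host fields, denied ports, and the rule that a full block supersedes narrower actions are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

DENIED_PORTS = {23, 445}  # constructed policy value, not from the page

@dataclass
class Host:
    name: str
    malware_detected: bool = False   # hypothetical posture fields
    missing_patches: int = 0
    listening_ports: set = field(default_factory=set)

# Each criterion: (name, predicate, action builder). All three are assumed
# examples that map onto the three containment actions named in the text.
CRITERIA = [
    ("infection", lambda h: h.malware_detected,
     lambda h: ("block_host", h.name)),
    ("unpatched", lambda h: h.missing_patches > 0,
     lambda h: ("redirect_to_patching", h.name)),
    ("denied_port", lambda h: bool(h.listening_ports & DENIED_PORTS),
     lambda h: ("reject_ports", sorted(h.listening_ports & DENIED_PORTS))),
]

def containment_plan(host):
    """Return (criterion, action, target) for every criterion the host meets.

    Assumption: a full host block supersedes narrower actions, so when it
    applies it is returned alone.
    """
    plan = [(name, *build(host)) for name, pred, build in CRITERIA if pred(host)]
    blocks = [p for p in plan if p[1] == "block_host"]
    return blocks or plan

# Constructed sample inventory.
HOSTS = [
    Host("ws-01"),
    Host("ws-02", missing_patches=3, listening_ports={22, 445}),
    Host("ws-03", malware_detected=True, missing_patches=1),
]

def plan_all(hosts):
    """Evaluate every host and return {host name: containment plan}."""
    return {h.name: containment_plan(h) for h in hosts}

if __name__ == "__main__":
    for name, plan in plan_all(HOSTS).items():
        print(name, plan or "no containment needed")
```

An empty plan means no criterion was met and the host stays on the network unchanged.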
The following are common security policy enforcement ...