Love the 'Shields Up Policy' term.
This often becomes an in-depth discussion when our team conducts IR tabletops for CPIRT customers. The answer is situational, but more often than not the "shields up" approach is what most enterprises end up with these days. In addition to the concerns about access to gateways via SmartConsole, today there are often other requirements for connectivity that don't permit the old-school approach of a wirecutter/shutdown. Some examples we have come across that make this an interesting problem:
- All logging goes offsite - When using cloud logging/monitoring services (e.g. Datadog) or a cloud SIEM, blocking the internet may cause critical logs to disappear during an incident.
- Managed Detection and Response - When leveraging a 3rd party to triage and respond to endpoint events, blocking the MDR vendor's access will likely limit their visibility and ability to assist/respond.
- DR site replication - This is trickier and runs the risk of replicating a malware infection, malicious software, or maliciously manipulated databases, but it can also save the day depending on the timing and scale of infection within a primary site.
- Corporate Infrastructure in the Cloud - Also tricky; it may be required to keep access open for fileshares (did we print our IR plan on paper, or is it on a SharePoint server we can't access?), SSO systems, comms platforms (like cloud email or chat applications), offsite backup infrastructure, etc.
- Simple things like NTP and DNS - Depending on network and system configuration, external NTP and DNS may be required to continue logging accurately.
There are usually several operational considerations that should be taken into account when making an IR plan. It is definitely situational and isn't exactly a one-size-fits-all answer. Typically, customers nowadays need a 'Shields Up' policy on standby that only permits access to external services that are absolutely critical (cloud SIEM, MDR vendor, etc.), then blocks all other traffic that would normally be permitted by the everyday policy.
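As an added illustration of the "permit only the critical external services, then drop everything else" idea discussed above, here is a small Python model of an everyday policy beside a standby Shields Up policy. It is an example written for this thread, not Check Point code and not anything from the original post. The destination ranges are constructed RFC 5737 documentation addresses standing in for the SIEM, MDR vendor, DR site and cloud SSO/email; the rule names and ports are assumptions. First match wins and anything unmatched falls to a cleanup drop, so the `flows_cut_by_shields_up()` helper shows which everyday flows you would lose the moment the standby policy is installed, which is exactly the list worth reviewing in a tabletop.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    dst_nets: Tuple[str, ...]            # destination CIDRs this rule covers
    proto: str                           # "tcp", "udp" or "any"
    dports: Optional[frozenset] = None   # None means any destination port
    action: str = "accept"               # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dports is not None and flow.dport not in rule.dports:
        return False
    dst = ip_address(flow.dst)
    return any(dst in ip_network(net) for net in rule.dst_nets)


def evaluate(policy: Sequence[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic hits an implicit cleanup drop."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"


# Constructed sample destinations (RFC 5737 documentation ranges, not real vendor IPs).
INTERNAL = ("10.0.0.0/8",)
CLOUD_SIEM = ("203.0.113.0/26",)
MDR_VENDOR = ("203.0.113.64/26",)
DR_SITE = ("192.0.2.0/24",)
DNS_NTP = ("198.51.100.10/32", "198.51.100.11/32")
ANYWHERE = ("0.0.0.0/0",)

# Everyday policy: business as usual, broad outbound web access allowed.
EVERYDAY = [
    Rule("internal", INTERNAL, "any"),
    Rule("dns-ntp", DNS_NTP, "udp", frozenset({53, 123})),
    Rule("cloud-siem-logs", CLOUD_SIEM, "tcp", frozenset({6514})),
    Rule("mdr-agent", MDR_VENDOR, "tcp", frozenset({443})),
    Rule("dr-replication", DR_SITE, "tcp", frozenset({5000})),
    Rule("outbound-web", ANYWHERE, "tcp", frozenset({80, 443})),
]

# Shields Up policy on standby: only the services the incident response depends on,
# then an explicit cleanup drop. DR replication is kept here but is the situational one.
SHIELDS_UP = [
    Rule("internal", INTERNAL, "any"),
    Rule("cloud-siem", CLOUD_SIEM, "tcp", frozenset({6514, 443})),
    Rule("mdr", MDR_VENDOR, "tcp", frozenset({443})),
    Rule("dns-ntp", DNS_NTP, "udp", frozenset({53, 123})),
    Rule("dr-replication", DR_SITE, "tcp", frozenset({5000})),
    Rule("cleanup-drop", ANYWHERE, "any", None, "drop"),
]

# Constructed flows a tabletop might walk through.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "tcp", 445),         # internal file share
    Flow("203.0.113.10", "tcp", 6514),    # syslog-TLS to cloud SIEM
    Flow("203.0.113.70", "tcp", 443),     # MDR agent check-in
    Flow("198.51.100.10", "udp", 123),    # NTP
    Flow("203.0.113.200", "tcp", 443),    # cloud SSO / email, not on the critical list
    Flow("198.51.100.200", "tcp", 443),   # SharePoint-style file share in the cloud
]


def flows_cut_by_shields_up(flows: Sequence[Flow]) -> List[Flow]:
    """Flows the everyday policy accepts but Shields Up drops."""
    return [f for f in flows
            if evaluate(EVERYDAY, f)[0] == "accept"
            and evaluate(SHIELDS_UP, f)[0] == "drop"]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "everyday:", evaluate(EVERYDAY, f), "shields-up:", evaluate(SHIELDS_UP, f))
    print("cut by shields up:", flows_cut_by_shields_up(SAMPLE_FLOWS))
```

The point of the helper is that the two flows it reports are precisely the "corporate infrastructure in the cloud" cases from the list above: if the IR plan or the SSO provider sits behind one of them, that has to be decided before the policy is ever installed, not during the incident.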