Isolating the affected system or segment of the network is the best initial containment strategy. It helps to prevent the spread of an attack while allowing the investigation to proceed with minimal interference. Changing access control lists could impact normal operations and may not effectively contain the incident. Rebooting the system could potentially destroy volatile evidence. Applying patches, while important, does not address immediate containment and may alter the state of the system, complicating any ongoing investigation.