7 Phases of Incident Response

It’s inevitable that you will be affected by a cybersecurity threat one day – whether it be a direct attack or a breach of a third-party provider. 61% of SMBs have experienced a cybersecurity threat in the past year, and the numbers are going up. Therefore, when (not if) that day comes you will need to be prepared to mitigate the effects. So how should you respond to a cybersecurity incident?

That’s where a cybersecurity incident response plan comes into play.

What Is Incident Response?

Incident response in cybersecurity is an organized approach to preparing, detecting, controlling, and recovering from a cybersecurity breach.

Cybersecurity incidents can be detrimental to the health of a company. In many cases, serious incidents can lead to data loss, and the failure of services, operations, and functions. Imagine Google was affected by a cybersecurity incident – who knows how many millions of people would be affected? It’d be hard to know “How to send large files online” without operating the world’s most used search engine.

To prevent catastrophic outcomes of a cybersecurity breach, businesses should have an incident response plan.

What Is An Incident Response Plan

An incident response plan, as determined by the National Institute of Standards and Technology (NIST), is a document which utilizes a set of information security policies and guidelines to identify and prioritize risks, mitigate threats and restore service after a cybersecurity breach. The predetermined set of instructions aims to limit the consequences of malicious cyberattacks on an organization’s information system.

For most cybersecurity incidents, the time it takes to detect and respond impacts the severity and longevity of a breach. Therefore, to limit the impact on your organization, it’s important to follow these 7 steps as soon as possible.

7 Phases of Incident Response

1. Preparation

It’s nearly impossible to create a well-organized response to a cybersecurity threat in the moment. An incident response plan needs to be carefully prepared in advance of an attack to give your organization a fighting chance. In order to do so, your organization must conduct a risk assessment which identifies and addresses all potential threats within and outside of your organization. Once assessed, there should be consistent maintenance to prevent attacks.

For example, if your information system has a vulnerability from a recent update, make sure it is immediately addressed and maintained over time. Otherwise, cyber attackers will use that critical vulnerability to enter your system like we’ve seen many times this year already.

2. Identification

All phases of an incident response plan are important, however, identification takes precedence. Organizations that are able to identify potential threats and determine their severity can prioritize how they’re managed and are most likely to experience minor consequences compared to companies that cannot.

The identification phase involves completing penetration testing – a simulated attack on your own system to evaluate its security and understand the likelihood of an event and its potential impact. By identifying current and potential cybersecurity threats, your organization is better prepared to contain the threat.

3. Containment

Don’t panic! The primal response to a cybersecurity breach may be deleting everything and turning systems offline – but there’s a better way to contain a breach. If a system is turned offline and/or data is deleted, you risk losing valuable information about where the breach occurred, how it happened, or the ability to devise a plan based on the evidence.

 Instead, you can: 

  • Disconnect infected systems from the internet to prevent data leaking 
  • Change access control credentials to strengthen security 
  • Quarantine identified malware for evidence and future analysis
  • Disable remote access capability and wireless access points 
  • Create a backup of your data

After the threat is contained, it will be a lot easier to eradicate it entirely. 

4. Eradication

It’s time to eliminate the threat now that it has been contained. The eradication phase focuses on removing the problem and restoring harmed systems. This involves a complete reimaging of a system’s hard drive to ensure all malicious content has been thoroughly wiped and is no longer present for reinfection.

5. Recovery

It feels like a nonstop triathlon of effort to respond to an incident. It’s finally time to recharge. Now that the threat has been contained and eradicated, the main goal is to bring systems back online and continue business as usual.

In this phase, full service should be restored and previously infected systems and/or networks must be tested, monitored, and validated to verify the same assets are not reinfected. Additionally, all affected users, within and outside of your organization, should be informed of the breach and its present status. In cases where account credentials were compromised, steps should be in place to reset passwords and/or deactivate accounts.

6. Learning

What’s the best way to show an attacker whose boss? Learn. Create a report detailing a play-by-play review of the incident which answers the 5 W’s (i.e. who, what, where, when, why). The purpose of documentation is to learn from the incidents that occurred in order to identify weaknesses and prevent reoccurrence. This information can be used to create a cybersecurity training plan for employees and act as referencing material in the event of another case.

It’s highly recommended that the learning phase occurs within two weeks of the incident for better documentation. It’s like studying for a test – the sooner you learn the material, the better recall you’ll have.

7. Re-testing

Now that you’ve completed the six core phases, it’s time for the final step. An incident response plan should always have a re-testing element. Re-testing grants the opportunity to fine-tune your plan to ensure it covers all necessary areas of security within the organization. You can use your findings to improve the process, adjust your plans and procedures, and find any gaps that may have gone unnoticed.

Benefits of Incident Response Plan

In the end, it could be challenging to see the advantages of your incident response plan while you’re still mourning the loss of a cybersecurity breach. However, if you need more convincing to develop an incident response plan, perhaps the following advantages will do the trick:

  1. Safeguards critical knowledge Any critical information derived from an incident can be used for future planning and execution.
  2. Prepares you for the worst – Cybersecurity threats could affect you at any given moment. Having an incident response plan prepares you well in advance.
  3. Exposes gaps – Exploits and vulnerabilities can go unnoticed quite easily. IR plans help expose those gaps and patch them before they become critical.
  4. Replicable process – Incident response is not a “one and done”, it’s a continuous cycle. This plan can be replicated and updated to handle incidents quicker and more efficiently in the future.
  5. Takes accountability – IR documentation demonstrates that your organization carried out the necessary steps to preserve data and prevent a breach. In the eyes of auditors, you’ve taken accountability and reduced liability.

Incident Response Plan Template

Ready to take control of your security? We’ve found some informative (and free) cybersecurity incident response plan templates to help get you started:

  1. National Institute of Standards and Security (NIST): Computer Security Incident Handling Guide – access here.
  2. Michigan State Police: IT Incident Response Plan Example – access here.
  3. California Department of Technology: Incident Response Plan Template Doc – access here.


Congrats! You’ve survived a cybersecurity incident with minimal damage. Unfortunately, there’s no time to celebrate. Cyberattacks have been skyrocketing ever since the push for digitalization and remote work due to COVID-19. Now that more confidential information is hosted online, it serves as a goldmine for hackers. Thus, the need to be prepared.

The success of a cybersecurity incident plan is only as great as the people who create and uphold them. When surveying more than 2,848 IT and IT Security professionals, 77% of respondents stated that they lacked a formal incident response plan across their organization. It’s important, now more than ever, to create a cybersecurity incident plan to help protect your organization against cyber threats and be prepared in the event of a breach.

Follow the above steps to ensure your organization is ready.

Share files and messages securely with TitanFile! TitanFile
  • As easy to use as email for staff and clients
  • Lightning-fast upload speeds
  • Send files of any size. No storage limitations
Try TitanFile Free