Incident Response – A Complete Guide

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyber-attack, also known as a security incident, computer incident, or IT incident. A cyber-attack such as a data breach can wreak havoc on an organization and should therefore be handled in a way that limits damage and reduces associated costs and recovery time. A comprehensive investigation of the incident is then carried out so that the organization is better prepared for the future.

Advancements in technology have led to an increase in the number of security incidents. As technology improves, black hats also enhance their skills and techniques, which means organizations are being hit more frequently than before. Developing a repeatable incident response process is, therefore, the best way to secure your company.

Ideally, incident response is carried out by the organization’s computer security incident response team. This group is selected to include information security and general IT staff as well as C-suite members. The team may also comprise representatives from human resources, public relations, and the legal department. Organizations have a set of standard operating procedures to follow if there is an incident or breach: the incident response plan.

The incident response plan is a proactive plan that prepares an organization to counter a security breach of its systems. When defined in detail, an incident response plan helps an organization make quick decisions based on reliable information. The process involves IT experts as well as experts from other core areas of the business.

Importance of Incident response

Poor handling of an incident exposes an organization to possible future attacks, which may lead to adverse effects such as considerable expense, a data breach, or collapse of the entire system. A fast response helps to restore denied services, minimize losses, and mitigate exploited vulnerabilities.

Incident response is a defensive tool that arms an organization against both anticipated unknowns and known threats that are likely to recur. Incident response also enables an organization to set up a series of best practices to stop an intrusion before it causes much damage.

Most organizations rely on sensitive information to run their day-to-day operations. Incidents may range from laptops compromised because of weak passcodes and security practices to simple malware, and either can affect the success of the entire organization. Damage caused by security incidents can be costly and, if not mitigated quickly, could cause massive losses.

Types of security incidents

There are different kinds of incidents, depending on different factors. Organizations categorize incidents differently depending on the extent of impact or the effect on day-to-day operations. Below is a list of some of the common types with negative impacts on businesses.

  • Ransomware or malware which affects critical business files across the organization
  • A missing laptop with unencrypted critical customer data
  • A successful phishing attempt that has exposed confidential customer information
  • A distributed denial of service attack against critical cloud services

Security incidents that are considered urgent warrant immediate response and must be dealt with without delay. A rapid response must be executed whenever the expected negative impact on the business, information system, or network is significant.

Incident response can also be defined elaborately by pointing out the difference between threats and vulnerabilities. A threat is any element such as a malicious individual within the organization looking for an opportunity to exploit the vulnerability for ill intentions or financial gain. On the other hand, a vulnerability is a weakness in a network system, workforce, or business process that a black hat can easily exploit. When a threat exploits a vulnerability, there are consequences such as legal and compliance violations, identity theft, and access to sensitive information assets.

Incident response plan

The incident response plan is a set of instructions followed by a response team when an incident occurs. The plan outlines a methodology to follow while responding to and limiting the impact of a security incident. The specifics include instructions on responding to potential attack scenarios such as distributed denial-of-service attacks, insider threats, malware outbreaks, and data breaches.

Without a proper incident response plan, an organization may be unable to follow a proper protocol to contain a threat and recover from it in the event of a breach. A well-documented response plan helps an organization respond rather than react to an incident. Lack of a formally documented incident response plan only worsens the situation and can be indefensible if lawyers are involved.

There are six critical phases of an incident response plan as per the SANS Institute:

  1. Preparation – equipping employees, IT staff, and users with the capabilities to handle an incident in case of an attack
  2. Identification – determining whether an event is a security incident or not
  3. Containment – isolating the affected systems to limit the extent of the damage
  4. Eradication – identifying the root cause of the problem and eliminating the affected part of the system, the vulnerable employee, or the flaw in the system
  5. Recovery – after eliminating the threat, carefully re-introducing the affected parts back into the system or production environment
  6. Lessons learned – finalizing the documentation, performing a comprehensive analysis to learn from the incident, and perhaps suggesting recommendations on how to upgrade the system

Creating an incident response plan

An incident response plan should be prepared in advance by the IR coordinator or the relevant IR team, and it should contain the components listed below (plan element – purpose and scope).

  • Overview – a brief introduction to what the plan is all about, the goals to be achieved, the scope, and the underlying assumptions.
  • Outline of roles and responsibilities – outlines the specific roles and duties of every team member.
  • A detailed list of incidents that should be responded to – lists exploits, threats, and situations that require formal response actions. Systems are exposed to a range of threats and exploits; the possibilities range from malware attacks and email phishing to lost laptops with no strong passwords and denial-of-service attacks. This component is the most significant part of the incident response plan.
  • Detection, investigation, and containment process – the first step of the actual response procedures that you intend to use. It includes tasks such as evaluating the situation, informing team members, involving external parties, eliminating the threats, confirming the incident, collecting information, reporting findings, and documentation.
  • Eradication procedures – outlines the general steps for cleaning up the incident, such as system log and network traffic analysis, forensic review, and subsequent testing to confirm resolution.
  • Recovery phase – explains tasks in the recovery phase, such as reimaging hosts, adjusting firewalls, and reinstalling hosts and other related configurations.
  • Breach notifications – outlines how the alert is to be raised and when it should be communicated.
  • Follow-up tasks – includes additional reports, further documentation, and lessons learned that might come out of this phase.
  • Call list – provides contact information for incident response team members and involved vendors, such as cloud service providers or internet service providers.
  • Testing scenarios – outlines the exact testing scenarios that will be carried out.

Depending on need, IR plans may differ from organization to organization. However, the elements listed above are essential and should be included in every organization’s plan. Integrate your organization’s goals and objectives into the plan to make it specific to your organization.

An organization’s incident response plan should not be combined with other documents such as security plans and procedures, business continuity plans, or disaster recovery. Instead, it works as a stand-alone document that all your incident response team members know about and have easy access to both in hard copy and network form.

What’s the role of a response team?

An effective incident response program requires putting together a cross-functional team from diverse parts of the business. Failing to include the right people will only cause the execution of the response plan to fail. The team helps with the execution of the plan and with ongoing oversight and maintenance, such as administering day-to-day technical controls. These activities take place both during an incident and afterward. The team may include members of the organization’s overall security function as well.

Who is accountable for incident response?

An incident response team is formed as a proactive measure to counter incidents should they occur. The team has the task of analyzing security events and responding appropriately. The team may include:

  • Response manager – in most cases an IT director, who prioritizes and oversees actions during the detection, analysis, and containment of an incident. The manager is therefore part of top management and communicates high-severity incidents and other critical information to the rest of the organization.
  • Security analysts – experts who support top management by giving technical advice and working directly on the affected network to identify the location, time, and other essential elements of the incident. Triage analysts filter out false-positive threats and flag potential intrusions. Essential artifacts that are left behind and can act as tangible leads are collected and analyzed by forensic analysts.
  • Threat researchers – provide threat context and intelligence for an incident. This group does extensive research to find information that may have been reported externally. Combined with data from within the organization, such as records of previous incidents, this is used to build and maintain a database of internal intelligence. This type of intelligence can be sourced from external providers if it does not exist in-house.

An incident response team may include a human resources representative where the investigation reveals that an employee has played a role in an incident. Management specialists in audit and risk can develop vulnerability assessments and threat metrics and advocate for the organization’s best IR practices.

Incident response plan management

Like all other aspects of information security, incident response requires thoughtful planning, clear metrics, and ongoing oversight so that efforts can be measured appropriately. Ongoing measurement initiatives include periodically evaluating the response plan to ensure its effectiveness and keeping all response team members trained on the response procedures. The specific metrics used to quantify how effective the response initiative is include the following:

  • Number of missed incidents
  • Number of incidents to be acted upon
  • Number of repeat incidents
  • Number of incidents that led to breaches
  • Remediation timeframe
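As an added illustration (not code from the original article), the Python below derives these metrics from a small constructed incident register; the `Incident` fields, the sample records, and the reading of "missed" as "first detected by an outside party rather than the organization’s own monitoring" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Incident:
    ident: str                         # ticket id
    category: str                      # e.g. "phishing", "malware", "lost-laptop"
    detected_by: str                   # "internal" (own monitoring) or "external" (customer, vendor, police)
    detected_at: datetime
    remediated_at: Optional[datetime]  # None while the incident is still open
    breach: bool                       # did the incident result in a confirmed data breach?

# Constructed sample register (assumed values, not from the article).
T0 = datetime(2024, 1, 1)
INCIDENTS = [
    Incident("INC-1", "phishing", "internal", T0, T0 + timedelta(hours=4), False),
    Incident("INC-2", "malware", "external", T0 + timedelta(days=2), T0 + timedelta(days=3), True),
    Incident("INC-3", "phishing", "internal", T0 + timedelta(days=5), T0 + timedelta(days=5, hours=12), False),
    Incident("INC-4", "lost-laptop", "internal", T0 + timedelta(days=7), None, False),
    Incident("INC-5", "malware", "internal", T0 + timedelta(days=9), T0 + timedelta(days=10), False),
]

def ir_metrics(incidents):
    """Derive the programme metrics listed in the article from an incident register."""
    # "Missed" is read here as: first detected by an outside party, not by our own monitoring.
    missed = sum(1 for i in incidents if i.detected_by != "internal")
    # Incidents still to be acted upon: no remediation timestamp yet.
    open_count = sum(1 for i in incidents if i.remediated_at is None)
    # A repeat is any incident whose category already occurred earlier in the period.
    seen, repeats = set(), 0
    for i in sorted(incidents, key=lambda x: x.detected_at):
        if i.category in seen:
            repeats += 1
        seen.add(i.category)
    breaches = sum(1 for i in incidents if i.breach)
    # Remediation timeframe: mean hours from detection to remediation over closed incidents.
    hours = [(i.remediated_at - i.detected_at).total_seconds() / 3600
             for i in incidents if i.remediated_at is not None]
    mean_remediation_h = sum(hours) / len(hours) if hours else None
    return {
        "total": len(incidents),
        "missed": missed,
        "open": open_count,
        "repeats": repeats,
        "breaches": breaches,
        "mean_remediation_hours": mean_remediation_h,
    }
```

Tracking these figures per reporting period, rather than as a one-off, is what makes the "ongoing oversight" above measurable.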

Incident response problem-solving

Problem-solving is an integral part of incident response. It is easy to get sidetracked while executing the IR methodology. One must therefore prioritize where to focus effort and what to ignore. This can be done effectively by evaluating incidents on their urgency for a response, the worth of the specific areas hit by the intrusion, and the response methodology required for different incidents. The best way to achieve this prioritization, therefore, is to view security incidents, breaches, and confirmed attacks from the following perspective:

  1. What is important but not urgent?
  2. What is urgent but less significant?
  3. What is both significant and urgent?

For instance, a malware attack on a branch office sales workstation that only connects to the office network via guest Wi-Fi would be considered urgent but not equally important. On the other hand, losing a newly purchased laptop with no significant data may be considered important but not urgent. Examples of issues that are both important and urgent would be a malware attack affecting production servers, a phishing attempt on executives leading to the compromise of network credentials, and a denial of service against an e-commerce website. Urgent and significant scenarios occur when there is an extreme attack on an essential part of the system.

In most cases, the security issues you are faced with fall into the first two categories. While these must be addressed, they can be more of a distraction. This is why, as an organization, you must filter out the “noise” and focus on the core elements of what is being targeted. The third category, both urgent and important, is where you will find most of your incidents and issues fall. The most important thing to do is look at the bigger picture and first address those incidents with the greatest impact on your vital network resources.

With the advancements in technology, where decisions are often made for us, it is challenging to find competent IT and security staff who will be reliable in case of an event.

Incident response plans vs. business continuity plans

The incident response role keeps threats at bay and keeps the business running with low external risk. It should therefore be considered part of business continuity, since it proactively aims to minimize the negative impacts of unforeseen events. Incident response ought to have the highest visibility within an organization because of what is at stake and the many variables involved, such as technologies, business processes, and people. An incident response plan is largely dedicated to breaches and intrusions affecting applications and databases, networks and computers, and other related information assets. Most organizations therefore keep the incident response plan as a stand-alone document, separate from but referenced by the business continuity plan. What matters is to ensure that the response plan is easily accessible to all team members whenever it is needed.

Tools used for incident response

A wide range of tools and methodologies are used to minimize issues and assist in the response plan, categorized by detection, response, or prevention functionality. Some organizations have adopted the OODA loop, originally used by the military, for incident response. The OODA loop is a methodology that encourages an entity to observe, orient, decide, and act upon the occurrence of an incident. For instance, an organization may observe an incident by conducting system resource monitoring, examining various file integrity technologies, or performing simple packet analysis. Real-time threat intelligence or indicators may be used to gain insight.

The emergence of artificial intelligence makes it possible to automate and streamline response, reducing errors and detection time. Incident response tools provide professionals with the information they need to know what to do once an abnormality has been detected within a given system.

Prevention is key to incident response. The main intent of creating a great IR program is to mitigate cyber-attacks and deal with other system vulnerabilities and exploits. However, your first line of defense is to keep your system safe and employees empowered to defend and react in case of an incident or security breach.

The most significant and urgent security incidents are those that can directly affect your employees: malware, phishing attacks on executives, and misconfigured computer systems and software that black hats can exploit for further penetration and enumeration. With all the know-how on computer security and A-class tools at our disposal, there is no need to offer hackers low-hanging fruit. Unencrypted data, missing patches, and weak passwords can easily lead to an incident or security breach. Although that is how breaches normally occur, it is up to every incident response team to up their game and identify where the gaps and opportunities lie.