A Roadmap to Incident Response

6 steps for Effective IR Planning



Vice President, DFIR


Cyberattacks have significantly increased over the years and have become more complex than ever. In order to safeguard your business from vulnerabilities, it is important to ensure that you have a response plan in place that can be activated in times of crisis—especially when your reputation, revenue, and customer relationships are on the line.


Much like fire drills, incident response is a business process that should be actively and regularly practiced such that it becomes second nature even during high-pressure situations.


An incident response plan must be put in place to guide attack mitigation and recovery. This plan should follow the processes prescribed by the SANS Institute and NIST for a methodical and more organized approach (see the article What is Incident Response? Definition, Team, Plan).


However, it must be noted that not all cybersecurity incidents are similar in nature and importance. While some may require rigorous investigation due to the complexity of the attack and the size of the damage, others might simply be login failures or isolated cases.


That said, your company must keep a list of possible event and incident types with specifics on when each event needs a thorough investigation. You will then have to modify your incident response processes accordingly.

Incident Response Plan Process

Before elaborating on each step of the Incident Response Process, take a look at the phases developed by SANS Institute and NIST that must be considered in conducting incident response:

SANS Institute:

  1. Preparation

  2. Identification

  3. Containment

  4. Eradication

  5. Recovery

  6. Lessons Learned

NIST:

  1. Preparation

  2. Detection and Analysis

  3. Containment, Eradication, and Recovery

  4. Post-Incident Activity

From the get-go, both SANS Institute and NIST clearly have similar elements and order. The only difference is that NIST has grouped some elements into a single step. Nevertheless, both programs provide guidance on key considerations for an effective incident response plan.


Preparation

'Preparation' not only better arms the IR effort in the event of a future incident; it also greatly reduces the risk that a response will be required in the first place.


This stage is critical, and much effort should be put to ensure the organization is as prepared as possible.


Some (non-exhaustive) questions to consider:


  • What elements comprise your security infrastructure?

  • Who is in your response team? 

  • Who are the decision-makers?

  • Do you need experts in Media, Legal, HR, or IT Systems?

  • Do you have reporting obligations to external authorities? If so, who will liaise with them and when?

  • Do you have adequate internal skills or do you need trusted partners to assist?

  • Are you capable of capturing evidence for use in potential criminal or civil proceedings?


Prioritize your assets. This means listing not only your critical assets but all of your systems, networks, servers, and applications. Assess their value and rank them by importance. Then observe the traffic patterns for these assets, determine what is normal, and be alert to any discrepancies.


Set up appropriate policies and standards to follow in different situations such as network access, login guidelines, use of strong passwords, file sharing, as well as email and other platform access.


Strategize on how to manage the different types of cases and incidents. Rank each possible event based on priority, severity, and organizational impact. Provide notes on each event, specifying how it can be resolved, what steps to take to remediate it, and what tools to use, if any.


Set up a communication plan among all stakeholders involved. Assign responsibilities to individual contact persons and specify what form of communication to use, when they should be contacted, and for which kinds of incidents. Do not forget to include and collaborate with the Legal, HR, and Procurement teams (including external partners) so that requests move forward much more quickly and efficiently.


Properly document all events and provide updates. Include information about checklists, questions to be answered in case of emergencies, instructions, and other important information. Conduct regular cyber hygiene checks and updates.


Provide access control, tools, and training. You must give specific access to the company’s network and systems to your Incident Response Team in order for them to conduct all necessary actions to mitigate the crisis. Likewise, proper tools and training must be available to them to ensure that they are well-equipped to fix issues that will be discovered during the incident.


Identification (or Detection and Analysis)

An organization's network will host literally millions of 'events' such as system log-ons, software updates, network connections established, and more. Over 99.9% of these events will be normal behavior for your environment.


The trick is to be able to identify the event or events that are unauthorized or have an adverse impact on your systems and business. These are called 'incidents', and incidents must be investigated.


In order to prevent incidents from happening, regular and strict monitoring must be observed. This will help in detecting and reporting any anomalies or potential security risks. Monitoring security events includes constant review of log files, error messages, intrusion detection systems, and firewalls.


At the onset of an attack, identifying the root cause of the breach is and should be the main objective. Gather all necessary details about the incident. Find out who, what, when, where, and how it happened. Check from different entry points and indicators including user accounts, system administrators, network administrators, the SIEM, and logs.


Alert and report the incident to the proper authority by submitting an incident ticket. Classify the incident based on the predefined incident types. Analyze and record the extent of the event, especially the damage done to the systems.
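To make the identification step concrete, here is an added example (not code from the article or from Blackpanda) that does in miniature what the paragraphs above describe: it parses a stream of authentication events, treats the bulk of them as normal, and promotes only the anomalous ones to classified, severity-ranked incidents ready for a ticket. The sshd-style log lines are constructed sample data, and the baseline of business hours, the failed-login threshold and window, and the incident type labels are assumptions chosen for illustration rather than a standard taxonomy.

```python
"""Triage authentication events: keep the benign majority as 'events',
promote the suspicious minority to classified 'incidents', rank by severity.

Added example, not from the article. Log format, thresholds, business-hours
baseline and incident type names are all illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-style format (not real data).
SAMPLE_LOG = """\
2024-03-04T02:11:05 host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-04T09:00:12 host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-04T09:01:40 host2 sshd: Failed password for bob from 203.0.113.9
2024-03-04T09:01:41 host2 sshd: Failed password for bob from 203.0.113.9
2024-03-04T09:01:42 host2 sshd: Failed password for bob from 203.0.113.9
2024-03-04T09:01:43 host2 sshd: Failed password for bob from 203.0.113.9
2024-03-04T09:01:44 host2 sshd: Failed password for bob from 203.0.113.9
2024-03-04T09:01:50 host2 sshd: Accepted password for bob from 203.0.113.9
2024-03-04T09:05:00 host1 apt: Unpacking openssl (3.0.2) ...
2024-03-04T09:10:00 host1 sshd: Accepted password for carol from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                  # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window = brute force
BUSINESS_HOURS = range(8, 19)       # 08:00-18:59 is the assumed normal baseline

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


def parse_auth_events(text):
    """Return sshd login events as dicts. Lines that do not match (package
    updates, etc.) are ordinary events with no security relevance here."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def triage(events):
    """Promote anomalous events to incidents with a type and a severity,
    highest severity first, so the ticket queue reflects priority."""
    incidents = []
    fails = defaultdict(list)   # failed-login timestamps per source address
    flagged_sources = set()     # sources already reported for brute force

    def record(kind, severity, e):
        incidents.append({"type": kind, "severity": severity, "ts": e["ts"],
                          "host": e["host"], "user": e["user"], "src": e["src"]})

    for e in events:
        if e["result"] == "Failed":
            fails[e["src"]].append(e["ts"])
            recent = [t for t in fails[e["src"]] if e["ts"] - t <= FAIL_WINDOW]
            # Report each brute-forcing source once, when it crosses the threshold.
            if len(recent) >= FAIL_THRESHOLD and e["src"] not in flagged_sources:
                flagged_sources.add(e["src"])
                record("brute_force", "high", e)
        elif e["src"] in flagged_sources:
            # A success from a source that was just brute-forcing: likely compromise.
            record("success_after_bruteforce", "critical", e)
        elif e["ts"].hour not in BUSINESS_HOURS:
            # Deviation from the baseline: worth a look, but lower priority.
            record("off_hours_login", "medium", e)

    incidents.sort(key=lambda i: SEVERITY_RANK[i["severity"]], reverse=True)
    return incidents


def triage_log(text):
    """Convenience wrapper: raw log text in, ranked incident list out."""
    return triage(parse_auth_events(text))


if __name__ == "__main__":
    for inc in triage_log(SAMPLE_LOG):
        print(f"[{inc['severity']:8}] {inc['type']:25} "
              f"{inc['ts']} {inc['user']}@{inc['host']} from {inc['src']}")
```

On the sample data, nine of the ten lines are login events and three become incidents: bob's successful login right after five failures from the same address (critical), the brute-force burst itself (high), and alice's 02:11 login outside the assumed business-hours baseline (medium). The other successful logins and the package update stay in the normal pile, which is the distinction the section draws between events and incidents.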


Containment, Eradication, and Recovery

While this is where SANS Institute and NIST differ the most, the essential focus of these steps is to contain the damage, eradicate all threats, and restore all systems back online.


Part of containing the damage is to ensure that the incident does not escalate further. This includes isolating the affected accounts, servers, or networks from the rest of the environment; backing up files and systems; and temporarily repairing any damaged material. Aside from these, it is important to keep all evidence safe from destruction.


Note that managing containment can be tricky as many stakeholders may be affected and certain efforts may even tip off the attackers that you are aware of their efforts. As such, decision-makers need to be informed and empowered. Consideration must be given to balancing the risk of continuing normal operations with the actions required to mitigate the threat.


Following Identification and Containment, there should be enough information to determine the root cause of the incident and how to best disrupt the attacker and remove them from your environment. The priority is to neutralize and remove all threats, including malicious activities and contents. Consider conducting a complete reimaging of the system’s hard drive to safeguard from subsequent attacks.


Any affected systems or platforms will need to be restored to proper working order following an incident. Examine any connected or related systems to ensure they are operating as normal with no signs of compromise.


Security professionals must coordinate these efforts with the business and operations teams to minimize disruption and maximize efficiency. Lastly, recovery requires establishing more sophisticated monitoring and detection techniques for combating future threats.

Lessons learned (or Post-Incident Activity)

This final step involves the assessment of the entire incident, from how it was prepared for, managed, and addressed. While many firms regrettably skip this process, it is absolutely essential to recognize your victories and failures during the entire process.


Systematic reflection highlights areas to sustain and areas to improve for the future. This final step also serves as training material that you can use to update your current incident response plan and the list of incidents you have already encountered.


What did the organization and stakeholders learn from this incident? Could the incident have been prevented? Was it handled correctly? Do we have the right people and resources to detect and manage such incidents in the future?


Prepare briefings for the board, shareholders, and reporting agencies where required, and always remember: security is ultimately a human problem – can we better train our employees in any way?
