7 Phases of Incident Response
Date: 1 February 2022
Cyber Incident Response Planning is always on the radar of businesses concerned about cybersecurity. This is because they’ve taken cognisance of the fact that sooner or later they will become victims of a security incident.
Sensitive data and confidential information are the new gold in the digital age, and cyber criminals are naturally always in pursuit of this goldmine. And since it’s only a matter of time before a business is attacked, it would be wise to be prepared with a solid incident response plan. But what does an incident response plan really consist of and what are the key 7 cyber incident response phases?
In this blog, we discuss the 7 phases of the cyber incident response process and how you can create your own effective and compelling cyber incident response plan.
What is an Incident Response Plan?
Before we delve into what the 7 incident response phases are, it is imperative to get into a brief discussion of Incident Response Planning.
A Cybersecurity Response Plan, put simply, is a plan of action that your business will implement when a security event occurs. It should ideally be a crisp, brief, to-the-point document that details the response steps to be taken by the incident response team (IR team) and the information security team when a ransomware attack or a cyber-attack does occur.
The plan should also enlist the roles and responsibilities of everyone in the executive team and management who may be involved in the incident handling process.
What has to be done with the affected user accounts and the affected systems? What chain of communication has to be followed? Who has to be informed when, how and by whom? Do the law enforcement agencies have to be contacted and if yes, when?
All these questions pertaining to the immediate aftermath of the period in which the incident occurs should ideally be covered in the response plan.
You can take a look at our FREE Incident Response Plan Template to start building out your own incident response plan.
What are the 7 Phases of Cyber Incident Response?
As per the National Institute of Standards and Technology or NIST as it’s popularly known, an incident response plan has 4 main phases. However, many cybersecurity experts break this down into a more comprehensive or detailed list of 7 phases of incident response. So let’s take a look at what these 7 steps are:
1. Preparation: As the name suggests, this phase of the incident response plan comes before the incident or data breach even takes place. It is the ultimate step that can make or break your response to cybersecurity events.
The preparation stage of Incident Response Planning takes into account that the business is highly likely to be attacked sooner or later and seeks to ready the organisation and its key stakeholders for this imminent eventuality.
This phase is all about risk assessment, evaluating where the maximum vulnerabilities lie, which assets are most likely to be attacked and what the business will do once they are attacked.
Defining clear channels of communication, establishing which response checklists will be followed, making sure business continuity plans are in place etc. are all part of this critical phase of incident response. Offering high-quality cybersecurity training to your staff also falls under the ambit of this phase.
2. Identification: This phase is obviously all about identifying the incident or cybersecurity breach that has occurred. Identifying the breach in the 'Golden Hour' is critical to ensuring the cybersecurity emergency doesn't spiral out of control.
This phase starts with assessing if the event in question is really a cyber-attack and if yes, how intense is it? Filtering out false positives makes up a big part of this phase.
Then come questions about the aspects of the business that have been compromised. What exact damage is the incident causing? Classifying the cybersecurity incident depending on the nature of the attack is also part of this phase of incident response.
3. Containing the situation: Controlling the impact of the attack makes up the next step of incident response. You must already have a strategy in place about how to contain the cyber incident from snowballing. As we know, just deleting everything isn’t ever the right solution as you could lose out on valuable evidence in the process.
Make sure that under the containment phase of incident response, you take short term and long term strategic elements into consideration. Aspects such as which systems will be taken offline in case of a breach and what backup processes are in place must be discussed in this phase.
4. Eradication: This step in incident response deals with eliminating the cause of the breach. Once you’ve contained the situation and zeroed in on the basic root cause of the problem, you need to figure out a solution to eradicate it.
Apart from securely weeding out the malware, this phase also lays emphasis on patching vulnerabilities and updating old versions of software.
5. Recovery: Once the vulnerabilities have been patched and malware has been eliminated, recovery or restoration is the next phase. This step focusses on getting the systems up and running again.
Monitoring the systems and making sure that they’re properly patched up is critical to operations swinging back to normal again.
6. Lessons Learned: One of the most critical aspects of any kind of incident response planning is reflection. This is also often referred to as 'Post Incident' actions. Looking back at the incident and evaluating how it was handled, gauging whether the response plans were enough and assessing if all key decision-makers and stakeholders behaved with agility and precision… these are some of the questions that you can ask in this phase of incident response.
If any changes are to be made in the incident response plan, this would be the phase to introduce them in. Refer to our Cyber Incident Response Plan Template to see if your plan covers all the vital aspects of good incident response.
Many organisations also like to bring external experts or cybersecurity advisors on board at this stage to help them evaluate their incident response strategies and how they can be improved going forward.
7. Test to Build Muscle Memory: Congrats, you managed to survive a grave security incident. But don’t waste too much time celebrating. Your hackers are not going to back down. In fact at this very moment, they’re probably planning how to strike back again and strike harder.
This is why you need to continually test and rehearse your incident response plans and try and find any loopholes or gaps in them that criminals may try to exploit next.
There is no time to rest in the cybersecurity cat-and-mouse race so unfortunately you can’t really take a break. You need to start testing whatever changes you may have recently made to your incident response plans in this phase.
To know more about how you can prepare your employees better for a cyber-attack, check out our NCSC-Certified Cyber Incident Planning & Response Course.