Incident Response

Incident Definition

  • NIST - 'An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.'
  • Cybrary - 'An incident is an unplanned disruption or degradation of a network or system service and needs to be resolved immediately.'

NIST Incident Response Process

[Image not available: NIST incident response process diagram]

Incident Response Plan

  • The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization's information system(s). [NIST]
  • NIST Computer Security Incident Handling Guide (SP 800-61) provides guidance on exact elements to include:
    • Mission, strategies, and goals of incident response.
    • Senior management approval.
    • Approach to incident response.
    • Metrics for measuring response capabilities and effectiveness.
    • Roadmap for maturing response capability.
    • How the incident response program fits into the organization.

Incident Response Plan (IRP)

  • Documented incident types/category definitions.
    • Natural
    • Mechanical
    • Accidental / Human Error
    • Malicious / Compromise C-I-A
    • Policy Violation
  • Roles and responsibilities.
    • Granting clear authority for actions to be taken during an incident.
    • Who can/does perform IRP activities:
      • Incident Alerting
      • Identification / Triage
      • Decision Making - Must be an organizational executive.
      • Equipment Collection / Confiscation
      • Forensics - Independence / Segregation of Duties
      • Repair / Recovery
      • Reporting
      • Communicating - Talking outside the organization.
  • Cyber-incident response teams.
    • Computer Emergency Response Team (CERT)
    • Cyber Incident Response Team (CIRT)
    • Computer Security Incident Response Team (CSIRT)
    • Formalized, standing, or ad-hoc.
    • Internal or external.
    • Central, distributed, or coordinating.
    • Includes:
      • Systems, network, database admins.
      • Legal
      • HR
      • Management
  • Reporting requirements/escalation.
    • Document.
    • Included in many help desk systems.
    • Collecting evidence (physical, virtual, etc.)
    • Reporting / Disclosing To:
      • Internal Management (Legal, HR, CEO, CFO)
      • Legal Authorities / Law Enforcement (Local, FBI)
      • Affected Organizations / Clients / Customers
      • CERT
      • Internet Crime Complaint Center (IC3)
      • Insurance (Cyber)
    • The plan also needs to state which outside agencies (if any) must be notified.
    • Escalation guidelines indicate under what circumstances you need to ask for additional assistance.
  • Testing, Exercises, and Training.
    • Be prepared.
    • Prepare each role with training.
    • Practice using real world scenarios.
    • Test systems and processes to find issues.
    • Tabletop and functional exercises.

Incident Preparation

  • Create an "Incident Response Plan" or IRP.
  • Hardware/Software/Communications
    • 'Jump Kit'
  • Testing & Exercises
  • Creating Checklists
    • Technical
    • Procedures
    • Contacts

Incident Detection / Identification / Analysis

  • Alerting
    • Logs - IDS, SIEM, AV
    • Humans
  • Incident triage / validation.
  • Determine incident scope.
    • What and who is affected.
    • Number of systems affected.
    • Identification type:
      • system
      • data
      • personnel
      • etc
  • Analysis - Impact and Recoverability Effort
  • Escalation
  • Documentation & Notification
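The alerting, triage and scoping steps above can be run mechanically over alert data before a human decides whether an incident exists. The following added example (not part of the original notes) parses a constructed batch of IDS/SIEM/AV alert lines in an assumed `key=value` format, filters them by severity for triage, and reports the scope (which hosts, which users, how many systems) plus which hosts were flagged by more than one independent source, a useful signal that an alert is a true positive rather than noise.

```python
"""Triage constructed IDS/SIEM/AV alert lines and summarise incident scope.

Added example: the line format, host names, users and signature names are all
constructed for illustration and do not come from any real product or site.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample alerts (assumed "key=value" format, not a real product's).
SAMPLE_ALERTS = """\
2024-03-01T08:02:11Z source=IDS severity=high host=ws-017 user=alice sig="ET MALWARE known C2 beacon"
2024-03-01T08:02:40Z source=AV severity=high host=ws-017 user=alice sig="Trojan.GenericKD"
2024-03-01T08:05:03Z source=SIEM severity=medium host=srv-db-02 user=svc_backup sig="Brute force: 50 failed logons"
2024-03-01T08:06:19Z source=IDS severity=low host=ws-031 user=bob sig="Policy: P2P traffic"
2024-03-01T08:07:55Z source=AV severity=high host=ws-022 user=carol sig="Trojan.GenericKD"
2024-03-01T08:09:00Z source=SIEM severity=info host=ws-017 user=alice sig="New scheduled task created"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) source=(?P<source>\S+) severity=(?P<severity>\S+) '
    r'host=(?P<host>\S+) user=(?P<user>\S+) sig="(?P<sig>[^"]*)"$'
)
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Alert:
    ts: str
    source: str
    severity: str
    host: str
    user: str
    sig: str


def parse_alerts(text):
    """Parse alert lines; malformed lines are skipped so triage never crashes on bad input."""
    alerts = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            alerts.append(Alert(**match.groupdict()))
    return alerts


def triage(alerts, min_severity="medium"):
    """Keep alerts at or above min_severity, most severe (then earliest) first."""
    threshold = SEVERITY_RANK[min_severity]
    kept = [a for a in alerts if SEVERITY_RANK[a.severity] >= threshold]
    return sorted(kept, key=lambda a: (-SEVERITY_RANK[a.severity], a.ts))


def incident_scope(alerts):
    """What and who is affected, and how many systems: the inputs to the scope decision."""
    hosts = sorted({a.host for a in alerts})
    return {
        "hosts": hosts,
        "systems_affected": len(hosts),
        "users": sorted({a.user for a in alerts}),
        "alert_sources": dict(Counter(a.source for a in alerts)),
        "signatures": dict(Counter(a.sig for a in alerts)),
        "highest_severity": max((a.severity for a in alerts),
                                key=SEVERITY_RANK.get, default=None),
    }


def corroborated_hosts(alerts):
    """Hosts flagged by more than one independent source (e.g. IDS and AV)."""
    sources_per_host = {}
    for a in alerts:
        sources_per_host.setdefault(a.host, set()).add(a.source)
    return sorted(h for h, s in sources_per_host.items() if len(s) > 1)


if __name__ == "__main__":
    all_alerts = parse_alerts(SAMPLE_ALERTS)
    urgent = triage(all_alerts)
    print("Alerts needing validation:", len(urgent))
    print("Scope:", incident_scope(urgent))
    print("Corroborated hosts:", corroborated_hosts(all_alerts))
```

The scope summary is computed over the triaged (medium-and-above) alerts only, so low-severity noise does not inflate the count of affected systems; corroboration is checked over every alert because even an info-level SIEM event on a host already flagged by AV strengthens the case for validation.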

Incident Containment

  • Ensuring incident doesn't continue or spread.
  • Securing the scene / limiting access / isolating systems (quarantine)
    • Physical
    • Network
    • Logical
  • Gathering Evidence
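Evidence gathered during containment is only useful later (for forensics, for reporting, for law enforcement) if its integrity and handling can be shown. The following added example (not from the original notes) hashes each collected item at collection time, records who collected it and every hand-off in a chain-of-custody log, and re-verifies the hash on demand; the evidence file, analyst names and log contents are constructed for the demonstration.

```python
"""Hash collected evidence and keep a chain-of-custody log.

Added example: file names, people and log contents are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file so large disk or memory images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def register_evidence(path, collector, description, custody_log):
    """Record what was collected, by whom, when, and its hash at collection time."""
    entry = {
        "item": os.path.basename(path),
        "path": os.path.abspath(path),
        "sha256": sha256_file(path),
        "size_bytes": os.path.getsize(path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "description": description,
        "transfers": [],
    }
    custody_log.append(entry)
    return entry


def transfer_custody(entry, from_person, to_person, purpose):
    """Every hand-off is appended, never overwritten, so the chain stays complete."""
    entry["transfers"].append({
        "from": from_person,
        "to": to_person,
        "purpose": purpose,
        "at": datetime.now(timezone.utc).isoformat(),
        "sha256_at_transfer": sha256_file(entry["path"]),
    })


def verify_evidence(entry):
    """True only if the item still hashes to the value recorded at collection."""
    return sha256_file(entry["path"]) == entry["sha256"]


def save_custody_log(custody_log, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(custody_log, fh, indent=2)


def demo():
    """Constructed walk-through: collect, hand off, verify, then detect modification."""
    with tempfile.TemporaryDirectory() as workdir:
        item = os.path.join(workdir, "ws-017_auth.log")  # constructed evidence file
        with open(item, "wb") as fh:
            fh.write(b"Mar  1 08:02:11 ws-017 sshd[4412]: Accepted publickey for alice\n")
        log = []
        entry = register_evidence(item, "analyst1", "auth log from suspected host", log)
        transfer_custody(entry, "analyst1", "forensics-lead", "imaging and analysis")
        intact = verify_evidence(entry)
        with open(item, "ab") as fh:  # simulate a change made after collection
            fh.write(b"extra line\n")
        still_intact = verify_evidence(entry)
        save_custody_log(log, os.path.join(workdir, "custody.json"))
        return {
            "intact_after_transfer": intact,
            "intact_after_modification": still_intact,
            "transfers": len(entry["transfers"]),
            "hash_len": len(entry["sha256"]),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the custody log is written to storage the responders cannot silently alter (write-once media, a separate logging host), and the original item is imaged once and all analysis is done on copies, so that `verify_evidence` keeps returning True for the original.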


Incident Eradication

  • Find and eliminate the root cause.
  • Removing elements of the incident, such as malware.
  • Actions:
    • AV Clean-Up
    • Patching / Updating Software
    • Re-Imaging Systems
    • Restoring from Backup

Incident Recovery

  • The process of restoring affected systems and devices and returning them to the business environment.
  • Repair
    • Restoring from backup
    • Patching
    • Hardening systems (using known baseline)
    • Access control (network or systems)
    • Authentication (change passwords)
  • Procedural Changes
  • Documentation
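"Hardening systems (using known baseline)" means checking the rebuilt host against a documented good configuration before it goes back into production, rather than trusting that a re-image or restore left it correct. The following added example (not from the original notes) parses an `sshd_config`-style file and reports every setting that is missing or differs from an assumed baseline; the keyword names are real OpenSSH keywords, but the baseline values and the sample config are constructed and not a published standard.

```python
"""Check a recovered host's configuration against a known-good hardening baseline.

Added example: the baseline values and sample config are constructed; keyword
names match OpenSSH sshd_config, but the values are an assumed baseline only.
"""

# Assumed baseline for this example (not a published standard).
HARDENING_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config as captured from the rebuilt host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config captured from the rebuilt host (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


def parse_kv_config(text):
    """Parse 'Keyword value' lines; comments and blanks are ignored.

    The first occurrence of a keyword wins, matching how sshd reads its config.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(key, value)
    return config


def check_against_baseline(config, baseline):
    """Return one deviation record per baseline setting that is missing or differs."""
    deviations = []
    for key, expected in baseline.items():
        actual = config.get(key)
        if actual is None:
            deviations.append({"setting": key, "expected": expected, "actual": None,
                               "reason": "not set; the daemon default applies"})
        elif actual.lower() != expected.lower():
            deviations.append({"setting": key, "expected": expected, "actual": actual,
                               "reason": "differs from baseline"})
    return deviations


def is_compliant(config, baseline):
    return not check_against_baseline(config, baseline)


def remediation_lines(deviations):
    """Config lines that would bring the host to the baseline."""
    return [f"{d['setting']} {d['expected']}" for d in deviations]


if __name__ == "__main__":
    current = parse_kv_config(SAMPLE_SSHD_CONFIG)
    for dev in check_against_baseline(current, HARDENING_BASELINE):
        print(f"{dev['setting']}: expected {dev['expected']!r}, got {dev['actual']!r} ({dev['reason']})")
    print("Compliant:", is_compliant(current, HARDENING_BASELINE))
```

A missing keyword is reported as a deviation rather than assumed safe, because the effective value is then whatever the daemon's compiled-in default happens to be on that build, which is exactly the kind of drift a baseline check exists to catch.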

Post Incident

  • Lessons Learned
  • After-action meeting with all Incident Response Team members.
  • Capture actions such as the cause, the cost, and recommendations for preventing future incidents.
  • Discuss what you've learned from the data breach.
  • Regulatory or legal requirements.
  • Update IRP