The 6 Phases of Incident Response

Every day the news reports that another company has suffered a data breach, often involving sensitive data in which we, as individuals, may also be caught up.

Whilst avoiding an attack is the best outcome, we all know that reality doesn't make this possible; no solution can prevent every attack. Even if you've outsourced your IT or your data lives in the cloud, ultimately the responsibility for keeping your customer data safe falls on your shoulders.

In the unfortunate event that you, or an organisation you have an interest in, suffers a breach, there should be a plan prepared so that you can respond immediately. To assist you, Forint has created an easy-to-implement plan, built upon industry standards, that outlines the most effective ways to respond to and recover from a cyber security incident.

Each phase has its own needs that should be considered; the 6 phases of incident response are as follows:

  • Preparation

  • Identification

  • Containment

  • Eradication

  • Recovery

  • Lessons Learned

Let’s take a closer look at each step, and point out the things you need to tackle.

1. Preparation

This phase is the workhorse of incident response preparation and, in the end, the most important step in protecting your company. It covers:

  • Create incident response simulation scenarios and regularly run simulated data breaches to test the response plan.

  • Make sure all elements of the incident response plan are approved and funded beforehand.

  • Your response plan should be well defined, outlining the roles and responsibilities of each team member in detail. The plan then has to be exercised to ensure staff act as they have been trained.

The better prepared your staff are, the less likely they are to make critical errors.

2. Identification

Identification is the process of determining whether you have in fact been breached, by looking for deviations from normal operations and activity. A breach, or incident, may have occurred in several different places.

Normally a company discovers that they have been breached in one of four ways:

  • The breach is detected internally, for example through intrusion detection alerts in device logs, alerting processes, network anomalies or malware warnings from anti-virus scans.

  • Your bank informs you of a potential breach, based on fraud reports involving company credit cards.

  • Law enforcement discovers the breach while investigating the sale of stolen card data.

  • A customer tells you that your company was the last place they used their card before fraudulent transactions began.
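The first of those four routes, internal detection by looking for deviations from normal activity, is the one a team can actually engineer. The script below is an added example, not part of Forint's plan or the original article: it scans sshd-style authentication log lines for two signals that commonly start an identification phase, a burst of failed logins from one source followed by a success, and a successful login from outside the address space the organisation expects. The log lines, the hostname and addresses, the trusted range `10.0.0.0/8` and the thresholds are all constructed for the example.

```python
"""Scan authentication log lines for two signals worth raising in the
identification phase: a burst of failed logins from one source followed
by a success, and a successful login from outside the expected network.
The log lines, the trusted range and the thresholds are constructed for
this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd-style lines (hostname, addresses and users are made up).
SAMPLE_LOG = """\
Mar 10 08:00:01 web01 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:00:03 web01 sshd[2012]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 08:00:05 web01 sshd[2013]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 08:00:06 web01 sshd[2014]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 08:00:09 web01 sshd[2015]: Accepted password for root from 203.0.113.7 port 51126 ssh2
Mar 10 08:15:40 web01 sshd[2100]: Accepted publickey for deploy from 10.0.5.12 port 40210 ssh2
Mar 10 09:02:11 web01 sshd[2231]: Failed password for alice from 10.0.5.30 port 40311 ssh2
Mar 10 09:02:20 web01 sshd[2232]: Accepted password for alice from 10.0.5.30 port 40312 ssh2
"""

# Matches the standard OpenSSH "Accepted ..." / "Failed ..." message shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Assumed internal address space for the example; logins from elsewhere get flagged.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line, year=2024):
    """Return a dict for a recognised login line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_events(lines, max_failures=3, window=timedelta(minutes=5)):
    """Return (signal, source_ip, user) tuples in the order they are detected."""
    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            continue
        # A success after repeated recent failures from the same source
        # is the classic password-guessing footprint.
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        if len(recent) >= max_failures:
            findings.append(("brute_force_success", ip, ev["user"]))
        # A success from outside the expected address space is worth a look
        # even without preceding failures.
        if not any(ip_address(ip) in net for net in TRUSTED_NETS):
            findings.append(("login_from_untrusted_source", ip, ev["user"]))
    return findings


if __name__ == "__main__":
    for signal, ip, user in find_events(SAMPLE_LOG.splitlines()):
        print(f"{signal}: user={user} source={ip}")
```

Run on the constructed lines, the script flags the root login from 203.0.113.7 twice (four failures inside the window, then a success; and the source is outside the trusted range) and stays quiet about alice's single typo from an internal address. The thresholds are where tuning lives: too low and the alert drowns in ordinary mistyped passwords, too high and a patient guesser slips under it.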

3. Containment

When a breach is first detected, your initial impulse may be to delete everything so that you are rid of it. This would actually harm you in the long run, because you would lose the information you need to work out where the attack occurred and to formulate a strategy to prevent it happening again.

Instead, contain the breach so it won't spread and cause more damage to your company. Disconnect affected devices from the Internet if you can. Have containment strategies ready for both the short and the long term. It's also essential to have a robust backup programme to help restore business operations, so that any corrupted data is not lost forever.

It's also a good time to upgrade and patch your systems, review your remote access protocols, change all user and administrative credentials and harden all passwords.

When a company becomes aware of a potential breach, it is understandable to want to repair it quickly. However, without taking the appropriate measures and involving the right people, you can unintentionally destroy important forensic data.

Forensic investigators can use this data to assess how and why the incident happened, as well as to formulate a strategy to avoid similar potential attacks.

When you encounter an intrusion, remember:

  • Don’t panic

  • Don’t make hasty decisions

  • Don’t wipe and/or re-install your systems and virtual environments
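The practical counterpart to "don't wipe and re-install" is to record what was collected before anyone touches the host, so that investigators can later prove the artefacts they received are the ones taken during containment. The script below is an added example, not Forint's or the article's own code: it hashes each collected artefact with SHA-256, writes a small manifest naming the case, the collector and the collection time, and can be re-run to show whether any artefact has since changed. The case id `CASE-0001`, the collector name `ir-oncall` and the two sample files written to a temporary directory are constructed for the example.

```python
"""Record what was collected before anything on the host is changed.
Each artefact is hashed at collection time; re-running the check later
shows whether the copy investigators receive still matches. The sample
files, case id and collector name are constructed for this example."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large disk or memory images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Evidence manifest: who collected which artefact, when, and its hash."""
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [
            {"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": hash_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest):
    """Return the paths whose current content no longer matches the manifest."""
    changed = []
    for art in manifest["artifacts"]:
        if not os.path.exists(art["path"]) or hash_file(art["path"]) != art["sha256"]:
            changed.append(art["path"])
    return changed


def demo():
    """Constructed scenario: two artefacts are collected, then one is altered.

    Returns (changed_before, changed_after_basenames, manifest_json)."""
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")
        bash_hist = os.path.join(d, "bash_history")
        with open(auth_log, "w") as f:
            f.write("Mar 10 08:00:09 web01 sshd[2015]: Accepted password for root from 203.0.113.7\n")
        with open(bash_hist, "w") as f:
            f.write("cd /var/www\nls -la\n")

        manifest = build_manifest([auth_log, bash_hist], collector="ir-oncall", case_id="CASE-0001")
        before = verify_manifest(manifest)  # nothing has changed yet

        # A well-meaning "clean-up" empties the shell history on the host.
        with open(bash_hist, "w") as f:
            f.write("")
        after = verify_manifest(manifest)  # the altered artefact is now reported

        return before, [os.path.basename(p) for p in after], json.dumps(manifest, indent=2)


if __name__ == "__main__":
    before, after, manifest_json = demo()
    print(manifest_json)
    print("changed before clean-up:", before)
    print("changed after clean-up:", after)
```

The manifest is deliberately boring: a case id, who collected, when, and one hash per artefact. That is enough for an investigator to show the artefacts were not altered between collection and analysis, and the failing `verify_manifest` call after the "clean-up" is exactly the evidence loss the three bullets above are warning about. In a real collection the manifest itself should be stored somewhere the compromised host cannot reach.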

4. Eradication

When you have contained the incident, the root cause of the breach needs to be identified and removed. This means identifying and removing the practices, processes or technologies that contributed to the breach, removing all malware safely, hardening and re-patching devices, and applying updates.