The 6 Phases of Incident Response

Every day in the news we hear that another company has suffered a data breach, often involving sensitive data that we, as individuals, may also be caught up in.

Whilst avoiding an attack is the best solution, we all know that reality doesn't make this possible; no single solution can prevent all attacks. Even if you’ve outsourced your IT or your data lives in the cloud, ultimately the responsibility for keeping your customer data safe falls on your shoulders.

In the unfortunate event that you, or an organisation you have an interest in, suffers a breach, there should be a plan in place to respond to the breach immediately. To assist you, Forint has created an easy-to-implement plan, built upon industry standards, that outlines the most effective ways to respond to and recover from a cyber security incident.

Each phase has its own areas of need which should be considered; the 6 phases of incident response are as follows:

  • Preparation

  • Identification

  • Containment

  • Eradication

  • Recovery

  • Lessons Learned

Let’s take a closer look at each step, and point out the things you need to tackle.

1. Preparation

This phase is the workhorse of your incident response preparation and, in the end, the most important step in protecting your company. Part of this process covers:

  • Create incident response simulation scenarios and regularly conduct simulated data breaches to test the response plan.

  • Make sure all elements of the incident response plan are approved and funded beforehand.

  • Your response plan should be well defined, outlining the roles and responsibilities of each team member in detail. The plan then has to be exercised to ensure staff act as they have been trained.

The better prepared your staff are, the less likely they are to make critical errors.

2. Identification

Identification is the phase where you determine whether you have in fact been breached, by looking for anomalies from normal operations and activity. A breach, or incident, may have occurred in several different places.

Normally a company discovers that it has been breached in one of four ways:

  • The breach is detected internally, for example through intrusion detection entries in device logs, alerting processes, network anomalies or malware warnings from anti-virus scans.

  • Your bank informs you of a potential breach based on company credit card fraud reports.

  • Law enforcement discovers the breach when investigating the sale of stolen card data.

  • A customer tells you that your company was the last place they used their card before fraudulent transactions started appearing.

3. Containment

When a breach is first detected, your initial impulse may be to securely delete everything so that you can get rid of it. This would actually harm you in the long run, though, because you would lose important information that you need to assess where the attack occurred and to formulate a strategy to prevent it happening again.

Contain the breach instead, so it won’t spread and cause more damage to your company. Disconnect affected devices from the Internet if you can. Have short-term and long-term containment strategies ready. It’s also essential to have a robust back-up program to help recover business operations, so that any corrupted data is not lost forever.

It’s also a good time to upgrade and patch your systems, check your remote access protocols, change all credentials for users and administrative access and harden all passwords.

When a company becomes aware of a potential breach it is understandable to want to fix it quickly. However, without taking the appropriate measures and involving the right people, you can unintentionally destroy important forensic data.

Forensic investigators can use this data to assess how and why the incident happened, as well as to formulate a strategy to avoid similar potential attacks.

When you encounter an intrusion, remember to:

  • Don’t panic

  • Don’t make hasty decisions

  • Don’t wipe and/or re-install your systems and virtual environments

4. Eradication

Once the incident is contained, the root cause of the breach needs to be identified and removed, along with any practices, processes or technologies that contributed to it. This means that all malware should be removed safely, devices should be hardened and patched again, and updates should be applied.

Whether you are doing this yourself or hiring a third party, you need to be thorough. If any trace of malware or security weakness remains in your systems, you may still lose valuable data and may increase your liability.

5. Recovery

This is the phase in which affected systems and equipment are repaired and returned to the business environment. It’s crucial to get your systems and business operations up and running again during this time, without the fear of another breach.

After finding and eradicating the cause of the breach, you need to ensure that all systems are repaired, patched, updated, and checked before you consider re-introducing the previously compromised systems back into your production environment.

6. Lessons Learned

Hold an after-action session with all members of the incident response team once the investigation is complete, and review what you have learned from the data breach. This is where you examine everything relevant to the breach and document it. Determine what went well in your response plan and where the gaps were, then update the plan accordingly. Learning from both mock and actual incidents will help strengthen your defences against future attacks.

Nobody really wants to go through a data breach but preparing for one is important. Prepare for it, know what to do when it happens, and absorb all you can later on.


Forint has a suite of solutions designed to assist organisations with each of the stages described above, which can be seen by accessing our site at, or by contacting us directly at +44(0)7826527691.

For more information on our services, please download our service description sheet in the link below for details of our Incident Response Support Services, which provide support to your organisation from planning, through to training and operational support:

Forint Cyber Incident Response Services