The 7 Steps of Incident Response 

by Bob Welch / July 28th, 2023

In today’s ever-evolving threat landscape, you must have a plan in place for how your organization will face threats and respond to them when an attack occurs. Unfortunately, incidents are a matter of when, not if, so having a response plan is the best way to ensure your organization survives after an incident occurs.

When an incident occurs, it may feel like you have a million steps to take before your business can run smoothly again, but in reality, your incident response plan can be boiled down to seven manageable steps.  

Incident response can be overwhelming no matter the size of the organization. However, most of the industry guidance is written for organizations with large teams and resources. For larger organizations, incident response plans are intended to minimize incident impact and define team responsibilities.

For smaller organizations, incident response may seem harder to implement, but it’s not impossible. Smaller organizations typically depend on personnel who handle multiple responsibilities across multiple domains, as opposed to large departments handling specific tasks. Because of this structure, incident response plans will need to assign responsibilities to individual roles or personnel rather than to entire departments.

Regardless of size, every organization needs to have an incident response plan of its own ready to implement as needed. Below are common phases to include in your incident response plan:

1. Preparation

Create the incident response plan (IRP) before an incident happens. Even if this seems obvious, having a plan in place allows for a faster, more efficient response. Imagine if an incident took place and you had to make up a plan as you went along. This would slow down your response time and cause more damage to your organization than if you had planned ahead.

2. Identification 

You should be performing risk assessments to help identify threats to your organization and using penetration testing and vulnerability scans to identify weaknesses in your defenses. Once these vulnerabilities are identified, your organization can make proper plans to strengthen those weaknesses or account for the risk they pose.

When an incident does occur, you need to identify what kind of incident it is, where it took place, and how it was able to occur. Next, determine the severity of the incident and the course of action that needs to be taken. These steps should be outlined in the policies and procedures you wrote during the preparation step.

3. Containment  

Have procedures available to isolate and contain affected systems. This ensures the incident doesn’t damage more of your environment than it already has. A great way to accomplish this is to have a playbook for common incidents that includes information like who needs to be notified within the organization.  

Make sure you have the proper tools in place that will help with the containment of an incident. The faster you are able to contain an incident, the better you can prevent more damage from occurring.  

4. Eradication  

After you have contained the threat, use tools and procedures to eliminate it from your systems. Forensic analysis should be completed, and logs should be kept throughout the remediation process. The playbook can also help here by identifying methods to use to remove the threat.

5. Recovery  

This is where you will bring your services back online after you have eradicated the threat. However, make sure you continue ongoing monitoring following the remediation of an incident to be certain that it has been fully resolved and nothing threatening is lingering in your network. Continuous monitoring will also detect any suspicious behavior going forward. 

6. Documentation  

Write up the events that occurred during the incident. This is a great time to create a playbook for similar incidents in the future. Document what your team learned from this situation and how it can be prevented or remedied more quickly next time.

7. Testing 

Test your incident response plan periodically. This will ensure that the plan is up to date, that the roles and responsibilities of the personnel are still relevant, and that your team still knows how to execute the proper response protocols. A great way to test any plan is to conduct a tabletop exercise: gather your incident response team and create a likely incident or scenario that the team can walk through to make sure everyone knows their roles and responsibilities in an incident.

There are many variations of these phases. Depending on your organization, they may be condensed into fewer steps or expanded into more if a phase involves more than one department or team.

No matter what you decide, having a plan is always going to be the better solution for maintaining the security and integrity of your organization. 

Prepare to Face Incidents with Confidence When You Partner with KirkpatrickPrice 

Creating a reliable IRP can feel overwhelming whether you’ve created one before or not. We understand you want to prepare your organization to face today’s threats confidently, and you need an incident response plan you can trust. We want to partner with you to create the defenses that protect your organization’s unique needs, and hopefully we can make security and compliance less intimidating in the process.  

If you have questions about any of the steps of an incident response plan or need help implementing incident response best practices, connect with one of our experts today.  

About the Author

Bob Welch

Bob Welch has over 20 years of experience in the cybersecurity space and is committed to providing a safe, efficient and stress-free computing environment to his clients. He uses his ability and curiosity to implement technology in unique ways to help end users get the most value from their investment. Bob holds CISSP and CISA certifications.