4 min read

Four Steps of an Incident Response Plan

Four Steps of an Incident Response Plan

Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland)


Incidents are cyber events that can include a cyberattack, breach, or compromise that disables your systems and networks.


Know the Difference: Security Event vs. Security Incident


A security event, according to the National Institute of Standards and Technology (NIST) is “any observable occurrence in a system or network.” Security events don’t always result in breaches but could still threaten the integrity of an organization’s IT infrastructure.  


A security incident is a violation of security policies or standard security practices, which results in negative consequences. Incidents can include someone clicking on a phishing link, or a cyber attack that disables your systems and networks.


Why does this matter? An employee receiving an email registers as an event (the email has cleared spam filters and firewalls). If it’s a phishing attack, it doesn’t become an incident until someone clicks! It’s your responsibility to ensure events don’t become more serious.



Incident Response Defined


Incident Response (IR) is the managed approach an organization uses to prepare, detect, contain, and recover from a cyberattack. A cyberattack or data breach can be so damaging, potentially affecting customers, intellectual property, personally identifiable information (PPI), revenue, and ultimately reputation.


Having an incident response plan in place aims to reduce this damage and recover as quickly as possible. Additionally, organizations may discover that their insurance company will not accept their claim if they did not take certain predetermined steps. Immediately contact your insurance company and get direction from them at the very beginning of any IT remediation.



What are the Four Steps of an Incident Response Plan?


Incident response practices are about preparation—not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.


According to the National Institute of Standards and Technology (NIST), there are four key phases of Incident Response:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-incident Activity


Incident Response

Image Courtesy of: NIST


     1. Preparation

To prepare for incidents, compile a list of IT assets such as networks, servers, applications, and endpoints (such as C-level laptops). Then rank them by the level of importance, identifying which ones are critical or hold sensitive data.


Set up monitoring so you have a baseline of normal activity to be used for comparisons later. Determine which types of security events should be investigated and create detailed response steps for common types of incidents. The key to this process is effective training to respond to a breach and documentation to record actions taken for later review.


     2. Detection and Analysis

The next phase is to determine if a security incident occurred, its severity, and its type. This is where you go into research mode. Gather everything you can on the incident and analyze it. Determine the entry point and the extent of the breach.


Detection and analysis involve collecting data from IT systems and security tools and identifying precursors and indicators, and then determining if these are part of an attack or if it is a false positive. Precursors and indicators are specific signals that an incident is either about to occur or has already occurred or is happening now. If the indicators prove valid, begin documenting all facts in relation to the incident and all actions taken throughout the process.


     3. Containment, Eradication, and Recovery

The goal of the containment phase is to stop the attack before it can cause further damage. This can be accomplished by taking specific sub-networks offline and relying on system backups to maintain operations. Determine what critical services to keep available to customers and employees.


After the incident has been successfully contained, you should act to remove all elements of the incident from the environment. This might include identifying all affected hosts, removing malware, and closing or resetting passwords for breached user accounts.


Finally, once the threat is eradicated, restore systems and recover normal operations as quickly as possible, taking steps to ensure the same assets are not attacked again.


At all times, these processes should be documented, and evidence should be collected. There are two reasons for this: one, to learn from the attack and increase the security team’s expertise, and two, to prepare for potential litigation and a cybersecurity insurance claim.


     4. Post-incident Activity

This step provides the opportunity to learn from your experience so you can improve the process and better respond to future security events. Involved team members and partners should meet to discuss specific decisions the team made during the incident, and learn from your experience so you can better respond to future security events. Protecting your organization requires a determined effort to constantly learn and harden your network against malicious actors.


Tempting as it may be to skip, with your never-ending to-do list, this step is strongly recommended.


Incidence Response Plan


In short, an incident response plan empowers your organization to develop policies that prioritize the security of your employees, clients, customers, and business associates.



Pair your Incident Response Plan with Managed Detection and Response (MDR)


Managed Detection and Response (MDR) purpose is to help companies and organizations improve the way they detect cyber threats, respond to incidents, and continuously monitor their systems and assets in real-time. 


MDR is a unique combination of technology and human skills that provide a greater focus on detecting and responding to breaches. The software is important but the most vital part of MDR service is the team of analysts that watch your network 24/7.


Managed Detection and Response (MDR) should include:

  1. Live breach detection: looking at all indicators of any compromise coming in.
  2. Active threat hunting and alert triage to try and make sense of what’s going on.
  3. Means to take some sort of active defense response and stop the malicious event.
  4. Use preventative technologies to automatically stop the compromise and neutralize the threat.

In today’s world, it’s critical to reduce the time of detection to hours if not minutes vs days, weeks, and months.


MDR Free Trial


Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:

  • Tri-Cities, Washington 509.396.6640
  • Yakima, Washington 509.396.6640
  • Bend, Oregon 541.848.6072

Questions about your IT or Cybersecurity? Give us a call today!


Teknologize Successfully Completes Another SOC 2 Audit

Teknologize Successfully Completes Another SOC 2 Audit

At Teknologize, we continually invest in security best practices to ensure that our client’s data stays safe and secure. As a part of an ongoing...

Read More
IT Profitability Roadmap and Checklist for Maximizing Efficiency and Cost Savings

IT Profitability Roadmap and Checklist for Maximizing Efficiency and Cost Savings

If you’re hoping to cut costs and boost profitability without compromising productivity or efficiency, assessing the technology you use in day-to-day...

Read More
Top Tax Scams To Watch Out For In 2024

Top Tax Scams To Watch Out For In 2024

Tax season is around the corner, which means so are tax scams. Without fail, every year, individuals and business owners alike fall victim to tax...

Read More