Incident Response Plan Phases

As per Statista, the global average cost of a data breach in 2020 was $3.86 million, highlighting the immediate need for an incident response plan in organizations worldwide.

A cyber incident response plan is mainly responsible for outlining the procedure to be followed after a security breach or other cyber incident has occurred. Without an incident response plan (IRP), the process of managing the damage of a security breach becomes cumbersome and confusing. This leads to an unnecessary waste of time and money. With the presence of rapidly spreading malware, as we witnessed in the case of WannaCry, the infection can easily cross international borders in no time.

Drafting a response plan after the occurrence of a security breach might appear to be a time-consuming approach. However, an efficient IRP will lead you through the whole incident and will help you bring in the right people with the appropriate actions to restore the affected entity as quickly as possible. An incident response plan is crafted as per each company’s specific requirements, keeping its circumstances in mind. In short, one company’s cyber incident response plan differs from another’s.

What’s an Incident Response Plan in Actual Terms?

An incident response plan can be defined as a set of instructions to offer a structured approach to detect, resolve, and restore the damage that occurred after a cybersecurity breach (usually referred to as a security incident). An IR plan identifies and specifies the roles and responsibilities of the IR team at the time of the cyberattack.

An IR team is more commonly known as the Computer Security Incident Response Team (CSIRT). The team ensures that the breach can be counteracted as per the plan in the least possible time and with more efficiency to keep the damage and cost of recovery minimal.

These types of plans are highly useful in dealing with everyday threats, which include cybercrime, data loss, and denial of service.

Elements of Incident Response Management

Detailed Plan

For optimal management of incident response, it is crucial to have a detailed plan. This plan must prepare the team to deal with threats, identify the severity, isolate incidents and eradicate underlying issues. Moreover, the plan must also include how to recover production systems and how to conduct a detailed analysis to prevent future threats.

Recruit the Right People

Optimal management of incident response also involves recruiting the right people for different jobs. Some of the roles you would need to recruit include incident response manager, threat researcher, security analyst, corporate communications, legal representatives, and external security forensic experts. You might also want to consider recruiting for risk management and human resources.

Tools

A big part of the incident response plan is the inclusion of incident response tools to investigate and mitigate threats. Using such tools can help analyze attacks, receive alerts, and identify security breach events that might have been missed because of insufficient resources. Having said that, these tools work alongside current security measures, allowing your incident response team to investigate threats such as password attacks, phishing, data leakage, malware infections, and abuse of privileges, among others.

Reasons to Have an Incident Response Plan

The following are some of the most important reasons why your organization requires an incident response plan:

Data Protection

Data protection is the topmost priority of any business. If your organization has a comprehensive incident response plan, then the incident response team can protect the data proactively. Moreover, if the data falls into the wrong hands, it can be used for ransomware or to launch a series of targeted attacks, thus making it necessary to have a detailed and functional incident response plan.

Protect Trust and Reputation

If an organization fails to handle a security breach then it risks losing all or most of its customers. According to IDC, 80% of customers would take their business elsewhere if a data breach happens. Therefore, not only are you losing customer trust and your reputation, but you also risk losing the business, making it imperative to have a comprehensive incident response plan.

Protect Revenue

Having a comprehensive cyber incident response plan protects your company from a potential loss of revenue. On average, a data breach can cost organizations a whopping $3.86 million. It means that a lot of revenue is at stake if a data breach happens at your organization. Even if you are a small to mid-sized organization, a data breach can still result in irreparable revenue damages.
You may also have to spend heavily on other costs such as forensic investigation, legal fees, remediation, and regulatory and compliance fines in the event of a security breach. Therefore, the more quickly your organization can detect the breach, the smaller the revenue loss will be. Thus, your organization needs a detailed and comprehensive cyber incident response plan.

Phases to Build a Robust Incident Response Plan

Even though each business follows a different incident response plan, all IRPs possess the same fundamental components as they go through the same six-phase process. Each of these phases deals with a few specific areas of requirement, which must be fulfilled to create an effective incident response plan for your organization.

Phase I – Preparation

Comprehensive preparation is the key to the very first response of the IR team toward any cyberattack. This phase is all about setting up appropriate procedures with the right tools before the occurrence of an incident. The major steps of this phase are as follows:

  • Identification of the most important assets and protecting them with all your efforts, and
  • Analysis of data collected from earlier incidents

To handle incidents, it would be convenient for you to keep a few major tools and resources in your arsenal. You must have a wide range of weaponry available. For instance, your organization should have multiple distinct communication and coordination mechanisms available if one of your mechanisms fails.

Major Tools, Software, and Resources Needed to Stay Prepared for an Incident


After this, start with the creation of security policies for required domains. These domains can range from general information security, network security, server security, application security, to several others. Once all your policy standards are defined, build a strategy to handle incidents. While strategizing, prioritize incidents, define roles and responsibilities, remediate incidents, and specify tools to be used for managing different incident responses, documentation of incidents, and both internal and external communications.

The last step of this phase will be to fine-tune your IR team with simulation exercises. Regular but different simulation exercises help the team to stay aware of the vastness of their roles and responsibilities.

Note: Maintain active audit logs for all server and network components to keep your pre-deployed incident handling assets in check.

A secondary aspect of this phase is the prevention of incidents by ensuring the security of your systems, networks, and applications. A cyber incident response plan should have the capability to keep the number of incidents significantly low. This is what makes an IRP successful. Though these responsibilities don’t fall under an incident response team, this step will definitely fill in the required security gaps. The most recommended practices for preventing incidents include network security, host security, malware prevention, and risk assessment. Even training and making users aware of the policies and procedures for the appropriate use of networks and systems fall under incident prevention.

Phase II – Identification

The second phase starts with the identification of the actual incident. You can start by answering: Is this an unusual behavior? Once you figure out the type of the incident, take a look at the affected areas of the network or the system. You will be looking for suspicious activities, unexpected new files, unusual login attempts, unanticipated user logins or user accounts, and so on. Thoroughly assess the situation as it simplifies the later stages. You can assess the situation by keeping a few basic questions in mind:



Elaborated documentation of your assessment not only helps in resolving the current situation but can also be kept for future references. After the assessment of the situation, it’s time to assess the type of incident you are facing. Usually, an incident falls under six classifications:

  1. Unauthorized access
  2. Denial of services
  3. Malicious code
  4. Improper usage
  5. Scans/probes/attempted access
  6. Investigation incident

Incident identification makes the whole process easier. For many organizations, this turns out to be challenging for three major reasons:

  • Detection of incidents through different means with different levels of detail. This could fall under automated or manual detection. Automated detection relies on capabilities like network- and host-based IDPS, antivirus software, and log analyzers. But in the case of manual detection (mainly problems reported by users), an incident may or may not be detected.
  • A high volume of potential signs of incidents. For example, a large-scale organization receives thousands or even millions of intrusion detection sensor alerts on an everyday basis.
  • Need for specialized technical knowledge and extensive experience for the accurate and efficient analysis of incident-related data.

The signs of an incident can either belong to precursors or indicators. Precursor signs indicate that the incident has the possibility to occur in the future, while an indicator shows that an incident may have occurred or may be occurring now.

A few of the common sources of precursors and indicators are IDPS, antivirus, antispam software, file integrity checking software, third-party monitoring devices, operating system and service/application logs, network device logs, information on new vulnerabilities and exploits, and people from within and outside the organization.

Phase III – Containment

Having gathered all the necessary information about the incident, the IR team should now be concentrating on the containment of the threat for preventing any further damage. The first step of this phase should be to isolate the infected machine from the network and to back up all the sensitive data of the infected system.

After this, you can go for a temporary fix to ensure that the incident won’t escalate its damage anymore. The primary goal of this phase is to minimize the scope and magnitude of the incident. Make sure you gauge the functional status of your infected system or network. To determine this, you can opt for any of the listed options:

Option 1: Disconnect the infected entity and let it continue with its standalone operations.

Option 2: Shut down the whole system immediately.

Option 3: Let the system operate as usual and keep monitoring its activities.

All these are feasible solutions that you can opt for to contain the issue at hand.

After establishing an effective containment strategy, it’s time to pay attention to evidence gathering and handling, which doesn’t come into the picture very often. For instance, in many organizations, most malware incidents don’t qualify for evidence gathering and handling. The benefits of evidence gathering are not limited to resolving an incident; it also helps in case of legal proceedings. Maintain an elaborate document containing the procedures for preservation of all the pieces of evidence, including infected systems. Every transfer of evidence from one party to another should be accounted for so that it can be reconstructed later. The detailed log for evidence should contain:

  • Evidence identifying information: Serial number, model number, hostname, MAC and IP addresses, and location
  • Evidence holder’s information: Name, title, and phone number
  • Location, time, and date with time zone: For each occurrence of evidence handling
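The evidence log described above can be kept as a chain-of-custody record that refuses entries it could not reconcile later. The following is an added example, not part of the original article; every name, serial number, address, hash and timestamp in it is constructed, and the SHA-256 of the forensic image is an assumed extra field used to show the image was not altered while in custody.

```python
# Chain-of-custody log for one piece of incident evidence. Constructed
# example: every name, serial number, address and timestamp is made up.
from collections import namedtuple
from datetime import datetime, timezone
import hashlib

# Evidence identifying information and evidence holder's information.
EvidenceItem = namedtuple("EvidenceItem", "serial model hostname mac ip location")
Holder = namedtuple("Holder", "name title phone")
# One occurrence of evidence handling; timestamp must carry a time zone.
CustodyEvent = namedtuple("CustodyEvent", "action holder location timestamp")


class ChainOfCustody:
    def __init__(self, item, image_sha256):
        self.item = item
        self.image_sha256 = image_sha256  # hash of the forensic image at seizure
        self.events = []

    def record(self, event):
        # Reject entries that cannot be reconciled later: a time without a
        # zone, or a hand-over logged before the previous one.
        if event.timestamp.tzinfo is None:
            raise ValueError("timestamp must carry a time zone")
        if self.events and event.timestamp < self.events[-1].timestamp:
            raise ValueError("custody events must be chronological")
        self.events.append(event)

    def current_holder(self):
        return self.events[-1].holder.name

    def image_unchanged(self, image_bytes):
        # Re-hash the image to show it was not altered while in custody.
        return hashlib.sha256(image_bytes).hexdigest() == self.image_sha256


def build_sample_chain():
    # Seize a workstation, then hand it to an external forensic examiner.
    image = b"constructed disk image bytes"
    chain = ChainOfCustody(
        EvidenceItem("SN-0001", "Model-X", "ws-42", "00:11:22:33:44:55",
                     "10.0.0.42", "Finance, 3rd floor"),
        hashlib.sha256(image).hexdigest())
    analyst = Holder("A. Analyst", "Security Analyst", "+1-555-0100")
    examiner = Holder("F. Examiner", "External Forensic Expert", "+1-555-0199")
    chain.record(CustodyEvent("seized", analyst, "Finance, 3rd floor",
                              datetime(2021, 3, 1, 9, 15, tzinfo=timezone.utc)))
    chain.record(CustodyEvent("transferred", examiner, "Forensics lab",
                              datetime(2021, 3, 1, 14, 0, tzinfo=timezone.utc)))
    return chain
```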

Phase IV – Eradication

In this fourth phase, the IR team should be working towards a permanent solution with the inclusion of a process responsible for restoring all the affected entities.

Eradication is a simple process of eliminating the threat from your infected network or system. This phase should only start when all the other internal and external actions are completed. The two important aspects of this phase are as follows:

Clean-up: The process of clean-up should include running powerful antimalware and antivirus software, uninstalling the infected software, rebooting or replacing the entire operating system and hardware (based on the scope of the incident), and rebuilding the network.

Notification: Notify all the personnel involved, according to the reporting chain.

It is advisable to create multiple common incident “playbooks” that can help the IR team to take a consistent approach to the incident.

Phase V – Recovery

At this stage, the compromised system or network will be brought back to life. From the data recovery to any remaining restoration process, this phase covers it all. It takes place in two steps:

Service restoration: As per the corporate contingency plans.
System/network validation: Testing and verifying the system/network in a functional state.

This phase makes sure that the infected entity is recertified as both secure and functional.

Phase VI – Lessons Learned

After the completion of the investigation, maintain detailed documentation of the complete incident. This last stage will keep your organization prepared for any future attacks and help you to gain value from incidents. It would be best for the IR team to arrange a review meeting after the successful handling of an incident. In this “lessons learned” meeting, pay close attention to the identification of necessary improvements for the existing security controls and practices. The practice of such periodical meetings can actually limit incidents. Ensure that this review meeting helps you in identifying existing security weaknesses and deficiencies in policies and procedures. As per the conclusions of this meeting, you can change your current IR plan. With this step, your IR team will evolve to reflect new threats and improved technology. This detailed document can also be used to train new members of the team. And, as the last step of this phase, create a follow-up report after each incident for future use.

Another advisable practice for the IR team would be to create an awareness message for the top management as well as for all staff on what happened (in case of an incident) and what lessons were learned by the IR team. The message can include the end-user if that incident impacts the end-user too.

Other Crucial Elements to Keep in Mind


Consistent Testing

An effective incident response plan should be put to the test before you actually activate it. Proactive work on your IR plan will help you find loopholes in it, and you can always improve it as per your findings.

For this, you can regularly arrange for real-time simulation exercises.


Flexibility with Minute Details

Keep your cyber incident response plan flexible so that the same plan can be applied to different types of cyberattacks. Its detailed nature will help you in organizing and recovering the whole process systematically in the least time possible.

Do You Want a Detailed Understanding of an Incident Response Plan?

EC-Council’s Certified Incident Handler (ECIH) program has been designed in collaboration with the most intelligent minds of the cybersecurity industry, especially incident handling and response experts around the globe. It was developed after a rigorous industry-wide job task analysis (JTA). The comprehensive JTA makes the ECIH program capable of handling all possible combinations of tasks, knowledge, skill, and ability, which makes you the best fit for scoring better opportunities.

The program covers all the phases of incident response in detail, including the financial and reputational impact on the organization. It provides you with hands-on lab experience with 50 labs and 800 tools on 4 major platforms, exposing you to the widest range of security incidents.

Considering the cutthroat competition in the market today, ECIH has been mapped to the NICE and CREST frameworks, which keeps the credential in line with your professional credibility.

Editor’s Note: Reviewed by Don Cox, Chief Information Security Officer at MEDNAX, and Abbas Kudrati, Chief Cyber Security Officer at Microsoft