What are the 6 Phases in a Cyber Incident Response Plan?
Date: 17 March 2025

A Cyber Incident Response Plan is a straightforward document that tells IT and cybersecurity professionals what to do in case of a security incident such as a data breach or a leak of sensitive information. A cyber incident response plan has six phases, namely Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.
Any organisation that is serious about its cybersecurity must prioritise the development and maintenance of a robust cyber incident response plan. This plan serves as a critical framework for effectively managing and mitigating the impact of cyber threats and attacks.
A cyber incident response plan should be created under the assumption that your business will be attacked by cyber criminals sooner or later.
The plan should be short, crisp and precise. This way the stakeholders can make decisions and take the steps specified quickly. It should be free of complicated jargon. Lastly, it should be focussed on your business’s specific IT infrastructure, critical assets and its specific threat context.
It is essential that the cyber incident response plan is not only comprehensive but also dynamic. This means that it should be regularly tested with cyber tabletop exercises and updated based on the results of the exercise. It should also be regularly refined to match the current cyber threat landscape.
By continuously evolving and adapting the cyber incident response plan, you can enhance your organisational resilience against cyber threats and safeguard critical assets and information.
But how do you go about creating this plan, and what are the six phases of an incident response plan that experts always seem to be talking about? In this blog, we will answer these important questions to help you create an effective response strategy against cyber attacks and security risks.
As we delve into the six crucial phases of an incident response plan, it is essential to understand the framework that guides these steps. These phases are meticulously outlined in the Computer Security Incident Handling Guide, a comprehensive document developed by the National Institute of Standards and Technology (NIST) in the USA.
This guide serves as a foundational resource for establishing a robust incident response strategy. By adhering to the principles and methodologies set forth by NIST, you can effectively prepare for, respond to, and recover from cyber incidents. Let’s explore each phase in detail to understand how they collectively contribute to a resilient cybersecurity posture.
1. Prepare: This incident response phase is fundamentally focused on preparing your organisation to effectively handle a cybersecurity event. During this phase, it is crucial to establish a comprehensive framework that aligns the organisation's policies on personal information and sensitive data protection with its overarching network security goals. This involves a thorough assessment and integration of these policies with the existing technology infrastructure of your business.
The preparation phase also includes the development of clear protocols and guidelines that dictate how to manage and protect sensitive data, ensuring that all employees are aware of their roles and responsibilities in maintaining cybersecurity. Additionally, this phase may involve conducting regular cyber incident response training sessions and cyber attack simulation exercises to ensure that everyone is well-prepared to act swiftly and effectively in the event of a cyber incident.
2. Identify: This phase in incident response planning, as the name suggests, is about identifying if you’ve been breached or if any of your systems have been compromised. In case a breach is indeed discovered, as per this phase of the NIST Cybersecurity Framework, you should focus on answering questions such as:
- Who discovered the breach?
- What is the extent of the breach?
- Is it affecting operations?
- What could be the source of the compromise? (and so on)
In the Identify phase, you must assess your assets, risks, and security controls to establish a baseline for normal activity. This phase involves continuous monitoring, threat intelligence, and risk assessment to proactively detect anomalies. Effective identification helps minimise response time and mitigate potential damage from cyber threats. It is also important to document everything in this phase.
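The baseline-and-anomaly idea in the Identify phase, and the four questions listed above, can be made concrete with a small script. The following is an added example, not code from the article or from NIST; the log line format, the threshold rule (the busiest source-hour seen during normal operation, times a safety factor, with a floor), and every sample line are constructed assumptions for illustration. It baselines failed logins per source address and hour, flags buckets that exceed the baseline, and writes the Identify-phase answers (who discovered it, how far it extends, suspected source) into a structured record that can be carried into the Lessons Learned phase. Whether operations are affected is a human judgement, so the responder supplies it rather than the script guessing.

```python
"""Identify-phase helper (added example): baseline normal authentication activity,
flag deviations, and record the answers the Identify phase asks for. The log format,
threshold rule and all sample lines are constructed assumptions, not from the article."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, asdict

# Assumed line format: "<ISO timestamp> host=<h> user=<u> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed baseline: a quiet day with the occasional mistyped password.
BASELINE_LOGS = [
    "2025-03-16T09:00:01 host=web01 user=alice src=10.0.0.5 result=fail",
    "2025-03-16T09:00:09 host=web01 user=alice src=10.0.0.5 result=ok",
    "2025-03-16T10:12:40 host=web02 user=bob src=10.0.0.7 result=fail",
    "2025-03-16T10:12:55 host=web02 user=bob src=10.0.0.7 result=ok",
]

# Constructed observation window: one external address tries six accounts on web01,
# then logs in successfully as bob on web02. One malformed line is included on purpose.
OBSERVED_LOGS = [
    "2025-03-17T09:01:00 host=web01 user=alice src=203.0.113.9 result=fail",
    "2025-03-17T09:01:05 host=web01 user=bob src=203.0.113.9 result=fail",
    "2025-03-17T09:01:10 host=web01 user=carol src=203.0.113.9 result=fail",
    "2025-03-17T09:01:15 host=web01 user=dave src=203.0.113.9 result=fail",
    "2025-03-17T09:01:20 host=web01 user=eve src=203.0.113.9 result=fail",
    "2025-03-17T09:01:25 host=web01 user=frank src=203.0.113.9 result=fail",
    "2025-03-17T09:07:30 host=web02 user=bob src=203.0.113.9 result=ok",
    "2025-03-17T09:15:00 host=web01 user=alice src=10.0.0.5 result=ok",
    "2025-03-17T09:16:00 host=web01 kernel: unrelated line",
]

def parse_auth_log(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped
    rather than allowed to abort the run (log them separately in practice)."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def failures_per_source_hour(events):
    """Count failed logins per (source address, hour) bucket."""
    return Counter((e["src"], e["ts"][:13]) for e in events if e["result"] == "fail")

def identify_threshold(baseline_events, floor=5, factor=3):
    """Alert threshold derived from the baseline: busiest normal source-hour times a
    safety factor, never below `floor` so a very quiet baseline is not a hair-trigger."""
    peak = max(failures_per_source_hour(baseline_events).values(), default=0)
    return max(floor, factor * peak)

def find_anomalies(events, threshold):
    """Return the (src, hour) buckets whose failure count exceeds the threshold."""
    return {k: n for k, n in failures_per_source_hour(events).items() if n > threshold}

@dataclass
class IncidentRecord:
    """The Identify-phase questions captured as structured fields."""
    discovered_by: str
    suspected_sources: list[str]
    affected_hosts: list[str]
    accounts_with_success_from_suspect: list[str]
    operations_affected: bool
    evidence: list[str]

def build_incident_record(events, anomalies, discovered_by, operations_affected):
    """Answer 'who found it', 'how far does it extend' and 'where did it come from'
    from the flagged buckets; operational impact is supplied by the responder."""
    suspects = sorted({src for src, _ in anomalies})
    touched = [e for e in events if e["src"] in suspects]
    record = IncidentRecord(
        discovered_by=discovered_by,
        suspected_sources=suspects,
        affected_hosts=sorted({e["host"] for e in touched}),
        accounts_with_success_from_suspect=sorted(
            {e["user"] for e in touched if e["result"] == "ok"}),
        operations_affected=operations_affected,
        evidence=[f"{src} {hour}: {n} failed logins"
                  for (src, hour), n in sorted(anomalies.items())],
    )
    return asdict(record)

if __name__ == "__main__":
    threshold = identify_threshold(list(parse_auth_log(BASELINE_LOGS)))
    observed = list(parse_auth_log(OBSERVED_LOGS))
    found = find_anomalies(observed, threshold)
    print(build_incident_record(observed, found, "SOC analyst on shift", False))
```

Run as-is, the baseline yields a threshold of 5 failures per source-hour, the external address is flagged with 6, and the record shows both hosts it touched and the one account it authenticated as successfully, which is exactly the "extent of the breach" answer the Identify phase wants documented before containment begins.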
3. Contain: The 'Contain' phase of incident response involves everything you can do to mitigate damage once you’re already under a cyber attack. It is focussed on limiting the impact of a security breach.
In this phase of the incident response plan, you need to consider what can be done to contain the effects of the breach. Which systems can be taken offline? Can and should anything be deleted safely? What is the short-term strategy? What is the long-term strategy to deal with the effects of the attack? All of these questions need to be answered in phase 3 of the cyber incident response plan.
The contain phase involves isolating affected systems, blocking malicious activity, and preventing further spread of the threat. Temporary and long-term containment strategies are implemented to stabilise operations while preparing for full recovery. Effective containment minimises damage and helps maintain business continuity.
This phase should also cover critical steps such as reviewing backups, privileged access credentials and checking if all relevant security updates have been applied.
4. Eradicate: The Eradicate phase of the cyber incident response plan is a critical stage that focuses on thoroughly understanding the root cause of the breach and addressing it promptly and effectively in real time.
The incident response process during this phase includes a series of meticulous actions such as:
- Patching vulnerabilities in the system to prevent further exploitation
- Removing any malicious software that may have been installed
- Updating old software versions to ensure they are fortified against known threats.
Moreover, this phase requires a detailed examination of the entire IT infrastructure to identify any other potential vulnerabilities that could be exploited in the future. It involves collaborating with cybersecurity experts to implement advanced security measures and protocols that can enhance the overall security posture of the organisation.
Essentially, this phase is about doing whatever is necessary to ensure that all traces of malicious content are completely eradicated from your systems. It is crucial to perform these actions with precision and care to avoid losing any valuable data in the process, as data integrity is paramount.
5. Recover: As the name suggests, this phase of the incident response plan is concerned with getting the affected systems back online after an attack or an incident. Of course, this will depend on whether the gaps in the systems have been patched up and how your business will ensure that these systems are not breached again.
This phase of the cyber incident response plan is critical because it tests, monitors and verifies the affected systems. Without proper recovery, it would be very difficult to avoid another similar incident in the future. That, as we know, can prove to be disastrous for business operations and for the organisation’s public image.
In order to ensure that recovery from a cyber incident takes place in a structured way, it is worth taking the time to create flowcharts online that go over each of the steps you intend to take. You can use this same strategy to outline each of the other phases as well.
6. Lessons Learned: We might go out on a limb and say that this is one of the most important phases in the incident response plan. Yes, everyone can and will get breached. However, it is how we deal with the breach and what we learn from it that makes all the difference.
In this phase, it is vital to gather all members of the Incident Response team together and discuss what happened. It’s like a retrospective on the attack. This phase has to be carried out no later than 2 weeks after the incident. In this phase, you will go back to the documentation created in phase 2. You can evaluate what happened, why it happened and what was done to contain the situation.
But most importantly, in this phase, the business must discuss if something could have been done differently. Were there any gaps in the incident response plan? Was there a department or stakeholder who could have responded faster or differently?
This phase is all about learning from the attack in order to ensure that it doesn't happen again and if it does, the situation is handled even better.