Cyber Security Blog

What are the 6 Phases in a Cyber Incident Response Plan?

Written by Aditi Uberoi | 6 May 2021

A Cyber Incident Response Plan is a straightforward document that tells IT & cybersecurity professionals what to do in case of a security incident like a data breach or a leak of sensitive information. cyber incident response plan has 6 phases, namely, Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned. 

Any organisation that is serious about its cybersecurity requires a solid cyber incident response plan. This plan should also be regularly updated based on research, experience and incident response training.  

But how do you go about creating this plan and what are the six phases of an incident response plan that experts seem to be talking of? In this blog, we seek to answer these important questions to help you create an effective response strategy against cyber attacks and security risks. 

A cyber incident response plan should be created under the assumption that your business will be attacked by cyber criminals sooner or later. 

The plan should be short, crisp and precise. This way the stakeholders can make decisions and take the steps specified quickly. It should be free of complicated jargon. Lastly, it should be focussed on your business’s specific computer systems and networks. 

You can take a look at our blog on the essential components of a cyber incident response plan for more details. You can also download our FREE Cyber Incident Response Plan Template to create your own incident response plan. 

 

Moving on to the six incident response phases, here is a quick look at them. We’ve used the Computer Security Incident Handling Guide created by NIST (National Institute of Standards and Technology, USA) as the basis for these phases in Incident Response Planning: 

1. Prepare: This incident response phase is all about getting ready for dealing with a cyber security event. In this phase, you have to align the organisational policies on personal information and sensitive data protection and network security goals with the technology infrastructure of the organisation.

In this phase of incident response planning, you have to ensure that all employees have a certain degree of awareness about cybersecurity and a basic level of incident response training in dealing with a cyber crisis. Everyone also has to be aware of their roles and responsibilities in case of a cyber event. 

Identifying critical assets and crown jewels and conducting incident response testing also form an integral part of this incident response phase. You can get an external auditor to conduct a detailed assessment of your organisational breach readiness maturity or even a quick one-day check of your overall compliance and incident response capabilities.      

2. Identify: This phase in incident response planning, as the name suggests, is about identifying if you’ve been breached or if any of your systems have been compromised. In case a breach is indeed discovered, as per this phase of the NIST Cybersecurity Framework, you should focus on answering questions such as:

- Who discovered the breach?
- What is the extent of the breach?
- Is it affecting operations? 
- What could be the source of the compromise etc. 

It is also important to document everything in this phase.  

3. Contain: This incident response phase involves everything you can do to mitigate damage once you’re already under a cyber-attack.

In this phase of the incident response plan, you need to consider what can be done to contain the effects of the breach. Which systems can be taken offline? Can and should anything be deleted safely? What is the short term strategy? What is the long term strategy to deal with the effects of the attack? All of these questions need to be answered in phase 3 of the cyber incident response plan. 

This phase should also cover critical steps such as reviewing backups, privileged access credentials and checking if all relevant security updates have been applied. 

4. Eradicate: Phase 4 of the cyber incident response plan is all about understanding what caused the breach in the first place and dealing with it in real time. The incident response process in this phase will involve patching vulnerabilities in the system, removing malicious software, updating old software versions etc. 

Basically this phase involves doing whatever is required to ensure that all malicious content is wiped clean from your systems. Make sure, though, that this is done without losing precious data in the bargain. 

In this day and age, anybody can be attacked. But if you continue to let any traces of malicious software or security problems fester in your system, the damage to your public reputation can be immense. Your legal liability could amplify as well. 

5. Recover: As the name suggests, this phase of the incident response plan is concerned with getting the affected systems back online after an attack or an incident. Of course, this will depend on whether the gaps in the systems have been patched up and how your business will ensure that these systems are not breached again. 

This phase of the cyber incident response plan is critical because it tests, monitors and verifies the affected systems. Without proper recovery, it would be very difficult to avoid another similar incident in the future. That, as we know, can prove to be disastrous for business operations and for the organisation’s public image.  In order to ensure that recovery from a cyber incident takes place in a structured way, it is worth taking the time to create flowcharts online that go over each of the steps you intend to take. You can use this same strategy to outline each of the other phases as well.

6. Lessons Learned: We might go out on a limb and say that this is one of the most important phases in the incident response plan. Yes, everyone can and will get breached. However, it is how we deal with the breach and what we learn from it that makes all the difference. 

In the phase, it is vital to gather all members of the Incident Response team together and discuss what happened. It’s like a retrospective on the attack. This phase has to be carried out no later than 2 weeks after the incident. In this phase, you will go back to the documentation created in phase 2. You can evaluate what happened, why it happened and what was done to contain the situation. 

But most importantly, in this phase, the business must discuss if something could have been done differently. Were there any gaps in the incident response plan? Was there a department or stakeholder who could have responded faster or differently? 

This phase is all about learning from the attack in order to ensure that it doesn't happen again and if it does, the situation is handled even better.    

To know more about how you can prepare your employees better for a cyber-attack, check out our NCSC-Certified Cyber Incident Planning & Response Course.  

If you would like to test your cyber incident response plans for effectiveness, check out our scenario-based cyber tabletop exercises.