6 Phases of Incident Response

6 Phases of Incident Response

An incident can include almost any unusual event on a network. This means just about anything, from discovering malware to identifying suspicious user activity. So how do you know when it’s time to implement a full incident response plan? The correct answer is that it’s always time to implement your incident response plan.

However, many businesses have no clue what to include in their incident response plan or even have a plan in place. This a common trend that we see because many companies still operate under the assumption that an incident won’t happen to them. Unfortunately, that isn’t the case anymore. Every business should be prepared; that is why we are sharing 6 phases that every incident response plan should include.

Incident Response Phases

An incident response plan is usually broken down into six phases: preparation, identification, containment, eradication, recovery, and lessons learned.

  1. Preparation

Preparation is ensuring that you have a trained incident response team, whether that is internal or external, with a managed service provider.

  1. Identification

This phase is the investigation of if a compromised occurred. If one did, then determine the depth of the compromise, its source, and its success or failure. This is mostly determined by log review.

It’s important to note that during the investigation, the goal is not to disrupt any potential evidence of the incident. This is where a well-trained response team can be the difference between successful remediation or a repeat-incident.  The team will be able to effectively know how to review log files while not damaging any evidence in the process.

  1. Containment

After the incident is identified and located, the damaged system will need to be removed from production, isolate the devices, and lock down the compromised accounts.

  1. Eradication

The removal and remediation of any damage discovered will need to take place by restoring systems from backup and re-imaging workstation systems. This phase should be done by trained professionals and should only be done after a comprehensive investigation into the incident is completed. We have seen too many times where a business is too quick to delete and restore before they’ve learned how the attacker got in or full extend of the damage. Therefore, the organization has no way of going back to determine what happened and are often hit by the same type of attack again.

  1. Recovery

Recovery is the testing of the remedies made during the eradication phase and the transition back to normal operations. Vulnerabilities are remediated, compromised accounts have been securely updated, and functionality is tested. The business can resume their daily operations.

  1. Lessons Learned

The last phase is the one that many organizations skip, but it is the most important to prevent future incidents. This phase involves reviewing the steps that were taken during your response plan and seeing if any security improvements are required. If a business rushes to get back to normal business without considering the implications of what caused the security incident, you may find yourself in the same position again.

Trained cybersecurity professionals best perform incident responses, that is where our team can step in. Let our skilled technicians help build an effective response plan with these 6 phases, educate your employees on what to do, and help remedy the incident for you. Contact us to see how we can implement this for business, because it’s not if an incident will happen, but when.

Network and Systems Engineering

Reduce cost and mitigate technology risk within your infrastructure.

Show me a better solution.

Backup and Disaster Recovery

Keep your business running smoothly through every technology disaster.

Make my system safe.


Move your business into the next level of telephone system services.

Upgrade my business communications.