>Six Phases of Incident Response

Cybersecurity is a field that is important to pretty much every industry. A good cybersecurity system can help businesses stay safe from cybercrimes such as phishing attacks, malware attacks, and ransomware. Any organization that is serious about its cybersecurity should start with a good incident response plan. A cyber incident response plan tell a company’s IT & security professionals what to do in case of a cyber security incident like a data breach. A solid incident response generally consists of six phases: preparation, identification, containment, eradication, recovery, and lessons learned.


Preparation is all about the events leading up to a cyber attack. In this phase, the company should ensure that all employees have a certain degree of awareness about cybersecurity and knowledge of basic incident response techniques to deal with a cyber crisis.


Identification is about identifying a breach and if any other systems have been compromised. The NIST Cybersecurity Framework suggests that you focus on answering questions such as:

  • Who discovered the breach?
  • What is the extent of the breach?
  • Is it affecting operations?
  • What could be the source of the compromise?

It is important that everything is documented in this phase.


Containment involves everything a company can do to mitigate damage once there is already a cyber crisis. The company should consider the following:

  • Which systems can be taken offline?
  • Can anything be deleted safely? Should it be deleted?
  • What is the short and long term strategy in dealing with the effects of the attack?

Backups should be reviewed along with checking if all relevant security updates have been applied.


Eradication is not just about dealing with the threat in real time, but understanding what caused the breach in the first place. This will involve patching vulnerabilities in the system, removing any malicious software, updating old software, etc.

This is done to ensure that all malicious content is wiped clean from the compromised system, and if done properly, without losing important data in the process.


Recovery is all about getting the compromised systems back online after the incident. This phases is important as it tests, monitors, and verifies the affected systems and prevents similar incidents in the future.

Lessons Learned

This is perhaps the most important phase of the incident response plan where the company should assess what it can learn from the incident. The incident response team should meet no later that two weeks after the attack and discuss it. This is where the documentation in the identification phase comes into play. The team can look into the root of the breach and figure out how to prevent similar attacks in the future.

It is all about learning from your mistakes in order to ensure that they do not happen again, and god forbid they do, they can be handled better.

Leave a Comment