The 6 Steps of a Good Incident Response Plan

by | Sep 12, 2023

When it comes to cybersecurity, it’s a matter of when not if a cyber threat targets your business. Every industry is impacted, with healthcare alone seeing a 74% increase in weekly attacks compared to 2021. Not every type of risk is obvious, either. Whether it’s a subtle phishing attemptdata breach, or even a fake invoice scam, organizations can be hit in many directions by increasingly complex attacks. That’s why a good incident response plan is important in any business strategy, as it allows staff to be better prepared.

What Is an Incident Response Plan?

An Incident Response Plan is a set of instructions detailing how to detect, respond to, and recover from a cybersecurity incident. The National Institute of Standards and Technology (NIST) outlines some core guidelines for handling threats. These plans are often divided into six steps: preparation, identification, containment, eradication, recovery, and lessons learned. Each one serves a purpose and contributes towards a fast and effective response to security incidents.

Why Incident Response Plans Are Good for Businesses

Incident response plans are essential guides that help businesses quickly and effectively deal with cybersecurity threats. Yet, as many as 76% of incident response plans aren’t consistently applied across the whole organization. Following a well-defined plan means companies can act fast, reducing the impact at every level. Steps focused on resolving the issue and safely restoring systems also help to prevent the same problem from happening again.

Beyond just being a crisis roadmap, these plans offer helpful insights that can be invaluable for legal matters or spotting weak points in security measures. Continual updates based on past incidents mean a business constantly improves at dealing with new threats. It can also enhance cybersecurity awareness by keeping employees more informed, which keeps the company more secure.

Step 1: Preparation – Setting the Groundwork

The preparation phase is a key first step for any incident response strategy. This stage equips your Cyber Incident Response Team (CIRT) to act swiftly and effectively when incidents occur. Here are the key elements that are worth including.

Policy Development

A clear policy is a guideline for defining an incident and how to handle it. These expectations should be communicated to employees and can be used to set restrictions on how staff can use workplace technology. If an incident is caused by staff misuse, that can help provide legal protection to the business.

Response Plan & Strategy

Once the policies are set, developing a comprehensive response plan is next. That means prioritizing incidents based on the business impact potential. For example, a malfunctioning computer might be a minor incident, whereas a compromised server or a data breach involving sensitive information would be a significant issue. Since all businesses have limited resources, this helps use them effectively.

Communication Plan

Communication is key to IT, particularly during a crisis. A well-structured communication plan specifies who needs to be contacted, how to reach them, and when. For example, if an e-commerce platform goes offline during peak shopping hours, a preset list of individuals with the necessary expertise should be immediately notified. A flawed or non-existent communication plan could result in delays and misdirection of resources.


Proper documentation is valuable both for legal and operational reasons. Whether for gathering evidence in criminal cases or for internal reviews, the response team must document every action taken during an incident. That should cover each step’s who, what, when, where, why, and how. The use of checklists with timestamps can make this easier.

Building a CIRT

A well-rounded computer incident response team (CIRT) should have individuals from various backgrounds. That can include legal experts, HR personnel, public relations officers, and specialized IT staff. Each member brings a unique skill set, providing a comprehensive approach to incident management.

Access Control

Ensure that CIRT members have access permissions to perform their roles effectively. For instance, a systems administrator might need to adjust user permissions during an incident. The response team should change these back once the incident is resolved.

Tools and Resources

The CIRT should have an IT “jump bag” containing all necessary tools for incident handling. That ranges from anti-malware software and packet sniffers to physical tools like screwdrivers. Preparedness on this front can speed up the response process.

Training and Drills

Regular training sessions and drills are essential to keep the team updated and ready. These exercises provide an opportunity to test the response strategy’s effectiveness and improve upon it.

The preparation phase is not just a preliminary step but an ongoing process. A well-prepared team, backed by policies, plans, and resources, is the best defense for responding to incidents.

Step 2: Identification – Recognizing the Signs of an Incident

The Identification phase is crucial for discerning if an abnormality in your system or network is an isolated event or a full-blown incident. Here, the goal is to collect enough data to decide whether escalated action is required.

Event Gathering from Multiple Sources

Data collection is at the heart of the identification process. A variety of data sources should be monitored, including but not limited to:

  • Log Files: Server, application, and security logs can provide clues.
  • Error Messages: Unusual or unexpected errors can be telltale signs.
  • Intrusion Detection Systems (IDS): These systems flag suspicious activities.
  • Firewalls: Monitor traffic logs for any unusual patterns or blocked activities.

Coordination and Communication

Once an abnormality is detected and considered an incident, swift communication between the CIRT and other key personnel is essential. At least two incident handlers should be involved, one leading the identification and assessment and the other collecting evidence. This dual approach ensures both focus and breadth in dealing with the incident.


As with the preparation phase, documentation is critical. The response team should record every action taken throughout the process. That ensures an accurate record of what happened if there are future legal issues or the event needs to be reviewed.

Determining the Scope

The identification phase also lays the groundwork for the next steps by discovering the scale of the incident. Whether it impacts a single work or an entire network of users can greatly change the response needed. Over or underreacting could lead to additional problems.

Real-world Scenarios for Identification

Here are some examples showing incidents that can start the identification phase:

  • An employee receives a phishing email that closely mimics internal company communications.
  • A user contacts the IT help desk, reporting an unusual issue with their device.
  • High system resource consumption occurs without explanation, affecting performance across different applications.
  • Security monitoring tools flag multiple failed login attempts from various locations quickly.
  • Unusual access patterns during off-hours raise alarms, such as numerous file downloads or configuration changes.

Keeping an open mind about how an incident can appear is essential. Sometimes, a minor factor can signify a much bigger problem. The identification phase is about spotting an incident and understanding its scale and the required response. Proper identification helps set the stage for the next steps in the incident response strategy.

Step 3: Containment – Stopping the Spread of the Incident

The containment step in the incident response plan can help limit the damage and prevent it from spreading further. It involves several steps to help mitigate the issue and preserve any evidence that might be needed for later analysis.

Short-Term Containment

The initial focus is on short-term containment. This step aims to limit the impact of the incident. For example, in a ransomware attack where encrypted files rapidly spread through the network, the IT team might immediately disable network shares and temporarily revoke permissions. It’s important to note that these are not long-term solutions but emergency measures to slow the problem.

System Back-Up and Forensic Imaging

Before initiating any system recovery or data deletion, backing up affected systems using software like Forensic Tool Kit (FTK) is vital. These specialized tools capture the system’s state during the incident, preserving crucial evidence. That data can be invaluable, whether for legal proceedings in cases of criminal activity or for reviewing what can be learned from the incident.

Long-Term Containment

The final step before moving on to the next phase is long-term containment. In this stage, the focus shifts to more sustainable solutions to allow business operations to continue while limiting further security risks. Actions might include:

  • Updating server configurations for enhanced security.
  • Refining firewall rules.
  • Revising user roles and permissions.
  • Conducting targeted cybersecurity training.
  • Enabling multi-factor authentication.

Step 4: Eradication – Removing the Root Cause

Eradication is the next phase in the response process, focusing on eliminating the cause of the problem. The steps taken here are geared towards preventing a repeat of the issue. This phase has its own actions and protocols. Documentation can help understand the overall impact and ensure proper procedures.

Forensic Back-Up Revisited

Recall that during the containment phase, forensic back-ups can be made of the affected systems using specialized tools like the Forensic Tool Kit (FTK). That was done to preserve evidence and understand how the systems were compromised. Before moving forward with eradication, revisiting forensic data can provide insights into the source of the issue, thereby aiding in its removal.

System Reimaging

The most straightforward and often effective erasure method is reimaging the affected system’s hard drives. This process eliminates any compromised files or malicious software, offering a clean slate. This step usually involves restoring systems using original disk images created before their deployment into production.

Patching and Hardening Systems

Once the systems are restored, the next logical step is to apply patches to fix any exploits. That could also be an excellent opportunity to turn off unused services to further harden the system against future attacks. Failing to perform these updates can leave systems susceptible to the same type of issues in the future.

Malware and Registry Scans

We always recommend additional scans on the restored systems using anti-malware software to double-check for hidden threats. Combining anti-virus programs like SentinelOne with tools that can clean and scan system registries, such as CCleaner, can help identify and remove any lingering threats that could reappear.

Continuous Documentation

Like other steps, incident response teams should keep track of everything they do. That serves multiple purposes, such as determining resource costs, ensuring the problem is fully removed, and contributing to the lessons learned phase later in the process.

The eradication step is not merely about applying a quick fix. Instead, it involves a core set of actions to remove the problem and protect systems against repeat incidents.

Step 5: Recovery – Restoring and Validating Systems

The recovery step of an incident response plan serves as a bridge from the crisis to getting things back to normal. The goal is to do this process carefully and thoughtfully while preventing any chance of a repeat incident. Below are some of the key elements of this phase.

Decision on Time and Date for Restoration

The timing of restoring operations is a strategic decision that teams must carefully coordinate. System operators or owners, often in consultation with the CIRT, should decide based on assessments and validations of system health and security.

Testing and Verification

Before reintegration, testing the affected systems to confirm they are clean and fully operational is important. Multiple layers of verification can be employed, including stress tests and security audits, to ensure the system’s integrity and readiness for reintegration into the production environment.

Continuous Monitoring

After reintegrating impacted systems and users, active monitoring is essential in this phase. A planned duration should be set to watch for abnormal behaviors that might indicate lingering issues. The time could range from days to weeks, depending on the complexity and the severity of the initial incident.

Tool Selection

Teams must choose the tools used for testing, monitoring, and validation wisely. These may include network monitoring tools, intrusion detection systems, and additional layers of security software. The selected ones should be capable of capturing relevant data for ongoing analysis.

Secondary Checks

Having additional checks as part of the process can help ensure that no issue sneaks through the prior layers of testing. If something is detected, the right team members can be informed right away so they can take action more quickly.

The objective of the recovery phase is to get things back to normal in a sustainable and secure way. Thoroughness in this stage plays a central role in preventing the recurrence of the same problems that led to the original incident. Hence, this phase is as much about future-proofing as it is about immediate resolution.

Step 6: Lessons Learned – Improving for the Future

The lessons learned step is the easiest to undervalue but is no less important than the rest of the process. Its primary aim is to take the experience, knowledge, and insights from handling the incident to improve preparedness and efficiency. This phase closes the incident response plan and lays the groundwork for more effective strategies. In turn, future threats are easier to prepare for.

Documentation and Incident Report

Documentation is still essential even this late in the process. Any incomplete records from earlier stages should be finalized, along with new findings or insights. The result is a detailed incident report that addresses key questions like who was involved, what happened, where it occurred, why it took place, and how it was resolved. This report is an invaluable historical record, benchmark, and training resource.

Timing and Format of the Lessons Learned Meeting

The meeting should ideally be scheduled within two weeks post-incident. This timeframe ensures that memories are fresh and critical details are less likely to be forgotten. The discussion should be focused and often results in an executive summary of the incident. 

Key Points for Discussion

A well-structured presentation can guide the lessons learned meeting effectively. Talking points can include:

Initial Alerts: Who was the first to raise the alarm, and at what time? 

Impact Assessment: What was the reach and gravity of the incident? 

Mitigation Strategies: What techniques were employed to limit the damage? 

System Recovery: What was required to reinstate normal operations? 

Effective Responses: Which elements of the crisis management were handled exceptionally well? 

Resource Allocation: Were the right tools and personnel deployed effectively?

Learning Opportunities: What hurdles were encountered, and how can they serve as a learning experience for future incidents? 

Open Dialogue and Team Enhancement

The final phase of the meeting should be dedicated to open discussion and brainstorming. Team members should feel free to share their perspectives, critiques, and ideas for betterment. This interactive session allows the team to tap into collective wisdom, thus contributing to continuous improvement.

Overall, the lessons learned phase looks at both the shortcomings and strengths of the organization’s incident response strategy. Investing time into this phase can enhance a team’s preparedness and performance for inevitable future incidents.

Maximizing the Impact of Your Incident Response Plan

We’ve explored the key six steps of a good incident response plan, from initial setup to what can be learned following an event. Each phase has a clear goal of streamlining responses, mitigating risk, and fortifying against future threats. Considering that 32% of cybersecurity intrusions impacted both IT departments and operations, businesses can be vulnerable at every level. That’s why consistent updates and team training can also majorly impact a response plan’s effectiveness.

Developing a good incident response plan reduces downtime and financial loss while preserving customer trust, a valuable but understated factor. What’s more, it’s not just about reacting to problems. It’s a proactive tool that readies your team for future challenges. In short, it’s not just a luxury but a critical investment to help protect any business with a strong digital presence.

Does your business need outsourced IT services or help developing an effective incident response plan? Reach out to one of our consultants via our contact form or call us at +1 (800) 297-8293

Get IT Support