Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.8.1. The Incident Response Process

💡 First Principle: Incident response follows a structured lifecycle. Each phase has specific actions and objectives. Skipping phases or performing them out of order leads to extended damage, lost evidence, and repeated incidents.

Preparation — the most important phase. Develop the IR plan, assemble the team, establish communication channels, deploy tools, and train personnel. Preparation happens before incidents occur. Without it, everything else fails.

Detection — identifying that an incident has occurred through monitoring tools, alerts, user reports, or threat intelligence. Speed of detection directly affects the scope of damage.

Analysis — determining the scope, impact, and nature of the incident. What systems are affected? What data is at risk? What attack technique was used? Analysis informs the containment strategy.

Containment — limiting the damage by isolating affected systems, blocking malicious traffic, and preventing lateral movement. Short-term containment (isolate the system) precedes long-term containment (apply temporary fixes while maintaining business operations).

Eradication — removing the root cause: malware removal, patching exploited vulnerabilities, closing compromised accounts, eliminating attacker persistence mechanisms.

Recovery — restoring systems to normal operation: re-imaging compromised systems, restoring from backups, validating system integrity, monitoring for re-infection.

Lessons learned / Post-incident review — analyzing what happened, what worked, what failed, and what needs to change. Findings are documented in a report, and the IR plan, detection rules, and training are updated accordingly. Without this phase, the organization repeats the same mistakes.


āš ļø Exam Trap: The exam uses the NIST incident response lifecycle. Preparation comes first. Lessons learned comes last and feeds back into preparation. If a question asks "what should be done FIRST after a breach is discovered?" — it's detection and analysis (assessing the scope), NOT containment. You need to understand the incident before you can contain it effectively.

Written by Alvin Varughese, Founder • 15 professional certifications