The 5 phases of a cyber incident response plan

From banks to transport companies and everything in between, if your organisation uses data (and which business doesn’t), you’re at risk of a cybersecurity incident. These can be anything from ransomware and phishing attacks to disgruntled employees who steal data or use backdoors to infect a network with malicious software.

Unfortunately, with businesses so reliant on technology and data to operate, it’s no longer a case of ‘if’ you will experience a cybersecurity breach, but when… and more importantly, what happens when you do.

Will your business be able to get rapidly back online and operational, with a full review of what went wrong so you can track the culprits and protect your organisation’s reputation? Or will your management and security teams be scrambling to understand what happened and respond appropriately? In our experience, most IT teams are inexperienced in identifying the Point of Compromise (POC) when a breach occurs. This is because it is not their area of expertise, nor should it be. Troubleshooting daily IT issues and optimising a network do not require the same skill sets as the forensics associated with cybercrimes and data breaches.

The reality is that without a plan in place, when a breach does occur, businesses are prone to making expensive mistakes, not to mention the fact that when an organisation experiences a significant breach, an external investigation or audit will follow.

It’s therefore critical to have a cybersecurity incident response (IR) plan in place so that your team knows exactly what to do when the unthinkable occurs. This plan should be specific and actionable, detailing who should do what and when. We would also recommend partnering with incident response experts in this field before an incident occurs – this ensures that everyone is aware of your IR plan and there is no scrambling to bring someone onboard and sign SLAs and confidentiality agreements when every second counts.

How to create an incident response plan

Here are the key components of an incident response plan. The objective of an IR plan is to set up a series of five phases that must be followed to address a suspected data breach. The first phase takes place before a breach occurs, and the remaining four are during and after the breach.

The incident response phases are:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery

  1. Preparation

Without this phase, the rest of your plan will be useless because no one will know what it is or what they should be doing. In this phase, you are training your employees on their roles and responsibilities in the event of a cybersecurity incident.

This is not a once-off deployment. It’s important to regularly test and review your IR plan and to run mock drills to ensure everyone is responding appropriately. Ongoing training is also important. The more prepared your employees are, the less likely they’ll make critical mistakes.

Questions to ask:

Has every employee been trained on security policies?

Has the IR plan been approved by management and developed with incident response experts?

Does everyone know their roles and responsibilities?

Have we tested the plan thoroughly?

Has everyone participated in a mock drill?

  2. Identification

The ability to identify whether or not you’ve been breached is paramount. There are many different Points of Compromise (POC) to consider, but more importantly, you need to be able to recognise that a breach has occurred in the first place – without this step, a cybercriminal could infiltrate your entire network.

Questions to ask:

When did the incident happen?

What alerted us to the breach?

Who discovered that a breach had occurred?

What is the POC?

Which areas in our network have been impacted?

How have our operations been impacted?

  3. Containment

Unfortunately, when a breach is first discovered, the initial instinct of most IT teams is to immediately close the breach and delete any suspicious files. The problem is that this not only destroys valuable evidence, but it also drastically reduces the chances of determining who infiltrated the system, how they did it, and whether or not they’ve left a backdoor open or there are other vulnerabilities that they (or other cybercriminals) can exploit.

Instead, it’s critical to contain the breach so that it causes no further damage to your business, without deleting anything that could serve as evidence. Affected devices should be disconnected from the Internet, and a redundant system backup should be in place to quickly restore business operations.

Questions to ask:

What is our short-term breach protocol? Has it been followed?

What is our long-term breach protocol? Has it been followed?

Has the malware been isolated from the rest of the network?

Have we implemented our backups?

Are our security patches up to date?

  4. Eradication

Containment is naturally followed by eradication, but only once the breach has been forensically investigated and you have all the information you need to take the matter to court (if necessary) and ensure that no subsequent breaches will take place through similar vulnerabilities. Once this is in hand, you can eliminate the root cause of the breach. Be thorough. Any trace of malware can result in additional data being lost, a subsequent breach and increased liabilities.

Questions to ask:

Have artifacts/malware from the attacker been securely removed?

Has the system been hardened, patched and fully updated?

Can the system be re-imaged?

  5. Recovery

Your business will not be fully operational until all systems and devices have been restored and are back on your (patched and secure) network.

Questions to ask:

Do we have trusted backups that were unaffected by the breach?

How quickly can we return to business as usual?

Have all systems been patched, hardened and tested?

Have all passwords been reviewed and reset?

Do we have multi-factor authentication in place?

How has this experience impacted our IR plan going forward?

Next steps

One of the key components of an IR plan is that breaches are not simply closed and suspicious software deleted; instead, the entire incident is forensically investigated. This ensures that the incident is analysed and documented, which gives your business and response team the tools and insights to address future vulnerabilities.

How Cyanre can help

Our team of experts at Cyanre is standing by to play a strategic and hands-on role to lead you through the process and secure your business. Connect with us at today.