Incident Response

Incident response (IR) is the organised approach to detecting, containing, eradicating, and recovering from network security incidents. No matter how strong your preventive controls are, breaches will occur. The quality of your incident response determines whether an incident is a minor disruption or a catastrophic failure.

---

What is a Security Incident?

A security incident is any event that compromises the confidentiality, integrity, or availability of information assets. Not every security event is an incident — but every incident starts as an event.

Term	Definition
Event	Any observable occurrence in a system or network
Alert	An event flagged by a security tool as potentially malicious
Incident	A confirmed violation of security policy or a breach

Incident Severity Levels

Level	Description	Example	Response Time
P1 — Critical	Active breach with system-wide impact	Ransomware spreading across the network	Immediate (< 15 min)
P2 — High	Confirmed compromise with limited scope	Single server compromised, no lateral movement	< 1 hour
P3 — Medium	Suspicious activity requiring investigation	Unusual outbound traffic from a server	< 4 hours
P4 — Low	Minor policy violation or anomaly	Failed login attempts from unknown IP	< 24 hours

---

Incident Response Frameworks

NIST SP 800-61 (Computer Security Incident Handling Guide)

The NIST framework defines four phases:

┌──────────────┐     ┌───────────────────┐     ┌─────────────────────────────┐     ┌─────────────────────┐
│  Preparation │────▶│ Detection &       │────▶│ Containment, Eradication    │────▶│ Post-Incident       │
│              │     │ Analysis          │     │ & Recovery                  │     │ Activity            │
└──────────────┘     └───────────────────┘     └─────────────────────────────┘     └─────────────────────┘
       ▲                                                                                    │
       └────────────────────────────── Lessons Learned ─────────────────────────────────────┘

SANS Incident Response Process

The SANS framework uses six phases:

Phase	Activities
1. Preparation	Policies, tools, training, communication plans
2. Identification	Detect and confirm the incident
3. Containment	Limit the damage — short-term and long-term
4. Eradication	Remove the root cause — malware, backdoors, vulnerabilities
5. Recovery	Restore systems to normal operations
6. Lessons Learned	Document findings and improve processes

---

Phase 1: Preparation

Preparation is the most critical phase — it determines how effective your response will be when an incident occurs.

Key Preparation Activities

Activity	Description
Incident Response Plan (IRP)	Documented procedures for handling incidents
IR Team (CSIRT)	Defined roles and responsibilities
Communication Plan	Who to notify internally and externally
Tool Readiness	SIEM, EDR, forensic tools, isolation capabilities
Playbooks	Step-by-step response procedures for common incident types
Tabletop Exercises	Simulated scenarios to test the plan
Legal and Compliance	Pre-arranged contacts for legal counsel and regulatory bodies

Incident Response Team Roles

Role	Responsibility
Incident Commander	Leads the response, makes decisions, coordinates
Triage Analyst	Performs initial assessment and escalation
Forensic Analyst	Collects and preserves evidence, performs deep analysis
Network Analyst	Analyses network traffic, isolates segments
Communications Lead	Handles internal and external notifications
Legal Counsel	Advises on regulatory obligations and evidence handling
Management Sponsor	Authorises actions with business impact

---

Phase 2: Detection and Analysis

Detection Sources

Source	Detection Capability
SIEM	Correlated alerts from multiple log sources
IDS/IPS	Network-based threat detection
EDR	Endpoint-level process and file monitoring
Firewall Logs	Blocked and allowed connection analysis
DNS Logs	Tunnelling, DGA, and malicious domain queries
User Reports	Employees reporting suspicious emails or behaviour
Threat Intelligence	Matching IOCs against internal data

Analysis Activities

1. Validate the alert — confirm it is not a false positive
2. Determine scope — how many systems are affected?
3. Identify the attack vector — how did the attacker get in?
4. Assess impact — what data or systems are compromised?
5. Assign severity — P1/P2/P3/P4
6. Document everything — timestamps, actions taken, evidence collected

---

Phase 3: Containment

Containment prevents the incident from spreading further:

Short-Term Containment

Action	Purpose
Isolate affected systems	Remove from the network (disable port, VLAN change)
Block malicious IPs/domains	Update firewall and DNS filtering rules
Disable compromised accounts	Prevent further unauthorised access
Capture forensic images	Preserve evidence before changes are made

Long-Term Containment