As cyberattacks on small and mid-sized businesses become a frequent fact of life, the financial toll is rising quickly. The cost of a data breach for small businesses with fewer than 500 employees recently averaged almost $3 million, meaning even minor attacks can cost six figures.
Expect those costs to climb even higher, at a faster rate, as attacks on smaller companies pick up.
All indicators suggest the situation will worsen, making it essential for all companies, regardless of size, to take cybersecurity seriously and prioritize incident response.
This article outlines the seven proven steps and procedures in the incident response lifecycle, explains how to improve incident response procedures, and reveals a few shortcuts and computer security hacks.
What Is Incident Response?
A security incident is any event that could, accidentally or intentionally, compromise the confidentiality, integrity, or availability of systems and/or data.
Preventing that from happening while limiting the damage, cost, and duration of incidents is the purpose of incident response.
The incident response lifecycle breaks key activities down into separate incident response phases, allowing for the optimization of each one while ensuring that incident response proceeds systematically toward recovery.
A closer look at each incident response step reveals how they work, individually and collectively, to empower (or inhibit) a company’s response.
Security Incident Response Steps & Procedures To Follow
Incident response is not one activity but many, each of which plays an equal and vital part in stopping incidents before they cause serious disruption, damage, or delay. Not only are the steps necessary for taking a comprehensive approach to incident response, but they also provide clarity and certainty during the chaos of a data breach or other security incident.
Incident response frameworks, such as those from NIST or SANS, take slightly different approaches, but all agree on the basic best practices, which always include some version of these security incident response steps:
- Prepare For Threats
- Detect The Threat
- Analyze/Identify The Threat
- Contain The Threat
- Eliminate The Threat
- Recover And Restore
- Incident Debrief / Lessons Learned
Are you up to par on each step? Will your incident response plan succeed when it matters most?
We take a closer look at each of the incident response procedures in the following sections and highlight some questions you need to be asking before the next breach occurs.
Step 1: Prepare For Threats
The incident response lifecycle starts with planning and preparing for whatever incidents may occur. This phase takes more time and energy than any other, as preparation happens whenever an incident isn’t actively in progress.
With new attacks emerging all the time and the attack surface expanding as well, preparation for incident response must continually be expanding and evolving.
Preparation involves everything from making cybersecurity plans and policies to providing employees with training and education, reviewing computer security measures, running breach drills with incident response teams, and hunting for cyber vulnerabilities and exposures to mitigate.
Preparation is all about trying to prevent attacks proactively while simultaneously preparing to respond effectively at a moment’s notice.
Keeping the incident response plan aligned with the IT infrastructure and the threat landscape is the hardest part of the preparation phase in incident response. Make preparation a sustained and systematic effort endorsed by company leadership.
Self Assessment
- When was the last time you updated the incident response plan?
- What has changed since the last update or incident?
- Is the plan stored in a secure but accessible location?
- Has everyone been trained on cybersecurity, and when?
Step 2: Detect The Threat
Being able to detect any threat, even advanced and evasive threats, targeting any part of the attack surface, even new and unknown vectors, is the second phase in the incident response cycle.
Detection depends on seeing indicators of compromise, including signatures and anomalies, as early as possible, ideally before an intrusion occurs.
Effective detection requires visibility across the entire attack surface.
Just as important are robust 24/7/365 detection capabilities so that attacks can’t gain traction after hours, and effective alert filtering so that false alarms don’t overwhelm the incident response resources.
To match the speed, scale, and sophistication of today’s threats, detection increasingly relies on automation to correlate large volumes of cybersecurity signals and ensure consistent cyber vigilance at all times.
Without automation, handling so many signals from so many sources poses a significant challenge to lean cybersecurity teams. It requires a high degree of integration and coordination, combined with planning and policies to prevent any lapse in visibility.
Self Assessment
- How fast can you detect threats?
- What kind of threats can you detect?
- Can you detect across the entire attack surface?
- Will detection scale with your IT infrastructure?
Step 3: Analyze/Identify The Threat
Any threat that gets detected needs to be analyzed as fully as possible to understand the type of threat, the tactics it may use, the targets it may seek, and the damage it may cause.
Containment and eradication are more effective with more information—and they suffer without it—emphasizing the importance of capturing, collecting, organizing, and analyzing security data as broadly as possible.
Always err on the side of more.
Event correlation, forensic analysis, and threat intelligence are all tools for analyzing cyber threats. Others, like a security incident severity matrix, reveal which threats to prioritize based on their impact, helping incident response teams make efficient use of limited resources.
A combination of forensic tools, automation, and human experience produces more effective analysis in less time.
Just as important as the individual components, however, are the coordination and communication between them, which result from an incident response plan.
Tools and training have a large impact on the analysis phase, especially in small and mid-sized businesses with limited teams and tech stacks. What’s more, capability gaps often appear only after an incident breaks out unless teams take time to prepare in advance.
Self Assessment
- How will you analyze unknown threats?
- Can you analyze vulnerabilities and exploits?
- How long does analysis take?
- Have blind spots ever occurred?
Step 4: Contain The Threat
Many security threats can be contained before they cause a breach or any meaningful damage—but only provided that incident response can move fast enough to get in front of threats, has the intelligence to stop their forward progress, and has adequate containment tools.
You also need round-the-clock coverage so that containment doesn’t have to wait until someone arrives at the office in the morning.
Limiting damage by shutting down systems or isolating networks is another function of the containment phase. Incident response teams must balance the damage of compromising business operations against the danger of corrupted IT and act accordingly.
They also need to balance a fast pace with a thorough process to mitigate the lingering effects of sophisticated attacks. Many incident response plans include separate containment “playbooks” for different types of cyber threats, e.g., phishing, malware, and ransomware.
Where containment gets difficult is needing to make high-stakes decisions in a high-pressure environment. Incident response teams need to feel confident they can understand threats quickly and accurately enough to get those decisions right, without delay or exception.
Self Assessment
- Can you contain any threat you encounter?
- How long does containment usually take?
- Can you maintain business continuity during containment?
- Can all systems be isolated during an incident?
Step 5: Eliminate The Threat
Perhaps the highest-stakes phase of the security incident response lifecycle, eradication is when you systematically remove all traces of the attack.
Until eradication is complete and confirmed, a threat could still cause damage, making it important to work thoroughly from the point of quarantine back to the point of intrusion, examining all systems that could have been affected.
Systematic eradication helps to eliminate any hidden malware or traps the attack may have left behind.
It’s also important for forensic purposes; tracing the path of the attack reveals which vulnerabilities it exploited and what policies and protections need to change the next time the incident response lifecycle begins again at the preparation phase.
The part of eradication that security teams struggle with, even security teams at large enterprises, is fully understanding the root cause of the incident. Without that, it’s difficult or impossible to keep those causes from enabling another incident.
Self Assessment
- How quickly does eradication occur?
- Are you confident everything has been removed?
- Have you ever needed assistance with eradication?
- Has eradication ever delayed recovery?
Step 6: Recover And Restore
Recovery comes sixth in the incident response lifecycle because returning to normal operations can only happen once the incident is over.
Administrators will restore systems to normal operations using things like data backups and recovery points, then confirm there are no lingering security or performance issues.
Larger incidents may require a phased recovery, where administrators bring systems back online based on the highest priorities or the eradication order.
Heightened cybersecurity is especially important during recovery, since attackers often pick recent victims as their next target because those victims have known weaknesses.
Many incident response plans neglect the recovery phase, assuming it will be straightforward when, actually, every recovery looks different. Ensure the security teams are equipped to recover everything efficiently without causing unintended consequences in the process.
Self Assessment
- Do you have clean backups of everything?
- What is your backup strategy?
- How quickly can you restore systems?
- Has recovery been successful after every breach?
Step 7: Incident Debrief / Lessons Learned
Every incident is a learning process, and afterward, something can always be changed or improved to prevent a repeat incident.
The final phase of the incident response procedures starts with reviewing exactly what happened from the attack’s first appearance through each phase of the incident response lifecycle.
Establish the timeline, key events, exploited vulnerabilities, and damaged assets, documenting everything thoroughly. Then establish what went right and wrong, both through outside analysis and by interviewing those involved.
Turn those observations into actionable plans for improving incident response—by adding tools, changing tactics, improving training, or enlisting partners.
More than just preventing a repeat incident, the goal of the final phase is to improve incident response overall and make cybersecurity better equipped against whatever comes next.
Keep this phase productive by defining roles and responsibilities for the team, along with goals and deadlines. Above all, be objective, and keep bias and emotion from affecting the analysis. Ground the process in learning and improvement rather than blame and guilt.
Self Assessment
- Who is involved in this phase?
- Do incidents always prompt reflection?
- Have previous lessons led to improvements?
- Does incident response have any persistent problems?
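The timeline review described in this phase, and several of the self-assessment questions above (how fast detection, containment, and recovery happen), can be answered from the incident record itself. The following is an added example, not code from the article or from PurpleSec: it takes a constructed set of timestamped incident events, one per lifecycle phase, computes the phase durations, and flags the phases that missed the plan's (also constructed) target times so they go into the debrief.

```python
from datetime import datetime

# Constructed incident record for illustration (not from the article): each entry
# is (ISO timestamp, lifecycle phase, note). Phases follow the article's steps.
SAMPLE_EVENTS = [
    ("2024-03-01T02:14:00", "intrusion", "phishing attachment opened on a finance laptop"),
    ("2024-03-01T09:40:00", "detection", "EDR alert: credential-dumping tool on the laptop"),
    ("2024-03-01T10:05:00", "analysis", "analyst confirms true positive; scope: 1 host, 1 account"),
    ("2024-03-01T10:30:00", "containment", "host isolated from the network, account disabled"),
    ("2024-03-01T15:00:00", "eradication", "host reimaged, persistence mechanism removed"),
    ("2024-03-02T08:00:00", "recovery", "host restored from a clean backup, user back online"),
]

PHASE_ORDER = ["intrusion", "detection", "analysis", "containment", "eradication", "recovery"]

def first_event_per_phase(events):
    """Map each lifecycle phase to the earliest timestamp recorded for it."""
    first = {}
    for ts, phase, _note in events:
        t = datetime.fromisoformat(ts)
        if phase not in first or t < first[phase]:
            first[phase] = t
    return first

def response_metrics(events):
    """Return the phase durations (in hours) the self-assessment questions ask about."""
    first = first_event_per_phase(events)
    missing = [p for p in PHASE_ORDER if p not in first]
    if missing:  # an incomplete timeline is itself a finding for the debrief
        raise ValueError(f"timeline incomplete, no event for phase(s): {missing}")

    def hours(start, end):
        return (first[end] - first[start]).total_seconds() / 3600

    return {
        "time_to_detect_h": hours("intrusion", "detection"),      # attacker dwell time
        "time_to_contain_h": hours("detection", "containment"),
        "time_to_eradicate_h": hours("containment", "eradication"),
        "time_to_recover_h": hours("eradication", "recovery"),
        "total_incident_h": hours("intrusion", "recovery"),
    }

def flag_slow_phases(metrics, targets):
    """List the metrics that exceeded the plan's target durations (constructed targets)."""
    return sorted(name for name, limit in targets.items() if metrics[name] > limit)

# Constructed plan targets: detect within 1 h, contain within 1 h, recover within 8 h.
TARGETS = {"time_to_detect_h": 1.0, "time_to_contain_h": 1.0, "time_to_recover_h": 8.0}

if __name__ == "__main__":
    metrics = response_metrics(SAMPLE_EVENTS)
    for name, value in metrics.items():
        print(f"{name}: {value:.1f}")
    print("phases to review in the debrief:", flag_slow_phases(metrics, TARGETS))
```

In the sample record, detection took over seven hours and recovery seventeen, so those two phases are the ones the debrief should examine; containment, at under an hour, met its target.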
Start With A Security Risk Assessment
A security risk assessment is a systematic process that identifies, evaluates, and prioritizes potential vulnerabilities across your information assets, including systems, hardware, applications, and data.
It provides decision-makers with actionable intelligence about system vulnerabilities, enabling proactive defensive measures and effective risk responses.
Before developing an incident response plan, you should conduct a thorough security risk assessment to establish your security baseline and identify your most critical assets and vulnerabilities.
This knowledge is essential for creating an effective incident response plan that aligns with your actual security needs rather than perceived ones.
The assessment helps you understand where to focus your incident response resources and how to prioritize different types of incidents based on their potential impact on your specific environment.
Having an experienced virtual Chief Information Security Officer (vCISO) guide your risk assessment process can significantly enhance the return on investment of your security initiatives.
A vCISO brings deep expertise in identifying and evaluating complex security risks, ensuring that your assessment follows industry best practices and compliance requirements.
They can help prioritize remediation efforts based on your organization’s unique risk profile and business objectives, ensuring that security investments target the areas of greatest risk first.
This strategic approach helps organizations avoid common assessment pitfalls while developing more effective and cost-efficient security programs.
Next, Create Your Incident Response Plan
An incident response plan details the policies and procedures to follow at each phase in the incident response lifecycle, the roles and responsibilities of each responder, the proper communication channels to follow, the goals for recovery, and anything else that might be useful.
Incident response plans are made during phase one, enacted during phases two through six, and reviewed during phase seven. Then the cycle begins again with improvements to the plan.
Creating a plan starts by picking a framework to follow, such as the NIST incident response cycle. Then follow a template to ensure you check all the boxes in each phase and create policies that expedite incident response and safeguard the recovery process.
All companies, regardless of size or tech orientation, need an incident response plan that evolves rather than one that sits static or, even worse, doesn’t exist.
How PurpleSec Helps Small Businesses Respond To Security Incidents
Small businesses don’t have to struggle with incident response or accept elevated cyber risk. With Defiance XDR, a managed extended detection and response (XDR) solution from PurpleSec, any business can rely on enterprise-grade incident response.
Not only does this solution improve the speed and scope of incident response while reducing the cost and burden, it also helps small businesses immediately improve at each phase in the incident response lifecycle:
- Preparation: We continually refine our tools, improve our methods, and study threat intelligence in preparation for anything and everything.
- Detection: Our proprietary technology integrates multiple tools and data sources to extend detection across the attack surface and improve the detection of evasive attacks.
- Analysis: We use automation to collect more data, analyze it faster, and extract more intelligence to assist with incident response.
- Containment: Defiance XDR automatically contains threats or alerts one of our experts when a threat requires an active, human-led response.
- Eradication: The combination of automation from our technology and expertise from our team ensures that eradication leaves systems completely clean.
- Recovery: With our team handling detection and response while advising about incident response, recovery is faster and more reliable.
- Review: After each incident, we review our own performance, and we advise you where and how to change cybersecurity controls to prevent another incident.
Designed to make incident response easy, affordable, and (most importantly) effective for small businesses, Defiance XDR from PurpleSec checks every box and optimizes every phase.
Don’t leave your organization exposed. Don’t waste precious resources, either. Upgrade incident response with Defiance XDR from PurpleSec, and further streamline your security journey by adding virtual CISO services.
Article by
Joshua is a diversely-skilled cybersecurity professional with over a decade of cybersecurity experience previously working for the Department of Defense.