The Incident Response Lifecycle
NIST SP 800-61 defines four phases of incident response that every organization's plan must address:
- Preparation: Building the capability to respond before an incident occurs
- Detection & Analysis: Identifying and confirming that an incident has occurred
- Containment, Eradication & Recovery: Stopping the attack, removing the threat, and restoring operations
- Post-Incident Activity: Learning from the incident to prevent recurrence
Phase 1 — Preparation
Preparation is the most important phase — and the one most organizations neglect until after their first significant breach. Preparation includes:
- Incident Response Plan (IRP): A documented, board-approved plan defining roles, responsibilities, communication protocols, escalation chains, and decision trees for every class of incident
- Incident Response Team (IRT): Named individuals from IT security, legal, communications, HR, executive management, and external forensic counsel — with backup personnel identified for each role
- Tool readiness: Forensic imaging tools, network capture capability, secure communication channels (assume email may be compromised during an incident), and isolated investigation systems
- Tabletop exercises: Simulated incident scenarios practiced by the full response team at least annually — with findings documented and the plan updated accordingly
- Backup integrity: Confirmed, tested, offline backups with documented restoration procedures and measured recovery time objectives (RTO)
Phase 2 — Detection & Analysis
Not all incidents are obvious. Many advanced persistent threats operate silently for months before triggering a detectable event. Effective detection requires:
- SIEM (Security Information & Event Management): Centralizes log data from across the environment and applies correlation rules to detect patterns indicative of attacks
- 24/7 monitoring: Attacks do not follow business hours. Alert coverage must span the full week including weekends and public holidays
- Incident classification: Not every alert is an incident. Define severity levels (P1 through P4) with corresponding response timelines and escalation triggers
- Chain of custody from first detection: Every action taken during detection must be logged with timestamps — this documentation may be required for legal proceedings
Phase 3 — Containment, Eradication & Recovery
Containment
The immediate priority is stopping the spread. Containment decisions must balance operational continuity against breach expansion — isolating affected systems while preserving evidence.
- Network isolation of confirmed compromised systems
- Credential rotation for all potentially exposed accounts
- Preservation of volatile memory and system state before any remediation
- Activation of out-of-band communication channels
Eradication
After containment, the threat must be completely removed from the environment. Premature declaration of eradication is one of the most common and costly incident response failures.
- Full forensic investigation to identify all affected systems and the initial attack vector
- Removal of all malware, backdoors, and attacker-created accounts
- Vulnerability patching to close the initial entry point
- Verification that no persistence mechanisms remain
Recovery
Restoration of systems to normal operation must be methodical and verified — not rushed by business pressure.
- Restore from confirmed clean backups — not from potentially compromised images
- Monitor restored systems intensively for 30 days post-recovery
- Verify system integrity before returning to production
- Document all regulatory notification obligations and timelines (NDPC Act 2023 for Nigerian organizations)
Phase 4 — Post-Incident Review
A formal lessons-learned review conducted within two weeks of incident closure is non-negotiable. Every incident — however minor — provides intelligence that improves future response capability.
- Root cause analysis: What was the initial entry point? Why was it available?
- Detection gap analysis: When did the incident actually begin vs. when it was detected?
- Response effectiveness: What worked? What delayed the response?
- Control improvements: What new controls would have prevented or detected this incident earlier?
- Plan updates: The incident response plan must be updated to reflect every lesson learned
Key Takeaway
A cyber incident response plan is not an IT document — it is an organizational survival plan. Build it, test it, and practice it before you need it. The organizations that emerge from cyber incidents with their reputation and operations intact are not the lucky ones — they are the prepared ones.
Read: Phishing & Social Engineering →