Cybersecurity

Cyber Incident Response: What to Do When You Are Attacked

Every organization will experience a cyber incident. The difference between a manageable disruption and a catastrophic breach is the quality of your incident response plan. This guide covers the complete incident response lifecycle aligned to NIST SP 800-61 and ISO/IEC 27035.

"It is not a question of if you will be attacked. It is a question of how well you will respond when you are."
Cyber incident response is the organized approach to addressing and managing the aftermath of a security breach or cyberattack. An effective incident response plan minimizes damage, reduces recovery time and costs, and preserves evidence for potential legal proceedings. This guide covers the complete lifecycle aligned to NIST Special Publication 800-61 Revision 2 and ISO/IEC 27035 standards.

The Incident Response Lifecycle

NIST SP 800-61 defines four phases of incident response that every organization's plan must address:

  • Preparation: Building the capability to respond before an incident occurs
  • Detection & Analysis: Identifying and confirming that an incident has occurred
  • Containment, Eradication & Recovery: Stopping the attack, removing the threat, and restoring operations
  • Post-Incident Activity: Learning from the incident to prevent recurrence

Phase 1 — Preparation

Preparation is the most important phase — and the one most organizations neglect until after their first significant breach. Preparation includes:

  • Incident Response Plan (IRP): A documented, board-approved plan defining roles, responsibilities, communication protocols, escalation chains, and decision trees for every class of incident
  • Incident Response Team (IRT): Named individuals from IT security, legal, communications, HR, executive management, and external forensic counsel — with backup personnel identified for each role
  • Tool readiness: Forensic imaging tools, network capture capability, secure communication channels (assume email may be compromised during an incident), and isolated investigation systems
  • Tabletop exercises: Simulated incident scenarios practiced by the full response team at least annually — with findings documented and the plan updated accordingly
  • Backup integrity: Confirmed, tested, offline backups with documented restoration procedures and measured recovery time objectives (RTO)

Phase 2 — Detection & Analysis

Not all incidents are obvious. Many advanced persistent threats operate silently for months before triggering a detectable event. Effective detection requires:

  • SIEM (Security Information & Event Management): Centralizes log data from across the environment and applies correlation rules to detect patterns indicative of attacks
  • 24/7 monitoring: Attacks do not follow business hours. Alert coverage must span the full week including weekends and public holidays
  • Incident classification: Not every alert is an incident. Define severity levels (P1 through P4) with corresponding response timelines and escalation triggers
  • Chain of custody from first detection: Every action taken during detection must be logged with timestamps — this documentation may be required for legal proceedings

Phase 3 — Containment, Eradication & Recovery

Containment

The immediate priority is stopping the spread. Containment decisions must balance operational continuity against breach expansion — isolating affected systems while preserving evidence.

  • Network isolation of confirmed compromised systems
  • Credential rotation for all potentially exposed accounts
  • Preservation of volatile memory and system state before any remediation
  • Activation of out-of-band communication channels

Eradication

After containment, the threat must be completely removed from the environment. Premature declaration of eradication is one of the most common and costly incident response failures.

  • Full forensic investigation to identify all affected systems and the initial attack vector
  • Removal of all malware, backdoors, and attacker-created accounts
  • Vulnerability patching to close the initial entry point
  • Verification that no persistence mechanisms remain

Recovery

Restoration of systems to normal operation must be methodical and verified — not rushed by business pressure.

  • Restore from confirmed clean backups — not from potentially compromised images
  • Monitor restored systems intensively for 30 days post-recovery
  • Verify system integrity before returning to production
  • Document all regulatory notification obligations and timelines (NDPC Act 2023 for Nigerian organizations)

Phase 4 — Post-Incident Review

A formal lessons-learned review conducted within two weeks of incident closure is non-negotiable. Every incident — however minor — provides intelligence that improves future response capability.

  • Root cause analysis: What was the initial entry point? Why was it available?
  • Detection gap analysis: When did the incident actually begin vs. when it was detected?
  • Response effectiveness: What worked? What delayed the response?
  • Control improvements: What new controls would have prevented or detected this incident earlier?
  • Plan updates: The incident response plan must be updated to reflect every lesson learned
Nigerian Regulatory Context
The Nigeria Data Protection Act 2023 (NDPA) requires organizations to notify the Nigeria Data Protection Commission (NDPC) of data breaches affecting personal data within 72 hours of becoming aware of the breach. This notification obligation must be built into your incident response plan before an incident occurs — not researched during one.

Key Takeaway

A cyber incident response plan is not an IT document — it is an organizational survival plan. Build it, test it, and practice it before you need it. The organizations that emerge from cyber incidents with their reputation and operations intact are not the lucky ones — they are the prepared ones.

Read: Phishing & Social Engineering →