0xnhl

Incident Response

Created: 1/12/2026 Updated: 1/12/2026

Incident#

An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. This is the definition used by NIST SP 800-61 (it originates in FISMA).

Incident Response Lifecycle#

Incident lifecycle frameworks provide a structure to support incident response operations. Frameworks help organizations develop a standardized approach to their incident response process, so that incidents are managed in an effective and consistent way. There are many different frameworks that organizations can adopt and modify according to their needs, e.g. the NIST Cybersecurity Framework (CSF).

The NIST incident response lifecycle, defined in NIST SP 800-61 (Rev. 2), is a separate NIST publication dedicated to incident response, with more detailed substeps than the CSF's Respond function.
It has four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. Note that the lifecycle is not strictly linear: analysis during containment regularly sends responders back to detection and analysis as new artifacts turn up.

Incident response playbook#

Incident response is an organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach.
An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end.

  1. Preparation: Organizations must prepare to mitigate the likelihood, risk, and impact of a security incident by documenting procedures, establishing staffing plans, and educating users.
  2. Detection and analysis: The objective of this phase is to detect and analyze events using defined processes and technology to determine whether a breach has occurred and analyze its possible magnitude.
  3. Containment: The goal of containment is to prevent further damage and reduce the immediate impact of a security incident.
  4. Eradication and recovery: involves the complete removal of an incident’s artifacts so that an organization can return to normal operations.
  5. Post-incident activity: includes documenting the incident, informing organizational leadership, and applying lessons learned to ensure that an organization is better prepared to handle future incidents.
  6. Coordination: involves reporting incidents and sharing information, throughout the incident response process, based on the organization’s established standards. It ensures that organizations meet compliance requirements and it allows for coordinated response and resolution.

Playbooks are generally used alongside SIEM tools. If, for example, unusual user behavior is flagged by a SIEM tool, a playbook provides analysts with instructions about how to address the issue.
SOAR (security orchestration, automation, and response) tools build on this: where a SIEM collects, correlates and alerts on events, a SOAR consumes those alerts (from a SIEM, an EDR, or a managed detection and response (MDR) service) and automates the repetitive response steps a playbook prescribes. For example, if a user attempts to log in too many times with the wrong password, a SOAR playbook can automatically lock the account to stop a possible intrusion. Automated lockouts need a guardrail, though: an attacker who knows the rule can deliberately trigger it against many accounts and turn it into a denial of service, so playbooks normally exempt break-glass accounts and respond to password spraying by blocking the source rather than locking every targeted user.
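The SIEM-to-SOAR flow described above, as an added example that is not part of the original page. It runs two SIEM-style sliding-window rules (brute force against one account, password spray from one source against many accounts) over constructed sshd-like log lines, then a SOAR-style playbook step picks the response. The log format, the thresholds, the window and the PROTECTED_ACCOUNTS set are assumptions for illustration.

```python
"""Added example: a SIEM-style detection rule over constructed auth log lines,
followed by a SOAR-style playbook that picks an automated response.
Not code from the original page; the log format, thresholds and the
PROTECTED_ACCOUNTS set are assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a simplified sshd/syslog shape (not real data).
# 203.0.113.5 hammers one account (brute force); 203.0.113.9 tries one password
# against many accounts (password spray).
SAMPLE_LOGS = """\
2026-01-12T09:00:01Z host1 sshd: Failed password for alice from 203.0.113.5
2026-01-12T09:00:09Z host1 sshd: Failed password for alice from 203.0.113.5
2026-01-12T09:00:20Z host1 sshd: Failed password for alice from 203.0.113.5
2026-01-12T09:00:31Z host1 sshd: Failed password for alice from 203.0.113.5
2026-01-12T09:00:44Z host1 sshd: Failed password for alice from 203.0.113.5
2026-01-12T09:01:00Z host1 sshd: Accepted password for bob from 198.51.100.7
2026-01-12T09:02:10Z host1 sshd: Failed password for bob from 203.0.113.9
2026-01-12T09:02:15Z host1 sshd: Failed password for carol from 203.0.113.9
2026-01-12T09:02:21Z host1 sshd: Failed password for dave from 203.0.113.9
2026-01-12T09:02:26Z host1 sshd: Failed password for erin from 203.0.113.9
2026-01-12T09:02:33Z host1 sshd: Failed password for frank from 203.0.113.9
2026-01-12T09:02:39Z host1 sshd: Failed password for grace from 203.0.113.9
2026-01-12T09:02:44Z host1 sshd: Failed password for heidi from 203.0.113.9
2026-01-12T09:02:50Z host1 sshd: Failed password for ivan from 203.0.113.9
2026-01-12T09:02:55Z host1 sshd: Failed password for judy from 203.0.113.9
2026-01-12T09:03:01Z host1 sshd: Failed password for mallory from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(line):
    """Parse one line into a dict, or return None for lines the rules ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(log_text, user_threshold=5, spray_threshold=10, window=timedelta(minutes=5)):
    """Two sliding-window rules, each firing once per key:
    - brute_force: >= user_threshold failures for one user inside `window`
    - password_spray: failures against >= spray_threshold distinct users from one IP
    """
    failures_by_user = defaultdict(deque)   # user -> recent failure timestamps
    failures_by_ip = defaultdict(dict)      # ip -> {user: latest failure timestamp}
    alerts, fired = [], set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "Failed":
            continue
        ts, user, ip = ev["ts"], ev["user"], ev["ip"]

        q = failures_by_user[user]
        q.append(ts)
        while ts - q[0] > window:            # drop failures older than the window
            q.popleft()
        if len(q) >= user_threshold and ("brute_force", user) not in fired:
            fired.add(("brute_force", user))
            alerts.append({"type": "brute_force", "key": user, "ts": ts, "source_ip": ip})

        seen = failures_by_ip[ip]
        seen[user] = ts
        recent = sorted(u for u, t in seen.items() if ts - t <= window)
        if len(recent) >= spray_threshold and ("password_spray", ip) not in fired:
            fired.add(("password_spray", ip))
            alerts.append({"type": "password_spray", "key": ip, "ts": ts, "users": recent})
    return alerts


# Assumption: accounts that automation must never lock (break-glass admins),
# because an attacker who knows the rule could lock defenders out on purpose.
PROTECTED_ACCOUNTS = {"breakglass-admin"}


def respond(alert):
    """SOAR playbook step: map an alert to the action the automation would take."""
    if alert["type"] == "brute_force":
        if alert["key"] in PROTECTED_ACCOUNTS:
            return {"action": "page_analyst", "target": alert["key"]}
        return {"action": "lock_account", "target": alert["key"]}
    if alert["type"] == "password_spray":
        # Locking every sprayed account would turn the attack into a denial of
        # service against our own users; block the source instead.
        return {"action": "block_source_ip", "target": alert["key"]}
    return {"action": "page_analyst", "target": alert["key"]}


def run_playbook(log_text):
    """Detect, then decide a response for each alert, in order."""
    return [(alert["type"], respond(alert)) for alert in detect(log_text)]


if __name__ == "__main__":
    for alert_type, action in run_playbook(SAMPLE_LOGS):
        print(alert_type, action)
```

The two rules key on different things on purpose: the brute-force rule keys on the account, the spray rule on the source IP, and the response differs accordingly. In a real SOAR the `respond` step would call the identity provider or firewall API; here it only returns the decision so the logic can be tested without those systems.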

Incident response Documentation#

Security teams use documentation to support investigations, complete tasks, and communicate findings.
Effective documentation has three benefits: Transparency, Standardization, Clarity

At a minimum, incident response documentation should describe the incident by covering the 5 W's of incident investigation: who, what, where, why, and when.
The details captured during incident response are the raw material for the documents produced at the end of the lifecycle, such as the final report, so record timestamps (with time zone), hostnames, account names and the artifact each fact came from as you go.

Computer security incident response teams (CSIRT)#

A specialized group of security professionals that are trained in incident management and response.
The goals of CSIRTs are to effectively and efficiently manage incidents, prevent future incidents from occurring, and provide services and resources for response and recovery.

For incident response to be effective and efficient, there must be clear command, control, and communication of the situation to achieve the desired goal. 

  • Command refers to having the appropriate leadership and direction to oversee the response.
  • Control refers to the ability to manage technical aspects during incident response, like coordinating resources and assigning tasks.
  • Communication refers to the ability to keep stakeholders informed.

Roles in CSIRT:#

Security analyst#

The job of the security analyst is to continuously monitor an environment for any security threats. This includes: 

  • Analyzing and triaging alerts
  • Performing root-cause investigations
  • Escalating or resolving alerts 
    If a critical threat is identified, then analysts escalate it to the appropriate team lead, such as the technical lead.

Technical lead#

The job of the technical lead is to manage all of the technical aspects of the incident response process, such as applying software patches or updates. They do this by first determining the root cause of the incident. Then, they create and implement the strategies for containing, eradicating, and recovering from the incident. Technical leads often collaborate with other teams to ensure their incident response priorities align with business priorities, such as reducing disruptions for customers or returning to normal operations.

Incident coordinator#

Responding to an incident also requires cross-collaboration with nonsecurity professionals. CSIRTs will often consult with and leverage the expertise of members from external departments. The job of the incident coordinator is to coordinate with the relevant departments during a security incident. By doing so, the lines of communication are open and clear, and all personnel are made aware of the incident status. Incident coordinators can also be found in other teams, like the SOC.

Other roles#

Depending on the organization, many other roles can be found in a CSIRT, including a dedicated communications lead, a legal lead, a planning lead, and more.

Security Operations Centre - SOC#

Incident response tools#

Incident Response Plan#

A document that outlines the procedures to take in each step of incident response.

Post-incident review#

The Post-incident activity phase of the NIST Incident Response Lifecycle is the process of reviewing an incident to identify areas for improvement during incident handling.
This is typically done through a lessons learned meeting, also known as a post-mortem. A lessons learned meeting includes all involved parties after a major incident. The purpose of this meeting is to evaluate the incident in its entirety, assess the response actions, and identify any areas of improvement. It provides an opportunity for an organization and its people to learn and improve, not to assign blame. This meeting should be scheduled no later than two weeks after an incident has been successfully remediated.

Final report#

One of the most essential forms of documentation that gets created during the end of an incident is the final report. The final report provides a comprehensive review of an incident. Final reports are not standardized, and their formats can vary across organizations. Additionally, multiple final reports can be created depending on the audience it’s written for. Here are some examples of common elements found in a final report:

  • Executive summary: A high-level summary of the report including the key findings and essential facts related to the incident
  • Timeline:  A detailed chronological timeline of the incident that includes timestamps dating the sequence of events that led to the incident
  • Investigation: A compilation of the actions taken during the detection and analysis of the incident. For example, analysis of a network artifact such as a packet capture reveals what activity took place on the network.
  • Recommendations: A list of suggested actions for future prevention
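Building the timeline element listed above, as an added example that is not part of the original page. The usual failure in hand-built timelines is mixing time zones and formats: a Windows event in US-East local time looks earlier than a UTC syslog entry that actually preceded it. The events, hosts, source formats, and the year and time zone assumed for the firewall log are all constructed for illustration.

```python
"""Added example: normalising artifacts from several sources into one UTC
incident timeline. Not code from the original page; the sample events, the
source formats and the assumed time zone of the firewall log are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed artifacts (not real data). Each source records time differently,
# which is exactly what makes hand-built timelines go wrong.
SYSLOG = [    # ISO 8601 with an explicit Z, i.e. UTC
    ("2026-01-12T09:00:44Z", "host1", "sshd: 5th failed password for alice from 203.0.113.5"),
]
WINEVENT = [  # local time with an explicit UTC offset (e.g. an EDR export from a US-East host)
    ("2026-01-12 04:05:10 -0500", "ws-42", "EventID 4624 (logon) for alice from 203.0.113.5"),
]
APPLOG = [    # Unix epoch seconds
    (1768208700, "app-1", "password reset for alice via /admin/reset"),
]
FIREWALL = [  # RFC 3164 syslog style: no year, no zone; the analyst must supply both
    ("Jan 12 04:04:50", "fw-edge", "ALLOW tcp 203.0.113.5 -> 10.0.0.5:22"),
]
# Assumptions for the firewall source: the log year and the appliance's local zone.
FIREWALL_YEAR = 2026
FIREWALL_TZ = timezone(timedelta(hours=-5))


def from_iso_z(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def from_local_with_offset(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


def from_epoch(n):
    return datetime.fromtimestamp(n, tz=timezone.utc)


def from_rfc3164(s, year, tz):
    local = datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def build_timeline():
    """Return all events sorted by UTC time; flag events whose zone was assumed."""
    events = []
    for raw, host, msg in SYSLOG:
        events.append((from_iso_z(raw), "syslog", host, msg, False))
    for raw, host, msg in WINEVENT:
        events.append((from_local_with_offset(raw), "winevent", host, msg, False))
    for raw, host, msg in APPLOG:
        events.append((from_epoch(raw), "applog", host, msg, False))
    for raw, host, msg in FIREWALL:
        events.append((from_rfc3164(raw, FIREWALL_YEAR, FIREWALL_TZ), "firewall", host, msg, True))
    events.sort(key=lambda e: e[0])
    return [
        {"ts_utc": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "source": src, "host": host,
         "message": msg, "tz_assumed": assumed}
        for ts, src, host, msg, assumed in events
    ]


def render(timeline):
    """Plain-text table suitable for the final report's timeline section."""
    lines = ["ts_utc               source    host    message"]
    for e in timeline:
        flag = " (zone assumed)" if e["tz_assumed"] else ""
        lines.append(f'{e["ts_utc"]}  {e["source"]:<8}  {e["host"]:<6}  {e["message"]}{flag}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_timeline()))
```

Sorted by raw strings, the Windows event (04:05:10) would appear first; normalised to UTC it is the last event. The `tz_assumed` flag carries the analyst's assumption into the report itself, so a reviewer can see which timestamps rest on an inferred zone rather than on the source's own record.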