
Cyber Security Incident Response Steps – How to prepare for a cybersecurity incident

Cyber Security is the protection of internet-connected systems, including hardware, software and data, from cyber-attacks. 

Protection against unauthorised access to data centres and other computerised systems is something no business can afford to be without today. 

The purpose of cyber security is to help prevent cyber-attacks, data breaches and identity theft. It’s much better to mitigate against an attack than to be well placed to deal with an attack once it happens.  

It is, however, crucial for all businesses to put in place an Incident Response Plan that details exactly what needs to happen in the event of a cyber-attack. A cyber attack should be viewed as a ‘when’ not ‘if’ occurrence so being prepared is crucial. 

What is Incident Response? 

Incident Response is a plan for quickly responding to a cyber security incident. Having a clear and defined plan in place allows companies to deal with the incident in a methodical, controlled manner in order to contain and minimise the damage. 

On a daily basis, companies will face all kinds of potential cyber security threats. From forgotten passwords to unauthorised software downloads, it’s important to recognise each of these incidents and plan for the potential risks involved. 

Issues with failed password attempts can be identified and excluded from your incident response plan

A member of staff triggering a failed login from multiple incorrect password entries, for example, will most likely not trigger an incident response. In this case, it’s important to recognise in the plan the difference between a failed login and an attempt at unauthorised access.  

On the other hand, a member of staff opening a link that causes malware, a virus or other malicious material to be distributed across your network should trigger an incident response to quickly shut the problem down and minimise the damage.

Your Incident Response plan should include a list of all the potential event types with designated boundaries for when each of those events should be investigated. This should then lead to a customised incident response for each of the events with detailed steps showing the actions that need to be taken. Protecting the critical infrastructure should be a priority and this should be highlighted within the incident response plan. 
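
One way to express such boundaries in code, as an added example that is not from the original article: a plan table is applied to a stream of events so that a few mistyped passwords stay routine while one source trying many accounts, or any malware alert, is raised. The plan values, reason names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical plan table (assumed values): event type -> boundary for investigation.
PLAN = {
    "failed_login": {"window": timedelta(minutes=10), "per_user": 10, "users_per_source": 3},
    "malware_alert": {"always": True},  # investigate on first sight
}

def triage(events, plan=PLAN):
    """Return (reason, subject) for each boundary crossed, once per subject."""
    incidents, raised = [], set()
    per_user = defaultdict(deque)    # user -> times of recent failures
    per_source = defaultdict(deque)  # source -> (time, user) of recent failures
    def raise_once(reason, subject):
        if (reason, subject) not in raised:
            raised.add((reason, subject))
            incidents.append((reason, subject))
    for ev in sorted(events, key=lambda e: e["time"]):
        rule = plan.get(ev["type"])
        if rule is None:
            continue  # event type has no boundary in the plan
        if rule.get("always"):
            raise_once(ev["type"], ev["source"])
            continue
        cutoff = ev["time"] - rule["window"]
        times = per_user[ev["user"]]
        times.append(ev["time"])
        while times[0] < cutoff:  # drop failures older than the window
            times.popleft()
        tries = per_source[ev["source"]]
        tries.append((ev["time"], ev["user"]))
        while tries[0][0] < cutoff:
            tries.popleft()
        if len(times) >= rule["per_user"]:
            raise_once("repeated_failures_one_account", ev["user"])
        if len({user for _, user in tries}) >= rule["users_per_source"]:
            raise_once("one_source_many_accounts", ev["source"])
    return incidents

def make_event(minute, kind, user, source):
    return {"time": datetime(2024, 1, 1, 9, minute), "type": kind, "user": user, "source": source}

# Constructed sample events (not real logs).
SAMPLE = ([make_event(m, "failed_login", "alice", "10.0.0.5") for m in (0, 1, 2)]
          + [make_event(20 + i, "failed_login", u, "203.0.113.9")
             for i, u in enumerate(["bob", "carol", "dave", "erin"])]
          + [make_event(30, "malware_alert", "frank", "ws-042")])
```

Calling `triage(SAMPLE)` raises the many-accounts source and the malware alert, and leaves the three mistyped passwords alone.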

The importance of Incident Response Steps 

As with all plans, the main purpose is to ensure you’re prepared for ‘when’ an incident happens. The middle of a cyber security incident is not the time to be figuring out your plan for the first time. By that stage, it could already be too late if things escalate quickly.

When you create an Incident Response plan, it’s important to include every potential incident, no matter how big or small, in order to create a fully exhaustive plan. When a cyber security incident occurs, it’s a highly stressful situation. An incident response plan can help to reduce the stress in a high-pressure situation and ensure that containment and recovery are quickly executed.

When faced with a cyber security incident, response time is critical. 

Having an incident response plan in place ensures you minimise the damage as well as helping to guide future plans by recording the learnings. 

Industry Standard Incident Response Frameworks 

Knowing where to start with an incident response framework can be difficult. In the US, there are two institutes whose incident response steps have become industry standard and these same frameworks can be applied to businesses worldwide. 

NIST (National Institute of Standards and Technology) 

NIST are the ‘go-to’ institute when it comes to technology and as the name suggests, standards within technology. They are the current testing body for technologies such as facial recognition and iris recognition – areas where NEC have been ranked as the number one for accuracy. They work across a wide range of areas to do with technology, including cyber security and their industry standard incident response steps plan has become a widely adopted plan for businesses worldwide. 

The NIST Incident Response Process 

1.   Preparation 

2.   Detection and Analysis 

3.   Containment, Eradication, and Recovery 

4.   Post-Incident Activity 

SANS (SysAdmin, Audit, Network and Security) 

SANS are a private organisation that has specialised in security. They describe themselves as “a cooperative research and education organisation” and offer up a very similar incident response process to NIST. Their incident response framework is also widely adopted worldwide. 

The SANS Incident Response Process 

1.   Preparation 

2.   Identification 

3.   Containment 

4.   Eradication 

5.   Recovery 

6.   Lessons Learned 

As you can see, there are two extra steps in the SANS framework; however, these are simply point three of the NIST framework expanded into separate steps. Which framework you choose comes down to personal preference as you build out your own framework. If you are comfortable grouping ‘Containment, eradication and recovery’ into one step, then go with the NIST framework. If you prefer your incident response to be more granular, then the SANS framework may work better for you.

Steps in an Incident Response Plan using the NIST and SANS Frameworks 

Let’s take a closer look at each of the incident response steps in these two industry-standard frameworks so you can get an idea of the steps you need to include in your own plan. 

1.  Preparation 

Both plans include the same opening step: preparation. We’ve already touched on the importance of preparation and the first thing to do at this stage is to identify all your potential threat points and assets including (but not limited to): servers, networks, applications and critical endpoints. This needs to be an exhaustive list. The best-laid plans quickly fall down when you miss a potential threat point and don’t have a plan in place should a cyber security incident impact that asset. 

Once you have a complete list of all assets, rank them in order of importance and then monitor traffic patterns to give you a baseline which you can use for comparison later. 

It’s important to create a very clear communications plan at the planning stage. Who will be responsible for reporting potential cyber security threats and to whom? Then work out the chain of command from there (factoring in leave, absences and staff being off-premise). This chain of command becomes your critical response team and forms the backbone of the incident response plan. 

Company-wide buy-in is crucial

It’s crucial to get company-wide buy-in. Cyber security is the responsibility of every employee within an organisation, not simply the IT Manager and team. It’s important that all members of staff know who to report a potential cyber security threat to, and that there is a very clear chain of command from that point on.

Once you have prioritised your assets, you need to identify and determine the potential security events that could impact each asset and at what point these should be investigated. Create an incident response for each of these events and again, make sure this is exhaustive at the planning stage. 

Security simulations are an important part of the planning process. This enables you to check that chain of command communication is seamless and also helps to identify holes in your incident response plan which you can fix before any actual events occur. 

2.  Detection/Identification and Analysis 

As soon as the first report of a potential cyber security incident comes in, that’s when you need to kick into gear and start identifying the issue. Collect as much information as you can from the outset. The more information you have, the better equipped you will be to carry out your response. Determining the entry point and the breadth of the breach will be a crucial part of this identification stage so you can determine the response level. 

3.  Containment, Eradication and Recovery 

This is where the NIST and SANS frameworks diverge; however, the steps included are still identical. For ease, we’ve kept this to the NIST, single-step model.

Containment, as the name suggests, is all about containing the threat before it has the chance to spread. Early detection (through protection software) is a critical part of containment. Understanding where the threat came from and how big it is allows you to better contain the threat through a patch at the threat’s entry point. 

Eradication is all about removing the threat as quickly as possible. Depending on how well you managed the first stage of containment, eradication can involve removing the threat from one or multiple systems. 

Recovery is all about getting your systems back up and operational if they went down. If they didn’t, it’s all about getting back to business as usual and allowing you to get back to your day job. 

4.  Lessons Learned 

We really like the SANS step name for this final stage. Once you have contained, removed and recovered from the threat, it’s important to take as many learnings from the incident as possible and build these back into your incident response plan. 

This must involve a complete review from start to finish, from detection right through to recovery and including all the steps within your plan. Be super-critical during this review – it’s the only way to learn valuable lessons from the way the incident was handled.

Unfortunately, cyber-attacks are moving quickly so, despite all your best planning, there may still be incidents you simply can’t plan for. Keep a constant ear to the ground for new and emerging cyber security threats and try and incorporate as many of these as possible into your incident response planning. 


Here at NEC, we have a comprehensive suite of cyber security solutions. These offer a wide range of benefits that help organizations to protect their brand, value, and reputation against the ever-evolving threat landscape. We will work with you to put an incident response framework in place that is tailored for your business needs and provide the software solutions to support your framework. Talk to one of our team today about cyber security solutions for your business.
