Despite your best defenses, breaches happen. How you respond in the first hours determines whether an incident becomes a minor inconvenience or a catastrophic breach. This guide gives you the incident response fundamentals every organization needs.
The NIST Incident Response Lifecycle
The National Institute of Standards and Technology (NIST) defines four phases of incident response:
- Preparation — Building your capabilities before an incident
- Detection & Analysis — Identifying and understanding the incident
- Containment, Eradication & Recovery — Stopping the damage and restoring systems
- Post-Incident Activity — Learning from what happened
Phase 1: Preparation (Do This Before an Incident)
# Incident Response Plan essentials:
# Document these BEFORE an incident occurs:
1. Contact list with phone numbers (not just email — email might be compromised)
- Internal: IT lead, management, legal, PR
- External: Cyber insurance provider, forensics firm, legal counsel
- Law enforcement: FBI (1-855-292-3937), local police
2. Asset inventory
- What systems exist? Where are they? Who owns them?
- Without this, you can't scope an incident
3. Backup verification
- Where are backups? Are they tested? Are they offline?
- Confirm this now — not during a ransomware attack
4. IR playbooks for common scenarios
- Ransomware playbook
- Data breach playbook
- Phishing click playbook
5. Legal requirements
- What breach notification laws apply to you?
- GDPR: notify within 72 hours
- HIPAA: notify within 60 days
- Various US state laws (CA, NY, TX all have breach notification requirements)Phase 2: Detection and Analysis
Initial Signs of a Compromise
# Warning signs to investigate immediately:
# - Antivirus/EDR alerts you haven't seen before
# - Unusual network traffic (large outbound data, connections to unknown IPs)
# - Account lockouts or failed login spikes
# - Employees can't access their files (ransomware)
# - Unusual processes running on servers
# - New admin accounts you didn't create
# - Log gaps or deleted event logs (attacker covering tracks)
# Windows: Check for unusual processes and connections
# Suspicious network connections:
netstat -anob | findstr ESTABLISHED
# Running processes with network connections:
Get-Process | Where-Object {$_.MainWindowHandle -ne 0}
# Check for unusual scheduled tasks:
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"} | Format-List
# Linux: Check for unusual activity
# Running processes:
ps auxf | grep -v "[" | sort -k%cpu -rn | head 20
# Network connections:
ss -antup | grep ESTABLISHED
# Recently modified files (last 24 hours):
find / -mtime -1 -type f 2>/dev/null | grep -v /proc | grep -v /sysScoping the Incident
# Answer these questions to understand the scope:
# 1. When did it start? (check logs, file timestamps)
# 2. What systems are affected?
# 3. What data may have been accessed or exfiltrated?
# 4. Is the attacker still active?
# Check Windows Security Event Log for initial compromise:
# Event ID 4624 = Successful login
# Event ID 4625 = Failed login
# Event ID 4720 = New user account created
# Event ID 4732 = User added to privileged group
# Query PowerShell:
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = @(4624, 4720, 4732)
StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, Message | Format-ListPhase 3: Containment
# Containment strategies depend on the situation:
# Short-term containment (immediate):
# - Isolate affected systems from the network
# Linux: ip link set eth0 down
# Windows: netsh interface set interface "Ethernet" admin=disabled
# - Disable compromised accounts
# Active Directory: Disable-ADAccount -Identity compromised_user
# - Block attacker's known IP at firewall
# - Preserve evidence BEFORE making changes (take disk image first if possible)
# Evidence preservation commands:
# Windows memory dump:
winpmem.exe memory.dmp
# Linux memory dump:
sudo dd if=/proc/kcore of=/evidence/memory.dmp bs=1M
# Network packet capture (run before isolating):
tcpdump -i eth0 -w /evidence/capture.pcap
# Eradication (removing attacker presence):
# - Remove malware (use AV scan + manual inspection)
# - Delete unauthorized accounts
# - Remove persistence mechanisms:
# - Scheduled tasks
# - Registry run keys (Windows)
# - Cron jobs (Linux)
# - Modified system filesPhase 4: Recovery
# Recovery checklist:
# 1. Restore from clean backups (verify backups are from before compromise)
# 2. Rebuild compromised systems from scratch (preferred over "cleaning")
# 3. Patch the vulnerability that was exploited
# 4. Reset credentials for all potentially compromised accounts
# 5. Implement additional monitoring to detect re-compromise
# 6. Gradually reconnect systems, monitoring closely
# Validate recovery:
# - Run vulnerability scans on restored systems
# - Verify backup integrity
# - Confirm malware is not present
# - Monitor for 30 days post-recovery for signs of persistencePost-Incident: The Lessons Learned Meeting
# Within 2 weeks of resolution, hold a blameless post-mortem:
Questions to answer:
1. What happened exactly? (Timeline of events)
2. How was it detected? Was detection fast enough?
3. What was the initial entry point?
4. What could have prevented this?
5. What slowed our response?
6. What improvements do we commit to?
# Output: Documented findings + action items with owners and deadlines
# Share relevant findings with peers (ISACs for your industry)
# Update IR plan based on lessons learnedFree Incident Response Resources
- TheHive — Free open-source SOAR/case management platform for IR
- MITRE ATT&CK — attack.mitre.org — Framework mapping attacker techniques
- Velociraptor — Free endpoint visibility tool for IR investigations
- CISA Free IR Services — CISA offers free IR assistance to critical infrastructure organizations
- NIST SP 800-61r2 — Free Computer Security Incident Handling Guide from NIST
Wrap Up
The organizations that handle breaches best are those that prepared for them first. Build your IR plan, test it with tabletop exercises, ensure your backups work, and know who to call before you need them. When the alarm goes off at 3 AM, a practiced response saves hours and millions of dollars.