What Is Cybersecurity Incident Response?

Incident response is the cybersecurity process for detecting, containing and recovering from cyberattacks and data breaches.

Written by Anthony Corbo
Updated by Brennan Whitfield | Jul 18, 2025
Summary: Cybersecurity incident response is the process of containing and recovering from cyberattacks to reduce damage and downtime. It often follows four key phases — preparation, detection, containment and recovery, and post-incident review — and frequently includes a predefined response plan.

Incident response in cybersecurity is designed to minimize recovery time and costs after a system is compromised by a cyberattack.

What Is Incident Response in Cybersecurity?

Incident response in cybersecurity is the structured process organizations follow to detect, contain and recover from cyberattacks or data breaches. It helps minimize damage, reduce recovery time and costs and restore affected systems to normal operation.


Why Is Incident Response in Cybersecurity Important?

The main aim of incident response is to contain a cybersecurity threat and reduce the cost and recovery time associated with handling a data breach or cyberattack.

Any time a business deals with a data breach or security exploitation, a certain degree of fallout accompanies it. Incident response is initiated to mitigate the damage cybercriminals cause. It ensures that compromised systems are restored and secured, the root cause is addressed and security is reestablished.

Most often, companies institute an incident response plan well in advance of any incident to set guidelines for how to stabilize the business in an effective manner, as well as how to communicate the incident and the company’s response to stakeholders, customers and the general public.


NIST’s Four Phases of Incident Response

The National Institute of Standards and Technology (NIST) recognizes four lifecycle phases that companies work through once a data breach or cyberattack has been discovered. These phases include:

Phase 1: Preparation

The preparation phase involves the work that an organization does to prepare for an incident, including forming an incident response plan, establishing tools, identifying the personnel who will handle the incident and performing tabletop exercises and walkthroughs to ensure all stakeholders know their roles and responsibilities in the event of an incident.

Phase 2: Detection and Analysis

Detection and analysis starts the moment a company discovers that an incident has occurred and begins taking steps to identify its impact and how it occurred.

Phase 3: Containment, Eradication and Recovery

Containment, eradication and recovery is the phase in which the threat is removed from the system and the team mitigates the effects of the incident in the most effective way possible.

Phase 4: Post-Incident Activity

Finally, post-incident activity involves taking an in-depth look at both the incident and the response to prevent incidents from happening in the future.


Atlassian’s Incident Response Lifecycle

Atlassian recommends seven steps, known as the incident response lifecycle, for responding to compromised systems. These steps include:

1. Detect the Incident

Incident detection covers the monitoring processes, alerting tools or staff members that bring attention to an issue, leading to confirmation of an incident such as an attack or a breach.

2. Set Up Team Communication Channels

Setting up internal communication channels involves creating a place for all communication between incident response team members to occur, such as Slack channels or video conferencing links.

3. Assess the Impact and Apply a Severity Level

Next, teams will use detection tools and internal or external knowledge to assess the impact of the incident.

4. Communicate With Customers

From here, communication with customers and stakeholders is critical to maintain trust and ensure they can take any measures to protect themselves from data exposed by the breach. Note however that the timing of customer communication about the incident will depend on jurisdiction and legal advice.

5. Escalate to the Right Responders

The next step is to bring in any additional help required to reduce the damage of and time spent handling the incident.

6. Delegate Incident Response Roles

As the incident response teams assemble, roles are assigned so multiple parties may respond simultaneously.

7. Resolve the Incident

Finally, the team is focused on resolving the incident so that it is no longer impacting the business and stability returns. Teams then begin cleanup and response analysis measures.

Frequently Asked Questions

Incident response is the overall cybersecurity process for detecting, containing and recovering from cyberattacks or data breaches. It involves techniques to reduce damage, restore security and minimize recovery time and cost.

According to NIST, the four phases of incident response are:

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication and recovery
  4. Post-incident activity

Incident response is important in cybersecurity because it helps contain cybersecurity threats, reduce the cost and time of cyberattack recovery, stabilize compromised systems and ensure a structured response to cyberattacks or breaches. It also guides communication with stakeholders and customers following a cyberattack.
