
Incident Response Guidebook: All you need to know


Cybercrime has been gaining traction over recent years and is becoming the new reality for business enterprises all over the world. It is therefore not a matter of if a company will be targeted by cybercriminals, but when the attack will occur. Hence, it is prudent for all organizations to take a pre-emptive approach to handling and responding to cybercrime incidents in order to minimize downtime and damage costs. A cybercrime incident response plan, therefore, is a set of guidelines to be followed in the event of a security incident, such as a breach, to ensure data protection and privacy and to maintain business continuity.


5 Things that make up an Incident Response Plan 

Many organizations have an incident response team that is responsible for drawing up an incident response plan and executing it. A proper incident response plan will:

  • Define the controls involved in mitigating breaches and incidents and reducing their impact.
  • Ensure the organization has the ability and resources needed to combat security incidents, such as a specialized and professional team, or Cyber Incident Response Team (CIRT).
  • Establish how, at the occurrence of a security incident, the response team prioritizes what needs to be addressed immediately and what can be delayed.
  • Set out the scope of the response plan, as well as the response policy and the roles of all members of the response team.
  • Include all necessary procedures defining appropriate responses to incidents, as well as strategies for incident reporting in case the need arises to report incidents to authorities, depending on industry regulations.

4 Phases of an Incident Response Plan 

When an incident occurs, it is crucial to follow an incident response plan that lays out all the predefined processes and phases to follow. These phases ensure order in execution, since during a live incident a frenzy of activity can occur which reduces the effectiveness of the response. NIST models an incident response plan in four main phases: Planning (called Preparation in NIST's own terminology), Detection and Analysis, Containment, Eradication, and Recovery, and Post-Incident Activity:

  • Phase I: PLANNING – planning the procedures for responding to and mitigating security incidents.
  • Phase II: DETECTION AND ANALYSIS – scoping of the initial threat detection, monitoring of potentially malicious activity, and analysis of the threat. Threat detection is one of the most critical phases in the response plan, since this is where the type of response needed is analyzed and the necessary prioritization is decided.
  • Phase III: CONTAINMENT, ERADICATION, AND RECOVERY – developing an attack containment strategy, identifying all affected systems, mitigating the attack, documenting properly and collecting evidence, and developing a remediation and recovery procedure that returns operations to normal, thereby ensuring business continuity.
  • Phase IV: POST-INCIDENT ACTIVITY – reviewing the actions taken and lessons learned so that security measures can be improved, and having a plan for evidence retention.

How to Become a Certified Incident Handler 

“Organizations are looking for professional incident handlers and response personnel who can prepare security policies and plans to tackle incidents with efficacy in time-constrained scenarios in order to reduce the impact of incidents.” – Jay Bavisi, President of EC-Council Group.

Becoming an EC-Council Certified Incident Handler (ECIH) will accomplish just that. The ECIH teaches you the most current techniques in handling attacks; whether the attack is as small as a single compromised computer or spans an entire network, you will be prepared to stop it and prevent future ones. Not only that, but the ECIH will also teach the candidate to draft security policies with efficacy and ensure that the quality of services is maintained at the agreed levels.


What is AlienVault used for?

AlienVault USM Appliance is a self-hosted appliance option for organizations that require an on-premises solution. It provides security monitoring for physical and virtual on-premises infrastructure only. 

What is the incident handling process?

Incident response (IR) is a structured methodology for handling security incidents, breaches, and cyber threats. A well-defined incident response plan allows you to effectively identify an attack, minimize the damage, and reduce the cost of the attack, while finding and fixing its cause to prevent future attacks.

What should an incident response plan include?

An incident response plan often includes:

  • A list of roles and responsibilities for the incident response team members.
  • A business continuity plan.
  • A summary of the tools, technologies, and physical resources that must be in place.
