Module 7

Incident Response & Recovery

When the breach happens — not if — you need a plan. Here's the 6-step playbook that turns chaos into control, from detection to lessons learned.

3 AM. Your phone buzzes.

"We have a problem." The message is from your company's monitoring system. Unusual login activity detected — 47 accounts accessed from an IP address in Eastern Europe in the last 20 minutes. Customer data is being exfiltrated. Right now.

What do you do? Do you shut down the servers? Call the CEO? Contact the FBI? Start investigating? All of the above?

If you do not have an incident response plan, the answer is panic. And panic is exactly what turns a containable incident into a headline-making disaster.

The companies that survive breaches are not the ones that never get hacked (everyone gets hacked). They are the ones that had a plan, practiced it, and executed it under pressure — like a fire drill, except the building is actually on fire.

💡 What you'll walk away with
By the end of this module you will be able to walk through the six NIST incident response phases, explain why preparation determines 90% of success, design a tabletop exercise for your team, build a skeleton IR plan for a 100-person company, and articulate why lessons learned — the phase most teams skip — is the most important one. This is the playbook that turns chaos into control.

258 days: average time to detect a breach (IBM, 2024)

5M: average cost of a data breach in USD (IBM, 2024)

54%: lower cost with an IR team and tested plan (IBM, 2024)

What is incident response?

In the previous module, you learned that frameworks like NIST, SOC 2, and ISO 27001 all require a documented incident response plan. You also saw in Module 1 that defense in depth includes an "escape plan" — the rehearsed response to a breach. This module is that escape plan in full detail.

Incident response (IR) is the organized approach to addressing and managing a security breach or cyberattack. The goal: minimize damage, reduce recovery time, and learn from the incident to prevent it from happening again.

Think of it as emergency medicine for computers. When someone has a heart attack, paramedics do not improvise. They follow a protocol: assess, stabilize, transport, treat. Incident response is the same — a rehearsed sequence that works under pressure because you have practiced it when things were calm.

There Are No Dumb Questions

Does every company need an incident response plan?

Yes. It does not matter if you are 5 employees or 50,000. If you use technology and store data, you will face a security incident. The question is not "if" but "when" — and whether you will be ready.

What counts as a "security incident"?

Any event that threatens the confidentiality, integrity, or availability of your data or systems. This includes: unauthorized access, malware infection, data breach, DDoS attack, insider threat, ransomware, phishing success, lost/stolen device with sensitive data, and more.

The 6 phases of incident response

The NIST framework defines six phases. Every IR plan follows this structure:

1. Preparation — Build the team, write the plan, set up tools, and practice BEFORE an incident happens. This is 90% of IR success.

2. Detection & Analysis — Identify that something is wrong. Determine the scope: what systems, what data, how bad?

3. Containment — Stop the bleeding. Isolate affected systems so the attack cannot spread. Short-term (disconnect the server) and long-term (patch the vulnerability).

4. Eradication — Remove the threat completely. Delete malware, close backdoors, patch the vulnerability that was exploited.

5. Recovery — Restore systems to normal operation. Verify they are clean. Monitor closely for any sign the attacker is still present.

6. Lessons Learned — The most important phase that most teams skip. What happened? Why? What would we do differently? Update the plan.

Phase 1: Preparation

This is where 90% of IR success is determined — BEFORE anything happens.

Preparation element: what it means

  • IR team: Who is on the team? Who leads? Who communicates externally?
  • Contact list: Phone numbers for the IR team, management, legal, PR, law enforcement, and cyber insurance
  • Playbooks: Step-by-step guides for common scenarios (ransomware, data breach, insider threat)
  • Tools: Forensic tools, log analysis, backup verification, communication channels
  • Training: Regular tabletop exercises (walk through a scenario as a team)
  • Legal readiness: Know your notification obligations (72 hours under GDPR; varies by US state)

🔑 Tabletop exercises
A tabletop exercise is like a fire drill for cybersecurity. The team gathers, someone describes a scenario ("An employee clicked a phishing link, and now ransomware is spreading"), and each person walks through what they would do. No actual systems are involved — it is purely a discussion exercise. Teams that do this quarterly respond 50% faster to real incidents.

Phases 2-5: When it happens

Detection

Here is what a real breach timeline looks like — notice how long attackers stay hidden:

Most breaches are not detected by the victim. They are reported by a third party (law enforcement, a customer, a security researcher). The average detection time is 258 days. That means attackers have been inside your network for 9 months before you notice.

Detection tools:

  • SIEM (Security Information and Event Management) — aggregates logs, spots anomalies
  • EDR (Endpoint Detection and Response) — monitors devices for suspicious behavior
  • IDS/IPS — monitors network traffic for known attack patterns
  • User reports — sometimes the alert is "my files are encrypted and there is a ransom note"
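One way the SIEM rule behind the module's opening scenario could work, as an added example that is not part of the course: a sliding-window count of distinct accounts successfully logged in from a single source IP, run over constructed sample log lines (the log field layout, the 20-minute window and the alert threshold are assumptions).

```python
"""Flag one source IP that logs into many distinct accounts within a time window.

Added example, not course material: a minimal SIEM-style rule for the module's
3 AM scenario (47 accounts from one IP in 20 minutes). Log lines are
constructed for the example; the field layout and threshold are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse(line):
    # Assumed layout: "<ISO timestamp> <source ip> <account> <outcome>"
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def find_account_spray(lines, window=timedelta(minutes=20), threshold=10):
    """Return {ip: peak distinct accounts seen within `window`} for IPs at or
    above `threshold`. Only successful logins count (accounts actually accessed)."""
    alerts = {}
    recent = defaultdict(deque)  # ip -> deque of (timestamp, account) inside window
    for ts, ip, user, outcome in sorted(map(parse, lines), key=lambda e: e[0]):
        if outcome != "success":
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), distinct)
    return alerts


def constructed_log():
    """Constructed sample events: a burst of 47 accounts from one IP, an older
    login from the same IP that falls outside the window, and benign traffic."""
    base = datetime(2024, 5, 14, 2, 0)
    lines = ["2024-05-14T01:10:00 203.0.113.7 user00 success"]
    lines += [f"{(base + timedelta(seconds=25 * i)).isoformat()} 203.0.113.7 user{i:02d} success"
              for i in range(47)]
    lines += ["2024-05-14T02:05:00 198.51.100.9 carol success",
              "2024-05-14T02:06:30 198.51.100.9 carol success",
              "2024-05-14T02:07:00 192.0.2.44 dave failure"]
    return lines


if __name__ == "__main__":
    for ip, n in find_account_spray(constructed_log()).items():
        print(f"ALERT {ip}: {n} distinct accounts within 20 minutes")
```

A real deployment would tune the threshold per environment (shared NAT addresses and VPN egress points legitimately show many accounts from one IP) and feed the alert into the Detection & Analysis step rather than act on it automatically.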

Containment

The first instinct is to shut everything down. Resist it. Shutting down servers destroys forensic evidence. Instead:

Panic response

  • Shut down all servers
  • Wipe everything and rebuild
  • Post on social media
  • Call everyone in the company

Controlled containment

  • Isolate affected systems from the network
  • Preserve evidence for forensic analysis
  • Notify IR team lead and legal
  • Communicate only through secure channels

Eradication and Recovery

Once contained, remove the threat completely. This means deleting malware, closing backdoors, revoking compromised credentials, and patching the vulnerability that was exploited. Then restore from clean backups — backups that you have verified are not also compromised.

Monitor intensely for 30-90 days after recovery. Sophisticated attackers often plant multiple backdoors. If you only find one, they walk right back in through the other.

There Are No Dumb Questions

Should we pay the ransom in a ransomware attack?

Law enforcement generally advises against paying. Paying funds criminal organizations, and there is no guarantee you will get your data back — some attackers take the payment and disappear. However, some organizations pay because the alternative (weeks of downtime, lost data, potential loss of life in healthcare settings) is worse. The best answer: have backups tested and ready so you never face this decision.

When do we need to notify law enforcement?

It depends on what was compromised and where you operate. GDPR requires notification to supervisory authorities within 72 hours. US state breach notification laws vary — some require notification within 30 days, others 60. HIPAA requires notifying HHS and affected individuals within 60 days. Your IR plan should have a legal checklist for notification obligations. When in doubt, notify early — regulators punish delayed notification more harshly than the breach itself.

Classify the IR Phase

For each action, identify which incident response phase it belongs to. Categories: Preparation | Detection | Containment | Eradication | Recovery | Lessons Learned

1. A security analyst notices unusual login patterns in the SIEM dashboard at 2 AM → ___

2. The IR team disconnects the compromised server from the network → ___

3. Engineers delete the malware binary and revoke all compromised API keys → ___

4. The team conducts a quarterly tabletop exercise simulating a ransomware attack → ___

5. Systems are restored from last night's backup and monitored for 30 days → ___

6. The post-incident report recommends adding MFA to all service accounts → ___

Hint: Detection is about spotting the problem. Containment is about stopping the spread. Eradication removes the threat. Preparation happens before any incident. Recovery restores normal operations. Lessons Learned improves the plan.

Incident Response Scenario

It is Tuesday afternoon. A user reports that all the files on their desktop have been renamed to `.encrypted` and a text file demands 2 Bitcoin for decryption. Walk through the 6 IR phases for this ransomware attack:

1. What preparation should have been in place?

2. How would you detect and confirm this is ransomware?

3. What is your immediate containment action?

4. How do you eradicate the ransomware?

5. How do you recover the files?

6. What lessons learned would you document?

Phase 6: Lessons learned (the one everyone skips)

After the crisis is over, everyone wants to move on. Do not let them. The post-incident review is where you prevent the NEXT incident.

Questions to answer:

  • What happened? (timeline of events)
  • How did the attacker get in?
  • How long were they inside before detection?
  • What worked in our response? What did not?
  • Were our playbooks adequate? What was missing?
  • What technical changes do we need? (patching, segmentation, monitoring)
  • What process changes do we need? (training, access controls, communication)
  • Do we need to update our IR plan?

⚠️ No blame, only improvement
The post-incident review is NOT about blaming the employee who clicked the phishing link. It is about understanding why the phishing email reached them, why their click led to a breach, and what systemic controls would prevent it next time. Blame culture drives incidents underground. Learning culture prevents them.

Build your IR plan

You are the new IT security lead at a 100-person company. They have never had an incident response plan. Create the skeleton:

1. Who is on your IR team? (list 5 roles)

2. What 3 scenarios do you write playbooks for first?

3. What tools do you need?

4. How often will you run tabletop exercises?

5. What is your communication plan? (who gets told what, when)

6. What is your first call: legal, management, or technical?

Back to the 3 AM phone call

Forty-seven accounts accessed from Eastern Europe. Customer data being exfiltrated in real time. With an incident response plan, the sequence is clear: the on-call analyst (Detection) identifies the anomaly, calls the IR lead, and the team isolates the affected systems within minutes (Containment). Forensics captures memory images and logs before anything is wiped. Legal checks notification obligations. PR prepares a holding statement. The breach is contained, the attacker is locked out, and evidence is preserved for law enforcement.

Without a plan, that same 3 AM phone call produces panic. Someone shuts down the servers and destroys the forensic evidence. Nobody knows who to call. The CEO finds out from Twitter. By morning, the breach is a headline.

The difference between these two outcomes is not technology — it is preparation. The companies that survive breaches are not the ones that never get hacked; they are the ones that practiced the fire drill before the building caught fire.

Key takeaways

  • Incident response is the organized approach to handling security breaches — like emergency medicine for computers
  • The 6 NIST phases: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned
  • Preparation is 90% of success — build the team, write playbooks, practice with tabletop exercises
  • Average breach takes 258 days to detect — invest in SIEM, EDR, and monitoring
  • Contain first, then eradicate — do not destroy evidence by shutting everything down
  • Lessons learned is the most important phase — no blame, only improvement
  • Companies with tested IR plans save 54% on breach costs

Next up: You have now learned every pillar of cybersecurity — threats, networks, cryptography, identity, frameworks, and incident response. The final module maps it all to a career. You will discover the eight major cybersecurity roles, the certification roadmap from Security+ to CISSP, five paths to break into the field without a CS degree, and how to build your first 90-day plan.

Knowledge Check

1. What is the most important phase of incident response?

2. Why should you NOT immediately shut down all servers during a breach?

3. What is a tabletop exercise?

4. What is the purpose of the Lessons Learned phase?
