Cybersecurity Fundamentals
Module 7

Incident Response & Recovery

When the breach happens — not if — you need a plan. Here's the 6-step playbook that turns chaos into control, from detection to lessons learned.

3 AM. Your phone buzzes.

"We have a problem." The message is from your company's monitoring system. Unusual login activity detected — 47 accounts accessed from an IP address in Eastern Europe in the last 20 minutes. Customer data is being exfiltrated. Right now.

What do you do? Do you shut down the servers? Call the CEO? Contact the FBI? Start investigating? All of the above?

If you do not have an incident response plan, the answer is panic. And panic is exactly what turns a containable incident into a headline-making disaster.

The companies that survive breaches are not the ones that never get hacked (everyone gets hacked). They are the ones that had a plan, practiced it, and executed it under pressure — like a fire drill, except the building is actually on fire.

  • 258 days: average time to detect a breach (IBM, 2024)
  • 5M: average cost of a data breach in USD (IBM, 2024)
  • 54%: lower cost with an IR team and tested plan (IBM, 2024)

What is incident response?

Incident response (IR) is the organized approach to addressing and managing a security breach or cyberattack. The goal: minimize damage, reduce recovery time, and learn from the incident to prevent it from happening again.

Think of it as emergency medicine for computers. When someone has a heart attack, paramedics do not improvise. They follow a protocol: assess, stabilize, transport, treat. Incident response is the same — a rehearsed sequence that works under pressure because you have practiced it when things were calm.

There Are No Dumb Questions

Does every company need an incident response plan?

Yes. It does not matter if you are 5 employees or 50,000. If you use technology and store data, you will face a security incident. The question is not "if" but "when" — and whether you will be ready.

What counts as a "security incident"?

Any event that threatens the confidentiality, integrity, or availability of your data or systems. This includes: unauthorized access, malware infection, data breach, DDoS attack, insider threat, ransomware, phishing success, lost/stolen device with sensitive data, and more.

The 6 phases of incident response

The NIST framework defines six phases. Every IR plan follows this structure:

1. Preparation — Build the team, write the plan, set up tools, and practice BEFORE an incident happens. This is 90% of IR success.

2. Detection & Analysis — Identify that something is wrong. Determine the scope: what systems, what data, how bad?

3. Containment — Stop the bleeding. Isolate affected systems so the attack cannot spread. Short-term (disconnect the server) and long-term (patch the vulnerability).

4. Eradication — Remove the threat completely. Delete malware, close backdoors, patch the vulnerability that was exploited.

5. Recovery — Restore systems to normal operation. Verify they are clean. Monitor closely for any sign the attacker is still present.

6. Lessons Learned — The most important phase that most teams skip. What happened? Why? What would we do differently? Update the plan.

Phase 1: Preparation

This is where 90% of IR success is determined — BEFORE anything happens.

Preparation elements and what they mean:

  • IR team: Who is on the team? Who leads? Who communicates externally?
  • Contact list: Phone numbers for the IR team, management, legal, PR, law enforcement, and cyber insurance
  • Playbooks: Step-by-step guides for common scenarios (ransomware, data breach, insider threat)
  • Tools: Forensic tools, log analysis, backup verification, communication channels
  • Training: Regular tabletop exercises (walk through a scenario as a team)
  • Legal readiness: Know your notification obligations (72 hours under GDPR; varies by US state)

🔑 Tabletop exercises
A tabletop exercise is like a fire drill for cybersecurity. The team gathers, someone describes a scenario ("An employee clicked a phishing link, and now ransomware is spreading"), and each person walks through what they would do. No actual systems are involved — it is purely a discussion exercise. Teams that do this quarterly respond 50% faster to real incidents.

Phases 2-5: When it happens

Detection

Most breaches are not detected by the victim. They are reported by a third party (law enforcement, a customer, a security researcher). The average detection time is 258 days. That means attackers have been inside your network for 9 months before you notice.

Detection tools:

  • SIEM (Security Information and Event Management) — aggregates logs, spots anomalies
  • EDR (Endpoint Detection and Response) — monitors devices for suspicious behavior
  • IDS/IPS — monitors network traffic for known attack patterns
  • User reports — sometimes the alert is "my files are encrypted and there is a ransom note"
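A SIEM rule of the kind the list above describes, written here as an added example (not part of the course material): it scans constructed authentication log lines and raises an alert when one source IP successfully logs into many distinct accounts inside a short window, which is exactly the signal in the module's 3 AM scenario. The log format, the sample addresses (documentation ranges) and the threshold are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample authentication log (not from any real system).
# Assumed line format: "<ISO-8601 UTC time> <event> user=<account> src=<ip>"
SAMPLE_LOG = """\
2026-03-10T03:00:05Z login_ok user=alice src=198.51.100.23
2026-03-10T03:01:12Z login_ok user=bob src=203.0.113.9
2026-03-10T03:02:40Z login_ok user=carol src=203.0.113.9
2026-03-10T03:03:15Z login_fail user=root src=203.0.113.9
2026-03-10T03:04:01Z login_ok user=dave src=203.0.113.9
2026-03-10T03:09:33Z login_ok user=erin src=203.0.113.9
2026-03-10T03:15:20Z login_ok user=frank src=203.0.113.9
2026-03-10T03:30:44Z login_ok user=alice src=198.51.100.23
"""
@dataclass
class Alert:
    src: str
    accounts: tuple      # distinct accounts the source logged into
    first_seen: datetime
    last_seen: datetime

def parse_line(line):
    ts, event, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_account_spray(log_text, window=timedelta(minutes=20), threshold=5):
    """Alert when one source IP successfully logs into >= threshold distinct
    accounts within `window` (the module's 47-accounts-in-20-minutes signal)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, event, user, src = parse_line(line)
        if event == "login_ok":          # only successful logins count
            by_src[src].append((ts, user))
    alerts = []
    for src, events in sorted(by_src.items()):
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward so events[start:end+1] fit in it
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {u for _, u in events[start:end + 1]}
            if len(accounts) >= threshold:
                alerts.append(Alert(src, tuple(sorted(accounts)),
                                    events[start][0], events[end][0]))
                break                    # one alert per source is enough
    return alerts
```

The threshold is deliberately low for the sample data; in production it would be tuned against the normal number of accounts a shared egress IP (VPN, office NAT) legitimately produces.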

Containment

The first instinct is to shut everything down. Resist it. Shutting down servers destroys forensic evidence. Instead:

✗ What not to do

  • Shut down all servers
  • Wipe everything and rebuild
  • Post on social media
  • Call everyone in the company

✓ What to do

  • Isolate affected systems from the network
  • Preserve evidence for forensic analysis
  • Notify the IR team lead and legal
  • Communicate only through secure channels

Eradication and Recovery

Once contained, remove the threat (delete malware, revoke compromised credentials, patch vulnerabilities) and restore from clean backups. Monitor intensely for 30-90 days — attackers often have backup access methods.

Incident response scenario

It is Tuesday afternoon. A user reports that all the files on their desktop have been renamed to `.encrypted` and a text file demands 2 Bitcoin for decryption. Walk through the 6 IR phases for this ransomware attack:

1. What preparation should have been in place?
2. How would you detect and confirm this is ransomware?
3. What is your immediate containment action?
4. How do you eradicate the ransomware?
5. How do you recover the files?
6. What lessons learned would you document?

Phase 6: Lessons learned (the one everyone skips)

After the crisis is over, everyone wants to move on. Do not let them. The post-incident review is where you prevent the NEXT incident.

Questions to answer:

  • What happened? (timeline of events)
  • How did the attacker get in?
  • How long were they inside before detection?
  • What worked in our response? What did not?
  • Were our playbooks adequate? What was missing?
  • What technical changes do we need? (patching, segmentation, monitoring)
  • What process changes do we need? (training, access controls, communication)
  • Do we need to update our IR plan?

⚠️ No blame, only improvement
The post-incident review is NOT about blaming the employee who clicked the phishing link. It is about understanding why the phishing email reached them, why their click led to a breach, and what systemic controls would prevent it next time. Blame culture drives incidents underground. Learning culture prevents them.

Build your IR plan

You are the new IT security lead at a 100-person company. They have never had an incident response plan. Create the skeleton:

1. Who is on your IR team? (list 5 roles)
2. What 3 scenarios do you write playbooks for first?
3. What tools do you need?
4. How often will you run tabletop exercises?
5. What is your communication plan? (who gets told what, when)
6. What is your first call: legal, management, or technical?

Back to the 3 AM phone call

Forty-seven accounts accessed from Eastern Europe. Customer data being exfiltrated in real time. If your team had an incident response plan — roles assigned, playbooks written, communication templates ready — the first call would have been to the IR lead, containment would have started within minutes, and evidence would have been preserved for the investigation. Without a plan, that 3 AM phone call produces panic, and panic is what turns a containable incident into a headline. The companies that survive breaches are not the ones that never get hacked; they are the ones that practiced the fire drill before the building caught fire.

Key takeaways

  • Incident response is the organized approach to handling security breaches — like emergency medicine for computers
  • The 6 NIST phases: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned
  • Preparation is 90% of success — build the team, write playbooks, practice with tabletop exercises
  • Average breach takes 258 days to detect — invest in SIEM, EDR, and monitoring
  • Contain first, then eradicate — do not destroy evidence by shutting everything down
  • Lessons learned is the most important phase — no blame, only improvement
  • Companies with tested IR plans save 54% on breach costs

Knowledge Check

1. What is the most important phase of incident response?

2. Why should you NOT immediately shut down all servers during a breach?

3. What is a tabletop exercise?

4. What is the purpose of the Lessons Learned phase?
