Learning Center June 24, 2022

6 Incident Response Best Practices You Should Follow

When it comes to cybersecurity, organizations need to be well-prepared for what comes next. Not only are cybercriminals leveraging ever more advanced technology, but the cost of a breach, in terms of money, reputation, and damage, is on the rise. Mitigating risk requires having a robust incident response plan in place and dedicated team members on standby.

In this blog, we will explore the following top incident response best practices:

1. Prepare systems and procedures

2. Identify security incidents

3. Contain incident activities and attackers

4. Eradicate threats and re-entry options

5. Recover from incidents

6. Educate and improve future incident response efforts

Let’s take a closer look.

What is incident response and why is it important?

The first line of defense against a cyber attack comes in the form of prevention. Security teams use encryption, passwords, anti-malware, firewalls, and other tools to keep bad actors at bay. No defense is perfect, however, and even the best forms of protection are subject to a breach. This is where incident response comes in.

Incident response refers to the collection of active measures taken during a breach to halt the attack and mitigate the damage. It requires access to real-time notifications or alerts that signal an active threat, followed by a pre-planned set of steps subsequently taken in order to minimize the impact of the breach, protect data, and secure the network again.

It’s vital that incident response plans be developed well in advance of a threat because every second counts when a breach is actively occurring. Attacks can wreak more and more havoc with each passing moment, costing thousands of dollars and compromising critical data. The sooner it is stopped, the smaller the fallout.

Who is responsible for incident response?

Incident response typically falls under the purview of a pre-defined incident response team. Within the team, roles are assigned based on need. This team may consist of security analysts, IT managers, threat researchers, risk management advisors, legal representatives, and even external or third-party security experts.

In addition to enacting preventative measures such as resolving system vulnerabilities and enforcing security policies, the incident response team is responsible for developing a robust incident response plan. This plan should detail who will do what in the event of an attack. It’s important to assign roles based on availability so that the right people are able to take action no matter when an attack occurs.

6 best practices for effective incident response

As we mentioned above, incident response starts by having a plan. Here, we’ve outlined the necessary steps to follow when developing an effective incident response strategy.

1. Prepare systems and procedures

Preparation and planning go a long way during an active threat. Start by building your incident response team and having them prepare an incident response plan.

Building out your incident response team includes identifying who will take on what role during a threat based on schedules and skills. There should always be someone identified as the go-to person regardless of what time a threat occurs so that precious minutes aren’t wasted figuring out who to call.

Preparing an incident response plan may include building on existing incident response knowledge and should clearly outline what procedures to enact during a threat. It’s often advisable to break the plan down into different threat-specific playbooks that prescribe exactly what to do for each scenario. These playbooks should be regularly updated and made accessible to anyone who might need them at a moment’s notice.

2. Identify security incidents

Identifying security incidents is a two-part activity. The first part consists of identifying potential threats so that a plan of response can be developed in advance. The second part involves using appropriate tools and monitoring software so active incidents are identified in real-time, and mitigation can begin as soon as possible.

But identifying active threats isn’t always as easy as it sounds. It’s not like cybercriminals want to be found, after all. Often, the clues are indirect and come in the form of unusual usage patterns that require advanced software to identify. However, if detection is tuned too sensitively, the incident response team may receive so many “false alarms” that they overlook the real one when it arrives.
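To make the sensitivity trade-off concrete, here is a small failed-login detector run over a few constructed SSH log lines. It is an added example, not SecurityScorecard’s code or tooling: the log format, hosts, usernames and addresses are invented, and the sliding-window rule (N failures from one source within 60 seconds) is a common illustrative heuristic rather than a prescribed one. With a threshold of 2 it pages the team for a user who mistyped a password twice; with a threshold of 5 it still catches the sustained burst from a single source.

```python
"""Added example (not the page's or SecurityScorecard's code): a sliding-window
failed-login detector over constructed log lines, showing how threshold choice
drives false alarms versus missed incidents."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a syslog-like format. Hosts, users and
# addresses are invented for this example (10.0.0.x legitimate, 203.0.113.7 noisy).
SAMPLE_LOG = """\
2022-06-24T09:00:01 sshd[101]: Failed password for alice from 10.0.0.5 port 51000
2022-06-24T09:00:09 sshd[101]: Failed password for alice from 10.0.0.5 port 51001
2022-06-24T09:00:15 sshd[101]: Accepted password for alice from 10.0.0.5 port 51002
2022-06-24T09:01:00 sshd[102]: Failed password for root from 203.0.113.7 port 40000
2022-06-24T09:01:02 sshd[102]: Failed password for admin from 203.0.113.7 port 40001
2022-06-24T09:01:04 sshd[102]: Failed password for test from 203.0.113.7 port 40002
2022-06-24T09:01:06 sshd[102]: Failed password for oracle from 203.0.113.7 port 40003
2022-06-24T09:01:08 sshd[102]: Failed password for guest from 203.0.113.7 port 40004
2022-06-24T09:01:10 sshd[102]: Failed password for user from 203.0.113.7 port 40005
2022-06-24T09:05:00 sshd[103]: Failed password for bob from 10.0.0.9 port 52000
2022-06-24T09:05:30 sshd[103]: Accepted password for bob from 10.0.0.9 port 52001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_failed_login_bursts(log_text, threshold, window_seconds=60):
    """Flag a source IP once it produces `threshold` failed logins within any
    `window_seconds` span. Returns {ip: peak number of failures in a window}."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, ip = parsed
        if result != "Failed":
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(window))
    return alerts


if __name__ == "__main__":
    # threshold=2 flags alice's two typos as well as the burst (a false alarm);
    # threshold=5 flags only the burst from 203.0.113.7.
    for threshold in (2, 5):
        print(f"threshold={threshold}: {detect_failed_login_bursts(SAMPLE_LOG, threshold)}")
```

The point is not the specific numbers but the process: a detection rule should be tuned against samples of known-benign activity (users with typos) and known-bad patterns, and the resulting alert volume reviewed before it is wired into an on-call rotation.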

3. Contain incident activities and attackers

During an active attack, the top priority is to contain the nefarious activities and the attacker to protect as much of your existing data and network as possible. This requires rapid triage to assess the severity and prioritize the most valuable and vulnerable assets. This may require shutting down certain systems or segmenting those portions of the network under attack. In essence, the goal is to stop the spread first and foremost before directly addressing the threat itself.

4. Eradicate threats and re-entry options

Once the threat is contained, the incident response team can then focus on eradicating it. This may involve identifying and deleting malware, applying updates and patches, deploying a more restrictive and secure configuration, and more. If the means of attack and the location of the vulnerability can be identified at this stage, then closing up any holes or back doors should also be a priority.

5. Recover from incidents

With the threat eradicated, it is then time to assess the fallout. If the response to the threat was robust and rapid enough, it’s possible that recovery is nearly instant. If data was stolen or held for ransom, however, there may be financial consequences and breach of compliance issues to address. Deleted, encrypted, or otherwise corrupted data may need to be restored from backups if available.

6. Educate and improve future incident response efforts

Each time there is a breach or a threat, it is an opportunity to learn from experience and apply it to future security efforts. For example, if a breach occurred due to an employee clicking a suspicious link or falling for a phishing attack, then educating all employees on how to identify such threats is judicious. Lessons learned from how the attack was mitigated can also be applied to existing incident response playbooks to improve these strategies and eliminate risks moving forward.

Top incident response frameworks

Various incident response frameworks have been generated by teams of experts to help organizations better prepare for and respond to attacks. Two of the most popular incident response frameworks are the National Institute of Standards and Technology (NIST) cybersecurity framework and Sysadmin, Audit, Network, and Security (SANS).


NIST is a branch of the U.S. Department of Commerce that’s been around for over a century. Its mission is “to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.” To that end, NIST developed a cybersecurity framework that organizations can use to mitigate risk and make use of the latest advances in cybersecurity.

The NIST cybersecurity framework provides accessible guidance based on existing standards and best practices. This guidance is designed to be adaptable to a variety of technologies, lifecycle phases, and sectors. It consists of a cycle of five phases: identify, protect, detect, respond, and recover.


SANS is a private cooperative launched in 1989 with the goal of educating cybersecurity professionals. The organization offers classes and certifications which promote the latest skills and information about cybersecurity practices. The SANS cybersecurity framework is similar to NIST, but consists of six phases: preparation, identification, containment, eradication, recovery, and lessons learned.

Incident Response with SecurityScorecard

With the acquisition of LIFARS, SecurityScorecard Incident Response and professional services enable businesses to take immediate action towards identifying, resolving, and mitigating future risks. The initial 24 hours after a breach are vital. With SecurityScorecard, your business can take advantage of our 24/7 services where we will find the root cause and eliminate it. From there, our digital forensics team discovers all compromised information, giving you the information you need to take the necessary next steps. The sooner an incident is reported, the better. Learn how SecurityScorecard can help you respond to future threats and request a demo today.