What is Cybersecurity Incident Response Management and Best Practices


As cyberattacks continue to grow in volume, diversity and sophistication, and become more disruptive and damaging, organizations must be prepared to handle them effectively.


In addition to implementing effective security solutions and practices, they need the ability to quickly identify and address attacks, thereby keeping damage, disruption, and costs to a minimum.


Every IT system is a potential target for a cyber attack, and most people agree that it is not a question of if, but when it will happen. However, the impact varies depending on how quickly and how effectively you address the issue, hence the need to be prepared to respond to incidents.


A cybersecurity incident response (IR) refers to a series of processes that an organization carries out to address an attack on its IT systems. This requires a combination of the right hardware and software tools, as well as practices such as proper planning, procedures, training, and support from everyone in the organization.

Best practices before, during and after security incidents

When a cyberattack occurs, multiple activities can take place simultaneously, and this can be hectic when there is no proper coordination or incident handling procedures.

However, preparing ahead of time and establishing a clear and easy-to-understand incident response plan and policies allows security teams to work in harmony. This allows them to focus on critical tasks that limit potential damage to their IT systems, data, and reputation, as well as avoiding unnecessary business interruptions.

Prepare an incident response plan

An incident response plan documents the steps to take in the event of an attack or any other security problem. Although the actual steps may vary depending on the environment, a typical process based on the SANS framework (SysAdmin, Audit, Network and Security) includes preparation, identification, containment, elimination, recovery, incident notification and incident review.

[Figure: Incident Response Process Flow (based on the NIST template); image from NIST]

Preparation includes developing a plan with relevant information and the actual procedures that the Computer Incident Response Team (CIRT) will follow to address the incident.

These include:

  • The specific teams and individuals who are responsible for each step of the incident response process.
  • A definition of what constitutes an incident, including which events justify which kind of response.
  • The critical data and systems that require more protection and safeguarding.
  • A way to preserve the state of affected systems for forensic purposes.
  • Procedures for determining when and whom to notify about a security problem. When an incident occurs, it may be necessary to inform affected users, customers, law enforcement, etc., but this will differ from industry to industry and case to case.

An incident response plan should be easy to understand and implement, and aligned with the organization's other plans and policies. However, the strategy and approach may differ between industries, teams, threats, and potential damages. Regular testing and updates ensure the plan remains valid and effective.

Incident response steps when a cyber attack occurs

Once there is a security incident, teams must act quickly and efficiently to contain it and prevent it from spreading to clean systems. The following are best practices for addressing security issues. However, these may differ depending on the environment and structure of an organization.

Assemble or involve the IT incident response team

Make sure that the multidisciplinary CIRT, whether internal or external, has the right people with the right skills and experience. From these, select a team leader who will be the focal person for giving direction and making sure the response goes according to plan and deadlines. The leader will also work hand in hand with management, especially when important decisions need to be made regarding operations.

Identify the incident and establish the type and origin of the attack

At any sign of a threat, the IR team must act quickly to verify whether it really is a security issue, internal or external, while ensuring that it is contained as quickly as possible. Typical ways to determine that there is a problem include, but are not limited to:

  • Alerts from security monitoring tools, malfunctions within systems, unusual behavior, unexpected or unusual file modifications, copies or downloads, etc.
  • Reports from users, system or network administrators, security personnel, or external partners or customers.
  • Audit logs with signs of unusual user or system behavior, such as multiple failed login attempts, large file downloads, high memory usage, and other anomalies.
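The log-based signals in this list can be checked automatically. The following is an added example, not code from the original article: it scans constructed audit-log lines for repeated failed logins within a short window and for unusually large downloads; the log format, thresholds and window size are assumptions.

```python
"""Added example (not from the original article): scan constructed audit-log
lines for repeated failed logins and unusually large downloads."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in an assumed syslog-like format (not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:04 auth user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:07 auth user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:09 auth user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:12 auth user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:15 auth user=alice src=10.0.0.5 result=OK
2024-03-01T11:02:00 download user=alice file=/share/customers.db bytes=2147483648
2024-03-01T11:05:00 download user=carol file=/share/report.pdf bytes=204800
"""

AUTH_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(\S+)$")
DL_RE = re.compile(r"^(\S+) download user=(\S+) file=(\S+) bytes=(\d+)$")

def find_brute_force(log, threshold=5, window=timedelta(minutes=5)):
    """Return (user, src) pairs with >= threshold failures inside any window."""
    failures = defaultdict(list)
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group(4) == "FAIL":
            failures[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    hits = []
    for key, times in failures.items():
        times.sort()
        # Sliding window: from each failure, count the failures that follow within `window`.
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                hits.append(key)
                break
    return hits

def find_large_downloads(log, limit_bytes=1 << 30):
    """Return (user, file, bytes) for downloads larger than the limit (default 1 GiB)."""
    out = []
    for line in log.splitlines():
        m = DL_RE.match(line)
        if m and int(m.group(4)) > limit_bytes:
            out.append((m.group(2), m.group(3), int(m.group(4))))
    return out

if __name__ == "__main__":
    print(find_brute_force(SAMPLE_LOG))
    print(find_large_downloads(SAMPLE_LOG))
```

In practice the thresholds are tuned per environment, and a hit is a trigger for verification by the IR team, not proof of an incident.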

[Figure: Varonis automatic security incident alert]

Assess and analyze the impact of the attack

The damage caused by an attack varies depending on its type, the effectiveness of the security solution, and the speed of the response. Most of the time, the full extent of the damage cannot be seen until after the problem is resolved. The analysis should find out the type of attack, its impact, and the services that could have been affected.

It is also good practice to look for any traces that the attacker may have left and gather the information that will help establish the timeline of the activities. This means analyzing all the components of the affected systems, capturing relevant evidence for forensics, and determining what could have happened at each stage.

Depending on the extent of the attack and the findings, it may be necessary to escalate the incident to the relevant team.

Containment, threat removal, and recovery

The containment phase includes blocking the spread of the attack and restoring systems to their initial operational state. Ideally, the CIRT should identify the threat and its root cause, remove all threats by blocking or shutting down compromised systems, cleaning malware or viruses, and blocking malicious users, and then restore services.

They must also identify and address the vulnerabilities that the attackers exploited, to prevent future occurrences of the same. Typical containment involves short-term and long-term measures, as well as a backup of the current state.

Before restoring a clean backup or wiping systems, it is important to keep a copy of the state of the affected systems. This preserves evidence that can be useful for forensic analysis. Once that copy is secured, the next step is to restore the interrupted services. Teams can accomplish this in two phases:

  • Check network systems and components to verify that they are all working properly
  • Recheck all components that were infected or compromised and then cleaned or restored to make sure they are now safe, clean, and operational.
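As an added example that is not part of the original article, the script below captures the state of a directory tree into a hash manifest before cleanup, and later verifies the preserved copy against that manifest so that any alteration of the evidence is detected; the manifest layout, collector name and sample files are constructed assumptions.

```python
"""Added example (not from the original article): record the state of affected
files before they are wiped or restored, by hashing each file into a manifest
with size and timestamp, and verify the preserved copy later against it."""
import hashlib, os, tempfile, time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, collector):
    """Walk `root`; return a manifest dict with per-file hash, size and mtime."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            entries[os.path.relpath(p, root)] = {
                "sha256": sha256_file(p), "size": st.st_size, "mtime": st.st_mtime}
    return {"root": os.path.abspath(root), "collected_at": time.time(),
            "collector": collector, "files": entries}

def verify_manifest(root, manifest):
    """Return the paths whose content changed or disappeared since capture."""
    bad = []
    for rel, meta in manifest["files"].items():
        p = os.path.join(root, rel)
        if not os.path.isfile(p) or sha256_file(p) != meta["sha256"]:
            bad.append(rel)
    return bad

def demo():
    """Self-contained run on constructed files: capture, then tamper, then verify."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "logs"))
        for rel, data in (("notes.txt", b"hello"), ("logs/auth.log", b"FAIL FAIL OK")):
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(d, "responder-1")  # assumed collector name
        with open(os.path.join(d, "logs/auth.log"), "ab") as f:  # simulate later alteration
            f.write(b"\nextra")
        return verify_manifest(d, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest itself should be stored separately from the preserved copy, and the same verification can be rerun on cleaned components before they are returned to service.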

Notification and reporting

The incident response team performs the analysis, responds and reports. It needs to explore the root cause of the incident and document its findings on the impact, how the problem was resolved, and the recovery strategy, while passing the relevant information to management, other teams, users, and external vendors.

[Figure: Communications with external agencies and providers]

If the breach affects sensitive data that requires notification of legal authorities, the team should initiate this and follow the procedures set out in their IT policy.

Typically, an attack results in the theft, misuse, corruption, or other unauthorized handling of sensitive data such as confidential, personal, private, and business information. For this reason, it is essential to inform those affected so that they can take precautions and protect their critical data, such as financial, personal and other confidential information.

For example, if an attacker succeeds in accessing user accounts, security teams must notify them and ask them to change their passwords.

Conduct a post-incident review

Resolving an incident also offers lessons learned, and teams can analyze their security solution and address weak links to prevent a similar incident in the future. Improvements include implementing better security and monitoring solutions for internal and external threats, and informing staff and users about security threats such as phishing, spam, and malware that they should avoid.

Other protection measures are running the latest and most effective security tools, patching servers, addressing all vulnerabilities on client and server computers, etc.

NIC Asia Bank of Nepal Incident Response Case Study

Inadequate detection ability or response can cause excessive damage and loss. An example is the case of NIC Asia Bank of Nepal, which lost, and partly recovered, money after a business process compromise in 2017. Attackers compromised SWIFT and fraudulently transferred funds from the bank to various accounts in the UK, Japan, Singapore, and the US.

Fortunately, the authorities detected the illegal transactions but only managed to recover a fraction of the stolen money. If there had been a better alert system, the security teams would have detected the incident at an earlier stage, perhaps before the attackers were successful in compromising the business process.

Since it was a complex security problem involving other countries, the bank had to inform law enforcement and investigative authorities. Furthermore, the scope was beyond the bank's internal incident response team, hence the involvement of external teams from KPMG, the central bank and others.

A forensic investigation by teams outside the central bank established that the incident may have been due to internal negligence that exposed critical systems.

According to one report, the then six operators had used the dedicated SWIFT system computer for other, unrelated tasks. This may have exposed the SWIFT system, allowing attackers to compromise it. After the incident, the bank transferred the six employees to other less sensitive departments.

Lessons learned: The bank should have implemented a surveillance and alert system, in addition to creating adequate security awareness among employees and enforcing strict policies.


Well-planned incident response, good equipment, and relevant security tools and practices give your organization the ability to act quickly and address a wide range of security issues. This reduces damage, service interruptions, data theft, loss of reputation, and potential liability.
