In the previous blog, we covered the Preparation and Detection & Analysis phases of the Incident Response process, breaking down each step to understand its purpose and essential components. In this second part, we are going to explore the Containment, Eradication & Recovery, and Post-Incident Activity phases. Keep in mind that each of these stages plays a critical role when dealing with an incident: they help to minimize impact, restore systems, and implement improvements to strengthen future resilience. So, let’s get started… or should we say, let’s finish up the Incident Response process phases!
The containment, eradication, and recovery phase is where the majority of the work takes place to actually solve the incident.
The objective of the containment phase is to minimize the impact and stabilize the environment by isolating and quarantining the affected areas. So, one might think that when observing an incident, the immediate reaction should be to isolate all affected hosts. Wrong, this is what you shouldn't do! Or at least, it shouldn't be the first reflex in every case. Do you remember the incident response plan and asset list we discussed earlier? This is where they come into play once again. It is important to identify what to isolate, how and when to do it, and whom to contact, before taking any action. Communication with the business is vital because, as additional systems are taken offline, productivity issues are inevitable. Below are some containment actions, depending on your strategy and the level of damage the incident caused:
Again, containment works best when the incident response team knows what actions to take and has reference playbooks and checklists for guidance.
After successfully containing the incident, the next step is eradication: eliminating the root cause of the incident. Your main focus should be on identifying all affected hosts within the organization and removing any remaining traces of the incident from the environment. Some key eradication actions, depending on your strategy, include:
If more affected hosts are discovered, it is essential to repeat the detection and analysis steps to ensure all impacted areas are identified, then re-apply containment and eradication measures. Eradication ensures that attackers no longer have access to the compromised systems or tools.
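To make the re-scoping loop above concrete, here is an added example (not code from the original post) that ties the containment and eradication steps together: each detection sweep finds hosts matching the current indicators, every newly confirmed host is analysed for further indicators, and the sweep repeats until no new hosts appear; the resulting containment plan then consults the asset list, isolating non-critical hosts immediately and escalating critical ones to their owner for approval, as the response plan requires. The host names, hashes and asset inventory are constructed for illustration.

```python
# Constructed asset inventory (not real hosts): criticality decides the action.
ASSETS = {
    "ws-101": {"owner": "helpdesk", "critical": False},
    "ws-205": {"owner": "finance", "critical": False},
    "db-01": {"owner": "dba-team", "critical": True},
    "ws-330": {"owner": "hr", "critical": False},
}
# Constructed per-host file-hash observations; "h_*" stand in for real hashes.
TELEMETRY = {
    "ws-101": {"h_malware", "h_dropper", "h_os"},
    "ws-205": {"h_dropper", "h_os"},
    "db-01": {"h_dropper", "h_os"},
    "ws-330": {"h_clean", "h_os"},
}
# Allowlist so benign artefacts found on a victim do not become indicators.
KNOWN_GOOD = {"h_os", "h_clean"}

def sweep(indicators, telemetry):
    """Detection step: every host whose observations intersect the indicators."""
    return {host for host, seen in telemetry.items() if seen & indicators}

def scope_incident(initial_indicators, telemetry, known_good):
    """Repeat detection until a sweep finds no new hosts (the re-scoping loop).
    Each newly confirmed host is analysed: its non-allowlisted artefacts become
    indicators, and the next sweep uses the enlarged set."""
    indicators, affected, sweeps = set(initial_indicators), set(), 0
    while True:
        sweeps += 1
        new_hosts = sweep(indicators, telemetry) - affected
        if not new_hosts:
            return affected, indicators, sweeps
        affected |= new_hosts
        for host in new_hosts:
            indicators |= telemetry[host] - known_good

def containment_plan(affected, assets):
    """Isolate non-critical hosts now; escalate critical ones to their owner
    for approval before taking them offline, as the response plan requires."""
    plan = {}
    for host in sorted(affected):
        action = "escalate" if assets[host]["critical"] else "isolate"
        plan[host] = (action, assets[host]["owner"])
    return plan

if __name__ == "__main__":
    hosts, iocs, n = scope_incident({"h_malware"}, TELEMETRY, KNOWN_GOOD)
    print(f"{n} sweeps; affected={sorted(hosts)}; indicators={sorted(iocs)}")
    for host, (action, contact) in containment_plan(hosts, ASSETS).items():
        print(f"{host}: {action} (notify {contact})")
```

Starting from the single known hash, the loop needs three sweeps (the last one finds nothing) to confirm three hosts, while the clean host is never touched.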
Following this is the recovery phase, which involves restoring your systems to normal operation and verifying that they are functioning correctly. This may involve tasks such as restoring systems from backups, rebuilding systems, changing passwords, patching vulnerabilities to prevent future incidents, and more.
These phases are critical. Yes, we've emphasized this for nearly every step of the Incident Response process, but it remains true ^_^. By containing the threat early, eradicating it completely, and ensuring a smooth recovery, organizations can protect their assets, restore their operations, and strengthen their defenses against future attacks.
As the saying goes, “If you learned from it, then it wasn't a mistake. It was a lesson”, and that is what this phase is for. Post-incident activity is the last stage in the incident response process. It consists of breaking down and examining in depth the incident that occurred, understanding its root cause, evaluating the response actions taken, and identifying the vulnerabilities and procedural gaps that led to the breach. Simply put, this analysis goes beyond containment of the incident, offering the SOC team valuable opportunities to learn from their mistakes and grow.
Typically, a lessons-learned meeting should be conducted. According to NIST, the analysis should include the following questions:
The goal at the end of the session is to document what went well and what areas should be improved.
An effective incident response plan not only minimizes damage but also provides insights into security weaknesses and prepares the organization for future threats. By continuously investing in training, awareness, automation, and process refinement, organizations can stay agile and better prepared in the ever-evolving landscape of cybersecurity.
This approach ensures that organizations are equipped to respond swiftly and effectively to incidents, while simultaneously reinforcing their overall security posture for long-term resilience.