Module 03 · Incident Response

The Incident Response Lifecycle

When a breach happens, the difference between a contained incident and a catastrophic failure comes down to preparation and process. This presentation covers the NIST IR framework end-to-end.

Average time to identify a breach: 204 days. Average time to contain: 73 days. Structured IR cuts both numbers dramatically.

Phase 1

Preparation

Policy & Plans
Documentation first
Written IR policy, communication plan, escalation procedures. Define severity levels (P1-P4) with clear criteria and response SLAs.
Tooling & Access
Ready before you need it
Forensic workstations, log aggregation, pre-authorized credentials, out-of-band communication channels. Don't provision during a crisis.

Preparation is the only phase you control before the incident. Every hour invested here saves ten during response.

Phase 2

Detection & Analysis

Detection
Signal from noise
SIEM alerts, EDR detections, user reports, threat intel feeds. Correlate indicators across multiple data sources.
Triage
Classify severity
Is this a true positive? What assets are affected? What data is at risk? Assign severity and activate the appropriate response tier.
Analysis
Understand scope
Timeline reconstruction, IOC extraction, lateral movement assessment. Document everything in the incident ticket from minute one.
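Timeline reconstruction and IOC extraction as an added worked example (not part of the original deck): two constructed log sources with different timestamp formats are normalized to UTC and merged into one ordered timeline, indicators are pulled from the messages, and a hypothetical rule assigns a P1-P3 severity from the host spread, which is the lateral-movement signal the Analysis step looks for. The log formats and the severity criteria are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real data). SIEM lines are syslog-style in UTC;
# EDR lines are pipe-delimited with a local-time offset, so both formats must be
# normalized before they can be merged into one timeline.
SIEM_LINES = [
    '2024-03-04T09:12:05Z siem host=ws-17 user=jdoe msg="failed logon from 203.0.113.45"',
    '2024-03-04T09:14:31Z siem host=ws-17 user=jdoe msg="outbound connection to 203.0.113.45:443"',
]
EDR_LINES = [  # the hash is sha256("test"), used only as a stand-in value
    "2024-03-04 11:13:10+02:00|ws-17|process|cmd.exe spawned powershell.exe "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2024-03-04 11:20:42+02:00|srv-db-01|logon|remote logon by jdoe from ws-17",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")

def parse_siem(line):
    ts, _, rest = line.split(" ", 2)
    host = re.search(r"host=(\S+)", rest).group(1)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "source": "siem", "host": host, "msg": rest}

def parse_edr(line):
    ts, host, kind, msg = line.split("|", 3)
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)  # local -> UTC
    return {"time": when, "source": "edr", "host": host, "msg": f"{kind}: {msg}"}

def build_timeline(siem_lines, edr_lines):
    """Merge both sources into a single timeline ordered by UTC time."""
    events = [parse_siem(l) for l in siem_lines] + [parse_edr(l) for l in edr_lines]
    return sorted(events, key=lambda e: e["time"])

def extract_iocs(events):
    """Pull IPv4 addresses and SHA-256 hashes out of every event message."""
    text = " ".join(e["msg"] for e in events)
    return {"ips": sorted(set(IPV4.findall(text))),
            "hashes": sorted(set(SHA256.findall(text)))}

def assign_severity(events):
    """Hypothetical criteria (an assumption, not the deck's own): P1 if activity
    spans more than one host (possible lateral movement), P2 if a single host
    shows EDR endpoint activity, otherwise P3."""
    hosts = {e["host"] for e in events}
    if len(hosts) > 1:
        return "P1"
    if any(e["source"] == "edr" for e in events):
        return "P2"
    return "P3"
```

The ordering only comes out right because the EDR offset is converted before sorting; a timeline built on raw timestamp strings would place the EDR events two hours late.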

The biggest mistake in detection: alert fatigue. When everything is critical, nothing is.

Phase 3-4

Containment & Eradication

Short-term
Stop the bleeding
Network isolation, account disablement, firewall blocks. Quick actions to prevent further spread while preserving forensic evidence.
Long-term
Eliminate the threat
Patch vulnerabilities, remove malware, rebuild compromised systems from clean images. Verify all backdoors and persistence mechanisms are removed.

Critical balance: contain fast enough to limit damage, but don't tip off the attacker before you understand their full footprint.

Phase 5-6

Recovery & Lessons Learned

Phase | Actions | Key Metric
Recovery | Restore from clean backups, verify system integrity, phased reconnection to production | Mean time to recover (MTTR)
Monitoring | Enhanced monitoring of affected systems for 30-90 days post-incident | Recurrence rate
Post-mortem | Blameless review within 72 hours. Timeline, root cause, what worked, what didn't | Action items completed
Improvement | Update playbooks, retrain staff, patch process gaps, test fixes | Time to close action items

A post-mortem that doesn't produce measurable action items with owners and deadlines is just a meeting.

Building the Team

IR Team Structure

Core Team
Always on call
IR manager, security analysts (L1-L3), forensic investigator, threat intel analyst. 24/7 rotation with clear escalation paths.
Extended Team
Activated as needed
Legal counsel, communications/PR, HR, IT operations, business unit leaders. Pre-briefed on their roles and responsibilities.
External
On retainer
IR retainer with a DFIR firm, outside counsel, cyber insurance carrier, law enforcement contacts. Relationships built before the crisis.

Your IR team must include non-technical roles. Legal decides notification timelines. PR controls the narrative. HR handles insider threats.

Case Study

Maersk: NotPetya (2017)

On June 27, 2017, the NotPetya wiper malware destroyed 49,000 laptops, 3,500 servers, and the entire Active Directory infrastructure at Maersk, the world's largest shipping company.

Total damage: $300 million. Operations in 76 ports across 130 countries halted. The company was rebuilt from scratch in 10 days — only possible because a single domain controller in Ghana had been offline during the attack.

Key lessons: Maersk had no segmentation between IT and OT networks. The malware entered through a Ukrainian tax software update (supply chain attack) and spread via EternalBlue and credential harvesting.

The recovery required simultaneous reinstallation of 4,000 servers and 45,000 PCs. Staff worked around the clock using WhatsApp because email was down.

Tabletop Exercises

Practice before the real thing

Design
Scenario planning
Realistic scenarios based on your threat model. Ransomware, insider threat, supply chain compromise, data exfiltration. Inject curveballs mid-exercise.
Execute
Walk through decisions
Gather all stakeholders in a room. Present the scenario in phases. Force real decisions: do you pay the ransom? When do you notify the board? Do you call law enforcement?
Remember this

Run tabletop exercises at least quarterly. Rotate scenarios. Include executives — they make the hard calls during a real incident.

The goal isn't to test technical skills. It's to test decision-making, communication, and coordination under pressure.
