Nov 3, 2020


Incident Response Life Cycle

What is the Incident Response Lifecycle?

With COVID-19 forcing businesses around the globe to shift to remote work, the cybersecurity landscape has changed significantly.

Consequently, the complexity of protecting corporate infrastructure grew tenfold. It is complicated enough to instate impenetrable protection and an incident response lifecycle when all the company employees work from the office, but it becomes a nightmare when they work remotely.

However, it seems that working from home is here to stay even after the lockdowns get lifted. Thus, businesses ought to prepare to live in the new reality of ensuring cybersecurity for environments with vast surfaces susceptible to attack. In order to do this, they should dynamically secure and track multiple external endpoints and connections.

However, this situation is old news for seasoned cybersecurity professionals. They simply add more routine checks to a cyber incident response plan in place in their companies and continue working as usual. But what do you do if you don’t have a security incident response plan yet?

Read on to learn what that plan is, what the stages of the NIST incident response lifecycle are, and how to implement it properly.

NIST Incident Response Lifecycle stages

First of all, why do we talk about a cycle here? Cybersecurity professionals know that it is not a question of WHETHER a data leak, system security breach, or service shutdown will happen — it is a question of WHEN. Realizing you need an effective incident response program for incident closure in the middle of an incident is a rude awakening for any business.

Therefore, a good practice is to prepare in advance by instating incident response procedures and performing red-blue training exercises, fake data breaches, and penetration testing services. Your team must go through the workflows and look for intrusions as actual incidents occur. Adjustments to the incident management process and incident closure have to be based on both the findings of the training and the outcomes of actual incidents.

NIST (the National Institute of Standards and Technology) is the largest and most trusted provider of standards and procedures for the IT industry. It maintains and constantly updates a huge database of known incident categorization, code vulnerabilities, viruses, and other cybersecurity threats, as well as develops security incident resolution procedures for discovering and remediating them.

The NIST incident response lifecycle consists of 4 stages:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-incident activity

Note that it is really a cycle and not a linear process, as there are 2 important rules:

  1. The output of the second stage is the input for the third stage (and vice versa).
  2. The output of the fourth stage is the input for the first stage.

This way, your incident management lifecycle is constantly revised and updated using the latest findings, keeping your team on the same page and able to react to new threats in a timely manner.

Let’s get a detailed breakdown of what is happening at each stage.


Preparation

This is by far the longest and most important stage of the incident response lifecycle, as forewarned is forearmed.

It involves the following steps:

  • Establishing which of the existing mission-critical digital assets can become the breach targets, and the cybersecurity controls that can be deployed for them.
  • Assessing the existing employee and stakeholder roles during an incident, or assigning them if none are in place yet. Forming shifts of employees responsible for every role and providing 24/7 coverage of the workplace.
  • Instating various incident monitoring and response alerts, toolchains, and controls. Assigning incident prioritization — from low and medium to high and critical. 
  • Training (continuous drilling and procedure compliance checks) to ensure the incident management process is completely understood and well-known. During the incident your team will not rise to the height of your expectations — it will fall to the level of their preparedness. Thus, preparing in advance is crucial.

    A well-documented and effective incident response plan with clear incident categorization, incident prioritization and step-by-step instructions for handling an incident and incident closure will help your incident response team avoid making critical mistakes in the case of attack.
  • Include an actionable incident management process flow.

    The reader should have a step-by-step guide for handling an incident, with flowcharts and checklists.
  • Define the incident categorization.

    Incidents of low or medium severity don’t require the same focus or resources as those considered to be critical to the mission. Thus, your team should be able to define incident prioritization, identify the incident severity and handle it by the playbook. 
  • Establish clear communication channels.

    If the team identifies a high-priority threat, they should have clear instructions on how and when to escalate the information to appropriate stakeholders to form a proper incident response unit.
  • List the stakeholder roles and responsibilities.

    Every business stakeholder must be fully aware of their role while an incident is being handled. The incident response plan must include relevant people from other departments, not only the core IT team. For instance, PR must make a statement, and marketing might need to pause the campaigns while the systems are shut down; HR should inform the employees, legal must deal with the possible consequences, etc.
  • Compile detailed playbooks.

    Preparing on-point guidelines for handling repetitive low- and medium-priority incidents will help reduce the toil significantly. Forming a general incident management process flow for dealing with major cybersecurity threats and service disruptions requires a clear understanding of the goals.
  • Integrate the incident response plan with other organizational plans.

    Your company has to remain as operational as possible even during the worst cybersecurity incidents. Workflow continuity, crisis management, and recovery plans must also be in place and interconnected to enable seamless handling of the situation as well as prevent obstruction of the business.

    One of the key factors contributing to the success of this stage is the complete buy-in of the cybersecurity initiatives from the managerial body, as money spent on security is never wasted: it helps contain the security breach when it does happen and prevents financial losses and reputational fiascos for your business.

Detection and Analysis

Quite often the first signs of cybersecurity breaches can be detected as soon as basic infrastructure monitoring is performed.

If your organization uses more than 50 workstations and runs more than a couple of servers — your infrastructure might already be infected with Trojans, malware, spyware, and other malicious tools.

According to the recent IBM report on cybersecurity, the average period of system breach detection in 2019 was 206 days, and it took 73 more days on average to contain and remediate the threat. With a well-established process of detection and analysis, this period could be much shorter. This means that, if there is no security incident response program in place, hackers can have nearly a year of access to your systems and data before you can really do anything about it.

These are the essential components of incident detection and analysis:

  • Network monitoring.

    Monitoring the activity of your users and devices within your network is essential for building solid cybersecurity protection. However, most controls, like corporate firewalls or Intrusion Detection Systems, are now hamstrung: with the lockdowns, the centralized corporate infrastructure protection and monitoring systems became ineffective.
  • Endpoint monitoring.

    Modern antivirus and monitoring systems harness the power of behavioral big data analytics to discover infected devices when they connect to the corporate network. This helps safeguard your digital assets and fill the cybersecurity gap created by the rise of remote office connections.
  • Dark web monitoring.

    If your systems are already compromised (remember, it might take almost a year before you can notice it), your system access credentials and business-critical information might be already available for sale on the dark web. Cybersecurity experts can monitor this market to inform you if such a threat arises and prepare ways to remediate it.

    Alerting is also an essential component of timely incident response procedures. This helps identify malicious activity quickly, stem the panic, and reduce the time before the containment and mitigation of the attack.

Containment, Eradication, and Recovery

The most important thing to realize about this stage is that it can have multiple input-output cycles with the Detection and Analysis within a single incident response timeline.

Your team members will take actions that can have a positive (or negative) impact on handling the attack, and they will have to monitor the system's response to those actions.

Should they wait for confirmation of each action from their superiors, valuable time could be lost and the malicious breach might succeed. However, if every team member does what they want and the stakeholders aren’t informed about what is being done, the result would be chaotic and potentially disastrous.

This is why it is important to have an ingrained muscle memory and clear incident response workflow understanding from multiple attack simulations. It helps the incident response team keep a cool head under pressure and avoid making critical mistakes.

Clearly defined communication channels and reporting procedures will keep the management in the loop of the situation, so they make informed decisions. It will also allow them to issue commands without majorly disrupting the efforts of the cybersecurity team that deals with containing and eradicating the threat.

Post-incident activities

While putting the nightmare behind you as quickly as possible might seem the best solution once the normal operations are restored, this is not the case.

You should go through the whole process again and again in an attempt to learn from your mistakes, look for root causes of the attack, and discover room for improvement in your incident response procedures.

You should also gather feedback from all stakeholders and incorporate the results of the incident analysis in the post-mortem. This way, your organization will come out of the storm stronger than before and will be able to handle future potential incidents better.

It can also be quite useful to employ the services of external incident response forensics. Having resolved a multitude of incidents in various market sectors and industries, they will provide invaluable insights on the way your team handled the cybersecurity incident and possible improvements of the process. This will help strengthen your response to incidents in the future and adapt your cyber incident response plan accordingly.


By now you should have a solid understanding of the stages of the incident management lifecycle, the reasons to have it, and the best practices for designing and implementing your cybersecurity incident response program to resolve the incident.

Understanding the Incident Response Life Cycle is crucial for organizations to effectively mitigate and respond to security incidents. In a recent interview for SafetyDetectives, Andriy Hural, Director of Managed Detection and Response (MDR) at UnderDefense, highlights the significance of incident response planning, shares insights on the main services, and offers valuable guidance on adopting effective cybersecurity practices.

Should your company need help with building a cybersecurity incident response program — UnderDefense is here to help you.

We can evaluate your cybersecurity profile and provide tailored recommendations on how to minimize your potential attack surface and tighten your cybersecurity measures.

Speak to a cybersecurity expert today to safeguard your business!
