Introduction
No matter how strong an organization's defenses are, security incidents eventually happen. Incident response (IR) is the structured, repeatable process a team follows to handle a security incident from the moment it is suspected until normal operations are fully restored and lessons are captured. Having a defined process, rather than improvising during a crisis, dramatically reduces damage, downtime, and confusion.
Cricket analogy: Even the best fielding side eventually drops a catch; incident response is the drill the team runs the moment that happens, from acknowledging the miss to recovering the ball and resuming play with a clear head.
Explanation
Widely used frameworks such as NIST and SANS describe incident response as a lifecycle with six standard phases, performed roughly in this order: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Preparation happens before any incident occurs and includes building an IR plan, assembling a response team, and deploying monitoring tools. Identification is the process of confirming that an event is actually a genuine security incident, often triggered by a SIEM alert or user report. Containment limits the damage, for example by isolating an infected machine from the network, and is often split into short-term containment (stop the bleeding immediately) and long-term containment (keep the business running safely while remediation continues). Eradication removes the root cause, such as deleting malware or closing the vulnerability that was exploited. Recovery restores affected systems to normal production operation and verifies they are clean before reconnecting them fully. Lessons Learned, sometimes called the post-incident review, documents what happened, how well the team responded, and what should change to prevent recurrence.
Cricket analogy: A team's structured response to a controversial umpiring decision mirrors IR phases: prepare a review protocol beforehand, identify the actual error, contain the fallout by staying composed, correct the record, resume play, and debrief afterward.
Example
Incident: Ransomware detected on finance-server-03
1. Preparation - IR plan and contact list already existed; backups tested monthly.
2. Identification - SIEM alert: mass file renames + ransom note file created.
3. Containment - Isolate finance-server-03 from network immediately (short-term);
reroute finance workloads to standby server (long-term).
4. Eradication - Remove malware, identify and patch the initial entry vector.
5. Recovery - Restore clean data from verified backup; monitor closely for 72 hours.
6. Lessons Learned - Root cause: unpatched RDP exposed to internet.
Action item: disable direct RDP exposure, add MFA.Analysis
The order of these phases matters. Jumping straight to eradication before containment could let an attacker regain access mid-cleanup, and skipping identification could waste the team's time chasing a false alarm. Just as importantly, the Lessons Learned phase feeds back into Preparation, making the cycle continuous rather than a one-time event: each incident should make the organization's defenses and response plan measurably better for the next one.
Cricket analogy: Rushing to declare a batsman 'not out' before reviewing the replay properly could cost the match, just as skipping identification in incident response wastes effort chasing a false alarm; each post-match review should improve the next game's preparation.
Key Takeaways
- The standard IR lifecycle has six phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
- Containment is often split into short-term (immediate) and long-term (sustained) actions.
- Eradication removes the root cause, while Recovery restores clean, verified systems to production.
- Lessons Learned closes the loop, feeding improvements back into Preparation for the next incident.
Practice what you learned
1. Which is the correct order of the standard NIST/SANS incident response lifecycle phases?
2. What is the primary goal of the Containment phase?
3. What distinguishes Eradication from Recovery in incident response?
4. Why is the Lessons Learned phase important?
Was this page helpful?
You May Also Like
Security Monitoring and SIEM
Learn how security teams use SIEM platforms to aggregate and correlate logs from many sources to detect anomalies and threats.
Vulnerability Management
Explore the continuous lifecycle of discovering, prioritizing, remediating, and verifying fixes for security vulnerabilities.
Malware Types
A guided tour of virus, worm, trojan, ransomware, and spyware — how each behaves and how defenders stop them.
Security Policies and Governance
Learn how policies, standards, procedures, and guidelines work together to govern an organization's security program.