Incident Response (IR) Process – “Old-Style”

  • admin
  • IR

Intro

Historically, cybersecurity teams relied on a linear, step-based Incident Response model—typically 6 to 8 stages. While still widely recognized, this traditional method is sequential, rigid, and slower to adapt to the speed of modern cyber threats. It followed a waterfall-style progression, often delaying containment and collaboration until late in the incident lifecycle.

Below is the traditional model for context:

1. Preparation

  • Establish policies, playbooks, and communication plans
  • Maintain detection tools (SIEM, EDR, IDS)
  • Train team members & run tabletop exercises
  • Maintain asset inventories and critical-system owners

2. Detection & Analysis

  • Monitor alerts, logs, threat intel, and user reports
  • Triage events for severity and scope
  • Collect forensic data
  • Classify incidents (malware, phishing, breach, unauthorized access, etc.)

3. Containment

  • Isolate affected hosts, accounts, or networks
  • Block malicious traffic
  • Apply temporary controls
  • Preserve evidence

4. Eradication

  • Remove malware or unauthorized changes
  • Patch vulnerable systems
  • Reset compromised accounts
  • Eliminate IOCs

5. Recovery

  • Restore from clean backups
  • Validate system integrity
  • Monitor for reinfection

6. Post-Incident Review

  • Document timeline and actions
  • Capture lessons learned
  • Update policies and controls
  • Report to leadership

Roles Within SIRT

  • Incident Response Manager: Leads and coordinates overall response
  • Security Analysts (Tier 1–3): Investigate alerts, perform triage and deep analysis
  • Forensic Specialist: Handles evidence preservation and data recovery
  • Threat Intelligence Analyst: Enriches investigations with intel and context
  • Communications Lead: Manages internal/external communications
  • IT/Infrastructure Liaison: Executes technical remediation actions
  • Legal/Compliance Advisor: Guides regulatory and breach-notification requirements

Objectives of the IR Process

  • Minimize impact on operations
  • Protect sensitive data and intellectual property
  • Restore normal functioning quickly
  • Ensure compliance with legal and regulatory requirements
  • Strengthen organizational security posture through continuous improvement