
Incident Response

Incident response (IR) is the structured approach to managing and resolving security incidents. When detection identifies a potential threat, incident response determines the scope, contains the damage, eradicates the adversary, and restores normal operations. Effective IR can mean the difference between a minor disruption and a catastrophic breach.

According to the 2024 Ponemon Cost of a Data Breach Report, organisations with a formal incident response team and tested IR plan save an average of $2.66 million per breach compared to those without. Yet only 39% of organisations have a formal IR plan that is tested at least annually.

Core Concepts

The IR Lifecycle (NIST SP 800-61 Rev 2)

The NIST framework defines four phases of incident response that form a continuous cycle:

Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity

Each phase feeds into the next, and lessons learned from post-incident activity improve preparation for future incidents.

CSIRT Models

| Model | Description | Best For | Example |
|---|---|---|---|
| Internal CSIRT | Dedicated in-house IR team | Large enterprises, critical infrastructure | Major bank IR team |
| Outsourced CSIRT | MSSP/MDR provider handles IR | SMBs, orgs without in-house security | CrowdStrike Falcon OverWatch |
| Hybrid CSIRT | Internal team + external augmentation | Mid-large enterprises | Internal L1-L2 + external L3/MDR |
| Coordinating CSIRT | Coordinates response across multiple orgs | ISACs, government | FS-ISAC, CERT/CC |

Module Pages

| Page | Covers |
|---|---|
| IR Lifecycle | NIST SP 800-61 deep dive: Preparation, Detection, Containment, Eradication, Recovery, Post-Incident. Real: Mandiant + SolarWinds case study |
| IR Preparation | Building the IR plan, roles, communication plan, playbooks, tools, tabletop exercises. Phishing playbook excerpt |
| Containment Strategies | Immediate, network, cloud, and host containment. AWS Lambda auto-containment. Real: Colonial Pipeline containment |
| Digital Forensics | Forensics methodology, order of volatility, tools (FTK Imager, Autopsy, Volatility, dd). Chain of custody |
| Malware Analysis | Static and dynamic analysis, YARA rules, sandboxing (Cuckoo, ANY.RUN), reverse engineering (Ghidra). Real: TrickBot analysis |
| Ransomware Response | Step-by-step ransomware response. Colonial Pipeline case study ($4.4M ransom). Identifying ransomware strains |
| IR Lab (Tabletop Exercise) | Hands-on: conduct a tabletop exercise. Spear-phishing → QuasarRAT → ransomware scenario. Call tree, evidence collection, communication templates |
| Flashcards | Test your knowledge |

Key Takeaways

By the end of this module, you should understand the full incident response lifecycle, be able to build and execute an IR plan, apply containment strategies across on-premises and cloud environments, collect forensic evidence following chain of custody, and respond effectively to ransomware incidents. The tabletop exercise lab will give you practical experience in IR decision-making under pressure.