Skip to content
Home
Incident Response: Detection, Containment, and Recovery

Incident Response: Detection, Containment, and Recovery

Security Security 8 min read 1501 words Beginner ExcellentWiki Editorial Team

Security incidents are inevitable. The question is not whether your organization will experience a breach, but how well you will respond when it does. According to the IBM Cost of a Data Breach Report 2025, organizations with established incident response (IR) teams save an average of $1.76 million per breach compared to those without, and contain incidents 54 days faster. This guide follows the NIST SP 800-61 Revision 3 framework — the gold standard for incident response — covering preparation, detection and analysis, containment and eradication, and post-incident recovery.

Preparation — Building the IR Capability

Preparation is the most critical phase. Without trained personnel, documented procedures, and validated tools, response will be chaotic and ineffective.

Incident Response Team Structure

The NIST framework recommends a tiered team structure. Tier 1 — the initial triage team — monitors alerts from SIEM, EDR, and IDS systems, performs initial classification, and either resolves low-severity incidents or escalates. Tier 2 — incident handlers — conduct deep forensic analysis, containment, and eradication for confirmed incidents. Tier 3 — subject matter experts (SMEs) — provide specialized support for cloud forensics, malware reverse engineering, and legal/compliance matters. The team must have 24/7 coverage: the 2025 SANS Incident Response Survey found that breaches detected off-hours cost 35% more to remediate.

Playbooks and Runbooks

Playbooks define the high-level incident response strategy for each incident class (ransomware, data exfiltration, account compromise, DDoS). Runbooks provide step-by-step technical procedures. For example, a ransomware runbook includes: isolate the affected host by disabling the network port; preserve memory and disk forensics via EDR acquisition; identify the ransomware strain via file hashes (VirusTotal, ID Ransomware); determine encryption scope; and execute the communication plan (legal, PR, executive). The Mitre ATT&CK framework maps each procedure to adversary techniques (T1486 for data encrypted for impact), enabling post-incident gap analysis.

Tooling and Infrastructure

Essential IR tooling includes: SIEM (Splunk, Sentinel, ELK); EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint); network detection (Zeek, Suricata); forensic acquisition (FTK Imager, LiME for Linux memory, Volatility); and secure communication channels (out-of-band Slack/Teams, encrypted email). All tools must be tested in tabletop exercises before an actual incident.

Detection and Analysis

Detection is the intersection of visibility and rule quality. You cannot detect what you cannot see.

Detection Engineering

Effective detection starts with visibility: centralized logging from endpoints, network devices, cloud APIs, and identity providers. The logging strategy must follow NIST SP 800-92: log sources, retention periods (minimum 90 days for standard logs, 1 year+ for security events), and protection against log tampering (write-once storage, cryptographic signing). Detection rules (Sigma, KQL, YARA-L, Splunk SPL) map to Mitre ATT&CK techniques. A rule detecting credential dumping (T1003) might alert on lsass.exe process access from a non-system process.

Alert Triage

Not all alerts are incidents. Triage determines priority based on: affected asset criticality, indicator reliability, and exploitation likelihood. The common triage pyramid: tens of thousands of raw events → hundreds of alerts → dozens of confirmed incidents. The SANS Critical Security Controls recommend triage SLAs: critical alerts within 15 minutes, high within 1 hour, medium within 4 hours.

Evidence Collection

Chain of custody is crucial for legal admissibility. Each evidence artifact must be labeled, timestamped, hashed (SHA-256), and tracked in an evidence management system. Memory acquisition should occur before disk analysis — volatile data (RAM contents, running processes, network connections) disappears on power loss.

Containment, Eradication, and Recovery

Speed of containment directly correlates with breach cost. The 2025 IBM report found that breaches contained within 24 hours saved $1.2 million on average.

Short-Term Containment

Short-term containment stops the bleeding. For a compromised endpoint: disable the network interface, suspend the user account, and isolate the device via EDR network containment. For a cloud IAM compromise: revoke temporary credentials, rotate affected access keys, and disable the compromised user in the IdP. For ransomware: implement ACLs on file shares to prevent encryption propagation, block known ransomware C2 domains at the firewall, and trigger failover to clean backups.

Long-Term Containment and Eradication

Long-term containment applies temporary compensating controls while eradication proceeds. Eradication removes the root cause: reformatting compromised systems and restoring from verified clean backups; revoking and reissuing all certificates and keys touched by the attacker; applying security patches for the exploited vulnerability; and resetting all user passwords in the affected domain.

Recovery

Recovery restores business operations. Move restored systems into production gradually, monitoring closely for signs of persistent access. Validate backup integrity through test restores. Phase returns: start with non-critical systems, verify telemetry is clean, then promote critical systems. The recovery time objective (RTO) defined in your business continuity plan guides prioritization.

Post-Incident Activity

The post-incident phase transforms a security failure into organizational learning.

Root Cause Analysis

RCA determines how the attacker gained initial access, lateral movement paths, privilege escalation chain, data accessed, and exfiltration method. The “5 Whys” technique iteratively digs deeper: Why did the phishing email bypass the gateway? Because the gateway’s AI model had not been trained on this variant. Why had the model not been updated? Because the update cycle is quarterly. RCA outputs feed directly into control improvements.

Lessons Learned Meeting

The post-mortem meeting includes all stakeholders: IR team, affected business unit, IT operations, legal, and executive leadership. Review the timeline: detection time, response time, containment time. Identify what went well and what needs improvement. Update playbooks, detection rules, and training based on findings. The NIST framework emphasizes that the post-mortem should be blameless — systems and processes failed, not people.

Metrics and Reporting

Track IR metrics to demonstrate program maturity: mean time to detect (MTTD), mean time to respond (MTTR), mean time to contain (MTTC), and mean time to recover (MTTR). Report quarterly to leadership with trend comparisons. The SANS IR Maturity Model provides a 1-5 scale for capability assessment.

Cloud Forensics

Cloud incident response requires different forensic procedures than on-premises environments. You cannot image a physical machine in AWS or Azure - the provider controls the hypervisor.

Forensic Data Sources

Cloud forensic data sources include: CloudTrail (AWS API logs), Azure Activity Log, GCP Cloud Audit Logs, VPC Flow Logs (network traffic metadata), EBS snapshots / Azure disk snapshots / GCP persistent disk clones, and memory acquisition via EDR agents or cloud-native memory capture (AWS Nitro Enclaves). Time synchronization is critical - correlate events across CloudTrail timestamps (UTC), OS system logs, and application logs. The AWS Forensic Methodology whitepaper recommends preserving snapshots through automated tagging and cross-region replication before initiating containment actions.

Forensic Acquisition Workflow

Preserve evidence before containment actions that might destroy data. The cloud forensic workflow: 1) enable all logging (CloudTrail, GuardDuty, VPC Flow Logs, DNS logs) before containment; 2) snapshot affected volumes with descriptive tags (case number, date, collector name); 3) capture memory via EDR or cloud provider tools (AWS SSM RunCommand with LiME, Azure Run Command with winpmem); 4) isolate the instance using security group modifications rather than termination (termination destroys evidence); 5) replicate encrypted snapshots to a forensic analysis account in a different region. Chain of custody in cloud forensics requires documenting: AWS account ID, region, instance ID, snapshot ARN, IAM role used for access, and timestamps for every action taken.

Ransomware-Specific Response

Ransomware requires specialized procedures. Upon detection: 1) initiate immediate containment — disable SMB (port 445), block known C2 domains at the firewall, disable AD replication to prevent encryption propagation. 2) Identify the variant through ransom note analysis, file extensions, and hash matching (VirusTotal, ID Ransomware). 3) Determine encryption scope. 4) Activate communication plan — legal counsel, PR, executive leadership, law enforcement (CISA, FBI), and cyber insurance carrier. The 2025 Sophos State of Ransomware report found that organizations with IR retainers achieve 3x faster recovery. Backup integrity validation is critical — test restores before paying. Organizations using immutable backups (AWS S3 Object Lock, Azure Blob immutability, Veeam hardened repos) recover without paying 94% of the time.

FAQ

What is the difference between an event and an incident? An event is any observable occurrence in a system. An incident is an event that has negative consequences or poses a threat to the organization’s security posture. Not all events become incidents.

How often should we run tabletop exercises? Quarterly for core IR team members, semi-annually involving executive leadership and legal. After any major incident, run a targeted exercise covering the gaps identified.

What is the most important IR metric? Mean time to contain (MTTC). The 2025 IBM report shows a direct correlation between faster containment and significantly lower breach costs.

Should we pay ransomware demands? Law enforcement (CISA, FBI) strongly advises against paying. Paying funds criminal enterprises and does not guarantee data recovery — organizations that pay still lose access to 20% of data on average, per the 2025 Sophos State of Ransomware report.

What is chain of custody? A documented chronological record of evidence handling: who collected it, when, where, how it was stored, and who accessed it. Essential for legal proceedings and regulatory investigations.

For foundational security knowledge, start with our Security Guide. Learn how to identify vulnerabilities before they become incidents with Vulnerability Management. Proactively assess risks using Threat Modeling.

Section: Security 1501 words 8 min read Beginner 756 articles in section Report inaccuracy Back to top