Author: EC-Council • 4 March 2021

What is the incident response life cycle? Everything you should know! (English below)

Incident response is a methodical plan for responding to cyberattacks. Not every cybersecurity incident needs an investigation, because they are not always serious.

EC-Council blog

Certain events, such as a single failed login on an employee's computer, do not need a thorough investigation, as that is not a major problem. But once an investigation is started, a record of all activities must be kept.

Learning about the incident response life cycle and its framework helps you and your organization understand the accessibility of sensitive information, thereby enabling you to prevent breaches and mitigate threats by educating others and identifying vulnerabilities.

What is the incident response life cycle? Read on in the English part of the EC-Council article.


Incident response is a plan for methodically responding to a cybersecurity incident. Measures are taken to rapidly contain, mitigate, and learn from the harm if an event is nefarious.

However, not every cybersecurity incident requires an investigation, as they are not always serious. Certain events, such as a single login failure by an employee on site, do not need an in-depth investigation, as they are not a major issue. It is still important to keep a record of all these instances for future investigations.

Learning about the incident response life cycle and its framework will help you and your organization understand the accessibility of sensitive information, thereby allowing you to prevent breaches and mitigate threats by educating others and identifying vulnerabilities.

What Is the Incident Response Life Cycle?

The incident response life cycle is a step-by-step process undertaken by a company to detect and respond to a service interruption or security threat. It is imperative to have an incident response plan in place to ensure data protection, avoid a breach of information, and protect the organization from being infiltrated.

Incident Response Plan Steps

It is always necessary to be prepared for a data breach incident as these days it has become a very common phenomenon. Incident response can be stressful when a vital asset is involved and you know that there is a potential danger. Incident response measures help in effective containment and recovery in these intense, high-pressure conditions. Response time is important for damage prevention; so, it is best to formulate certain incident response plan steps.

There are two institutes whose incident response management steps have become industry standards: NIST and SANS.

NIST Incident Response Process

NIST is the National Institute of Standards and Technology, a US government agency that works in various technical domains, including cybersecurity. It is well known for its incident response process, whose steps are:

1. Preparation: Develop and implement the methods necessary to protect critical infrastructure.

2. Detection and analysis: Keep a regular check on systems, information assets, data, and operations, and manage security risks successfully.

3. Containment, eradication, and recovery: Restore affected systems in minimal time.

4. Post-incident activity: Take the necessary steps to avoid such incidents in the future.

SANS Incident Response Process

The SANS Institute is a private organization founded in 1989 which offers information security research and education. It is the largest security training and certification provider in the world, and holds the largest collection of cybersecurity studies.

Its incident response plan is as follows:

1. Preparation: The organization's security policy is reviewed and codified, a risk assessment is carried out, sensitive assets are identified, critical security incidents are defined, and a Computer Security Incident Response Team (CSIRT) is formed.

2. Identification: IT systems track and identify deviations from normal activity and determine whether they constitute real security incidents. When an occurrence is detected, gather additional information, assess its form and severity, and log everything.

3. Containment: Perform short-term containment by isolating the part of the network that is under threat. Then focus on long-term containment, which requires temporary adjustments so that systems can remain in production while clean systems are rebuilt.

4. Eradication: Remove malware from all infected devices, identify the root cause of the attack, and take steps to avoid similar attacks in the future.

5. Recovery: Put the affected production systems back online without risking further attacks. Test, check, and track the affected systems to ensure that they are back to normal operation.

6. Lessons learned: Conduct a retrospective of the incident no later than two weeks after the incident concludes. Complete the full incident documentation, investigate the incident further, understand what was done to contain it, and determine whether anything in the incident response could be improved.
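As an added illustration of the SANS sequence above (example code written for this page, not EC-Council's or SANS's own tooling), the following Python sketch keeps an incident record that only moves forward through the six phases, logs every action with a timestamp and actor, reports how long each phase took for the retrospective, and computes the two-week deadline for the lessons-learned review. The incident id, actor names, notes and timestamps are constructed sample values, and treating "the conclusion of the incident" as the moment Recovery completes is an assumption of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The six SANS phases in the order the article lists them. Preparation is a
# standing activity, so a record of a concrete incident opens at Identification.
SANS_PHASES = ["Preparation", "Identification", "Containment",
               "Eradication", "Recovery", "Lessons Learned"]

# The article: hold the retrospective no later than two weeks after the
# incident concludes. Here "concludes" means Recovery is complete, i.e. the
# moment the record enters Lessons Learned (an assumption of this example).
LESSONS_LEARNED_WINDOW = timedelta(days=14)


@dataclass
class IncidentRecord:
    incident_id: str            # constructed label, not a real ticket number
    severity: str
    opened_at: datetime
    phase: str = "Identification"
    phase_entered: dict = field(default_factory=dict)
    timeline: list = field(default_factory=list)

    def __post_init__(self):
        self.phase_entered[self.phase] = self.opened_at
        self.log(self.opened_at, "detection", f"opened, severity {self.severity}")

    def log(self, when, actor, note):
        """Every action is recorded ("log everything" in the Identification step)."""
        self.timeline.append({"when": when, "phase": self.phase,
                              "actor": actor, "note": note})

    def advance(self, when, actor, note):
        """Move to the next phase. Skipping or going backwards is rejected,
        as is a timestamp earlier than the start of the current phase."""
        idx = SANS_PHASES.index(self.phase)
        if idx + 1 >= len(SANS_PHASES):
            raise ValueError("incident is already in its final phase")
        if when < self.phase_entered[self.phase]:
            raise ValueError("transition cannot predate the current phase")
        self.phase = SANS_PHASES[idx + 1]
        self.phase_entered[self.phase] = when
        self.log(when, actor, note)

    def lessons_learned_due(self):
        """Retrospective deadline, or None while the incident is still open."""
        concluded = self.phase_entered.get("Lessons Learned")
        return None if concluded is None else concluded + LESSONS_LEARNED_WINDOW

    def phase_durations(self):
        """Hours spent in each completed phase, useful input for the retrospective."""
        visited = [p for p in SANS_PHASES if p in self.phase_entered]
        return {cur: (self.phase_entered[nxt] - self.phase_entered[cur]).total_seconds() / 3600
                for cur, nxt in zip(visited, visited[1:])}


def build_sample_incident():
    """Walk a constructed incident through the SANS phases (sample data only)."""
    rec = IncidentRecord("INC-SAMPLE-001", "high", datetime(2021, 3, 1, 9, 0))
    rec.advance(datetime(2021, 3, 1, 10, 30), "soc-analyst", "isolated the affected subnet")
    rec.advance(datetime(2021, 3, 2, 9, 0), "soc-analyst", "malware removed, root cause documented")
    rec.advance(datetime(2021, 3, 3, 9, 0), "sysadmin", "clean systems rebuilt and put under monitoring")
    rec.advance(datetime(2021, 3, 4, 9, 0), "csirt-lead", "systems verified normal, incident closed")
    return rec


if __name__ == "__main__":
    rec = build_sample_incident()
    for entry in rec.timeline:
        print(entry["when"], entry["phase"], entry["actor"], entry["note"])
    print("phase durations (h):", rec.phase_durations())
    print("lessons-learned retrospective due by:", rec.lessons_learned_due())
```

The forward-only transition check is the point of the structure: a record cannot jump from Identification straight to Recovery, so a missing containment or eradication step shows up as an error rather than as a gap discovered at the retrospective.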

What Is the Difference Between NIST and SANS?

The framework and steps of both NIST and SANS are similar to each other in most ways, barring a few differences:

• NIST is a voluntary framework for all companies seeking to reduce their overall security risks and threats, whereas SANS is for organizations that want priority-based results from their security response. They are mostly found in the IoT domain.

• As mentioned earlier, the incident response steps of both frameworks are mostly similar, barring one step: containment, eradication, and recovery. NIST views containment, eradication, and recovery as a single step with multiple components, whereas SANS treats them as independent steps.

What Is an Incident Response Plan?

An incident response plan is a must in any organization that wants to secure its data from attacks; it is a set of instructions and procedures used to detect, prevent, and recover from cyberattacks. An organization implementing an incident response plan carries out a detailed investigation of the incident affecting the targeted system. It is the response to data leakage, breaches, and data theft in the entity.

Why Is an Incident Response Plan Important in an Organization?

An organization must implement an incident response plan to avoid data breaches, because attacks are widespread on networked systems. Under the high pressure of an attack, an incident response plan is the best way to get back to normal afterwards.

The organization should handle the response in an organized manner; if it fails to do so, the incident could affect its reputation and credibility. Threats are challenging for the organization; if the network is attacked, they can be debilitating for the business, costing it both data and functionality.

What Are the Steps in an Incident Response Plan?

There are five significant steps that every response program should cover to effectively address the wide range of security incidents that a company could experience.


Preparation is essential for a successful incident response plan. It's good to have a standard procedure for handling incidents, as the cybersecurity incident response team cannot respond effectively without pre-planned decisions.

o Educate employees about data breaches and their role in the incident response plan.

o Performing mock data breaches in the organization can help employees understand the types of breaches and respond to them effectively.

o Incident response should include training and performance reviews.


This phase monitors systems and network events. Put CTI (cyber threat intelligence) capabilities in place to monitor for and identify incidents continuously.

Take the following points into consideration after an incident has been identified:

o Understand the type of incident, whether it is network-related or software-related.

o Assess how the incident can impact the internal infrastructure or services.
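To make the identification step concrete, here is an added Python example (written for this page, not EC-Council's code) that triages constructed SSH authentication log lines the way the article describes: every event is recorded for later investigation, a single failed login is kept as a record only, and a burst of failures from one source within a short window is escalated to an incident with a type, a severity and first/last-seen times. The threshold, the window, the severity rule and the log lines themselves are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines (not real log data): one lone failure
# from an internal workstation user, one success, one unrelated cron line,
# and a burst of failures from a single external address.
SAMPLE_LOG = """\
Mar 04 10:01:02 ws-17 sshd[412]: Failed password for alice from 10.0.0.5 port 50211 ssh2
Mar 04 10:01:30 ws-17 CRON[440]: (root) CMD (run-parts /etc/cron.hourly)
Mar 04 10:02:11 ws-17 sshd[451]: Accepted password for bob from 10.0.0.7 port 50300 ssh2
Mar 04 10:05:01 ws-17 sshd[470]: Failed password for root from 203.0.113.9 port 41000 ssh2
Mar 04 10:05:03 ws-17 sshd[471]: Failed password for root from 203.0.113.9 port 41002 ssh2
Mar 04 10:05:05 ws-17 sshd[472]: Failed password for invalid user admin from 203.0.113.9 port 41004 ssh2
Mar 04 10:05:08 ws-17 sshd[473]: Failed password for invalid user admin from 203.0.113.9 port 41006 ssh2
Mar 04 10:05:10 ws-17 sshd[474]: Failed password for root from 203.0.113.9 port 41008 ssh2
Mar 04 10:05:12 ws-17 sshd[475]: Failed password for root from 203.0.113.9 port 41010 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)


def parse_line(line, year=2021):
    """Return a structured auth event, or None for lines this example does not handle."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": m["src"], "result": m["result"]}


def triage(lines, threshold=5, window=timedelta(minutes=10)):
    """Record every auth event; escalate a source to an incident once it has
    `threshold` failures inside `window`. Both limits are example values."""
    records = []                 # everything parsed, kept for later investigation
    recent = defaultdict(list)   # src -> (timestamp, user) of failures in the window
    incidents = {}               # src -> the open incident for that source
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        records.append(ev)
        if ev["result"] != "Failed":
            continue
        bucket = recent[ev["src"]]
        bucket.append((ev["ts"], ev["user"]))
        while bucket and ev["ts"] - bucket[0][0] > window:   # slide the window
            bucket.pop(0)
        if len(bucket) < threshold:
            continue                 # a lone failure is logged, not escalated
        inc = incidents.get(ev["src"])
        if inc is None:
            inc = incidents[ev["src"]] = {
                "kind": "repeated authentication failures",
                "src": ev["src"], "host": ev["host"],
                "users": {u for _, u in bucket},
                "first_seen": bucket[0][0], "last_seen": ev["ts"],
                "count": len(bucket),
            }
        else:
            inc["count"] += 1
            inc["last_seen"] = ev["ts"]
            inc["users"].add(ev["user"])
    for inc in incidents.values():
        inc["users"] = sorted(inc["users"])
        # Example severity rule: attempts against a privileged account rank higher.
        inc["severity"] = "high" if "root" in inc["users"] else "medium"
    return records, list(incidents.values())


if __name__ == "__main__":
    recs, incs = triage(SAMPLE_LOG.splitlines())
    print(f"{len(recs)} auth events recorded")
    for inc in incs:
        print(inc["severity"], inc["kind"], "from", inc["src"],
              "users", inc["users"], "count", inc["count"])
```

Note that the lone failure from 10.0.0.5 ends up in `records` but never in `incidents`, which is exactly the distinction the article draws between keeping a record and opening an investigation.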


Containment is an important stage of the response. It depends primarily on the Indicators of Compromise (IOCs) and intelligence gathered during the analysis phase. The goal is to stop the present incident from causing further damage. Therefore, the security team should take risk-mitigating measures such as:

Short-term measures: Shut down systems and disconnect services and applications.

Long-term measures: Upgrade security as required and approve access credentials.


At this stage, the security team must find the root cause of the incident.

This means eliminating threats and all malware from infected networks and software, and taking preventive measures to avoid and withstand similar attacks in the future by patching and securing the systems. Updating outdated software is one way of eradicating malware from infected systems.


The last stage is to ensure that no further incidents occur and to restore the organization to regular services, based on CSIRT information. This includes cleaning the systems, backing up the data, rebuilding the affected systems, and monitoring them to confirm that the breaches are entirely resolved.


After the incident is resolved, the threat intelligence and CSIRT teams should produce an incident response report and record all the information that may help avoid future attacks.

o Feed the updated threat intelligence back into the organization.

o Create measures that prevent incidents.

The business should document every action taken during the response, to help avoid further attacks and to strengthen its devices and the organization against future attacks.

How to Write an Incident Response Plan?

• Decide on the network's key components and prioritize them

It's best to prioritize your organization's assets, whether it's consumer information or essential software that is being secured. Operational networks are complex to manage, so identify the important systems and data and where they are located. Rank them in order so that you understand what needs to be secured first.

• Address single points of failure in the network

Always maintain an alternative plan for your network. In this step, take hardware, software, infrastructure, and staff roles and rank them in order. If any of these is compromised or fails, it could damage the entire organization's productivity.

o Keep incident response and operations running in a way that minimizes damage.

• Develop a business continuity plan

During a security breach, systems can be taken offline and become inaccessible, so build infrastructure with virtual private networks (VPNs) and secure web gateways so that employees can keep working without risk. Always keep a cybersecurity incident response team on standby.

• Create and maintain an incident response team and plan

Prepare a detailed incident response plan and ensure that everyone in the organization knows their duties and responsibilities.

The incident response team's tasks and responsibilities include:

1) Implementing a proactive incident response plan.

2) Testing for and resolving device vulnerabilities.

3) Preserving strong security best practices.

o Maintain a record of the tools, technologies, and resources that should be in use.

o The incident response team must have managers who implement the incident response plan and data backups.

• Everyone in the organization should be trained

The incident response plan is not only for a particular group of people, a single team, or IT. Everyone in the organization should be prepared and responsible for quickly addressing incidents, so that the downtime in responding to them is minimized. Employees and the IT team should work together to reduce how often incidents occur, keeping the organization from being put at risk.

Free Templates for Incident Response Plan

To build an effective incident response plan, use templates that are simple to use, as you can customize them to your organization and fill in those processes in detail.

You can download a few templates below for free to start preparing your plan.

• Thycotic Template for Incident Response

Created by Thycotic, this template has main sections on:

o Responsibilities and roles of employees

o Content details

o Incident response

o Stages and actions taken

o Incident identification



This template contains models covering ransomware, phishing, data breaches, and unauthorized access, mapped to incident response.

•California Government Department of Technology Incident Response Plan Template

If you’re looking for detailed plans of incident response, this template has a 17-step protocol, especially for malware and device failures.

• I-Sight Incident Response Template

I-Sight's template has sections such as:

o Scope of incident response

o Incident response examples and definitions

o Employee roles and responsibilities

o Stages in the incident response plan

What Is Incident Response Management?

Incident Response Management is an organized strategy to handle and manage the aftermath of a data breach or cyberattack, often referred to as an IT/computer/security incident. The goal is to manage the situation in a manner that limits damage and reduces the recovery time and cost.

A well-trained incident response team is the key to identifying and mitigating these threats, and companies are always on the lookout for well-qualified candidates. Becoming a certified professional in this field will increase your employability, as employers seek people who can handle these responsibilities from the get-go. Organizations often train in-house talent with certification programs as well, saving time and boosting the company's overall security profile in the process.

The Certified Incident Handler (ECIH) program by EC-Council has been designed in cooperation with experts in cybersecurity and incident handling and response worldwide. ECIH is a comprehensive incident management program at the professional level that imparts the expertise and information organizations need to mitigate the effects from both a financial and reputational viewpoint when managing any incident.

Original blog post:

The next ECIH program will run 25.-27.10.2021. Read more!