The 6 Stage Incident Response Process

Being prepared is the name of the game in incident response. A well-thought-out and organized incident response process is a big step in preparation.

Luckily, the heavy lifting has already been done. There is an existing roadmap to follow in this security readiness journey. The two most common incident response approaches are from NIST and SANS. While they are slightly different, the similarities and overlaps make them nearly impossible to differentiate.

SANS 6 Step Process

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

NIST 4 Step Process

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity

For purposes of simplification, the two versions can be combined into the SANS format as follows:

  1. Preparation of the incident response team for an event
  2. Identification of an event, which includes detection and analysis
  3. Containment, gaining control, and preventing expansion of the event
  4. Eradication or complete removal of the offending issue
  5. Recovery, returning to a normal state of business
  6. Lessons Learned and other post-incident activities used to prevent and defend in the future

Steps 2 through 5 are heavily weighted toward technology solutions, while steps 1 and 6 are strictly focused on people and learning. Step 1 is about the team learning how to deal with the potential event. Step 6, lessons learned or after-action reviews, is designed specifically for improvement opportunities.

Most incident response systems and processes only focus on the technology components of an incident and pay little to no attention to preparation or lessons learned. An effective process is dedicated to incident response preparation and lessons learned.

Photo credit to Azamat E
