enespt-br
Glossary

Incident Response

The coordinated process of detecting, containing, investigating, and recovering from security incidents and cyberattacks.

Definition

Incident Response (IR) is the systematic process of handling and recovering from security incidents. Rather than firefighting, mature organizations have documented IR plans and trained teams.

Incident Response Phases

Preparation

  • Develop IR plans and playbooks
  • Train response teams
  • Implement detection systems
  • Establish communication channels

Detection & Analysis

  • Identify that an incident has occurred
  • Determine scope and nature
  • Alert stakeholders
  • Begin investigation

Containment

  • Prevent further damage
  • Stop attacker from moving laterally
  • Preserve evidence
  • Short-term containment (isolate affected systems)
  • Long-term containment (patch vulnerabilities)

Eradication

  • Remove attacker from systems
  • Close the vulnerability they exploited
  • Verify they’re completely gone
  • Prevent re-infection

Recovery

  • Restore systems to normal operation
  • Verify systems are clean
  • Monitor for signs of re-compromise
  • Return to business as usual

Post-Incident Activities

  • Forensic analysis
  • Root cause analysis
  • Lessons learned
  • Update incident response plans
  • Improve detection and prevention

Incident Response Playbooks

Effective IR teams have documented playbooks for common incident types:

  • Ransomware Incident Playbook – Specific steps for responding to ransomware
  • Data Breach Playbook – Steps for investigating and containing data theft
  • Insider Threat Playbook – Steps for responding to malicious insiders
  • Supply Chain Compromise Playbook – Coordinating with vendors and customers

Each playbook includes roles, communication templates, and decision trees.

The Role of Threat Intelligence

Threat intelligence accelerates incident response:

  • Threat Actor Attribution – “Is this APT28 or a copycat?”
  • Expected TTPs – “What techniques will this actor likely use next?”
  • Detection Gaps – “What should we hunt for that might have evaded automated detection?”
  • Threat Context – “How urgent is this incident given current threat landscape?”

Organizations with mature threat intelligence respond faster and better than those without.

See Also

Related Terms

Threat IntelligenceThreat HuntingMITRE ATT&CK