What are the steps of an incident response plan?

There are six key phases of an incident response plan: 1. Preparation: Preparing users and security staff to handle potential incidents. 2. Identification: Determining whether an event qualifies as a security incident. 3. Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage. 4. Eradication: Finding the root cause of the incident and removing affected systems from the production environment. 5. Recovery: Ensuring no threat remains and permitting affected systems back into the production environment. 6. Lessons learned: Completing incident documentation, performing analysis to learn from the incident and potentially improving future response efforts.

Incident Response

Get Immediate Help from BlackBerry Cybersecurity Services

We can help—whether you're under cyberattack, need to contain a breach or want to develop an incident response plan. Report an incident or call us now at +1-888-808-3119.

Report An Incident View Services Card

What Is Incident Response?

Incident response is an organization’s approach to addressing cyberattacks and cybersecurity incidents. The goal of incident response is to contain and minimize damage caused by a breach and reduce recovery time and costs.

Incident response includes cyber incident response, data breach response, business email compromise response, ransomware response and digital forensics.

What Is an Incident Response Plan?

An incident response plan is an organization’s predetermined plan for addressing a cyberattack. An incident response plan should include a list of incident response team members with roles and responsibilities as well as tools and technologies, steps to detect and identify cyberattacks, steps to contain and minimize damage (including reputational damage) and processes for incident recovery.

How to Create an Incident Response Plan

The six steps of an incident response plan, according to the SANS Institute checklist, are:

Preparation: Train users and security staff to manage potential security incidents.
Identification: Determine whether an event qualifies as a security incident.
Containment: Limit the damage of a cybersecurity incident and isolate affected systems to prevent more damage.
Eradication: Find the root cause of the incident and remove affected systems from the production environment.
Recovery: Ensure no threat remains and permit affected systems back into the production environment.
Lessons learned: Document the incident, perform analysis to learn from the incident and update procedures to improve future incident response.

Are You Experiencing a Cyberattack or Suspect a Breach?

Call us. BlackBerry^® Cybersecurity Services is an incident response vendor that can help you mitigate the impact of any breach, ensure your recovery follows best practices and secure your IT environment for the future. Our cybersecurity experts provide answers to your questions so you can protect your IT environment during the current attack and defend against future cyberattacks.

How did the attacker get into my environment?
How did they move within the environment?
During what timeframe did the attack occur?
What networks, systems and data did they access?

What were the attacker’s actions and objectives?
Did the attacker exfiltrate (steal) data?
How can I minimize the risk of a future attack?

Get Help Now

Incident Response Best Practices

Watch this webinar by BlackBerry Incident Response Consultant Principal, Martin Münch. Learn best practices to identify, contain and remediate cybersecurity incidents.

Leverage Experts to Hunt and Monitor the Deep and Dark Web

Threat actors could be selling data stolen from your organization on the deep and dark web. Leveraging BlackBerry incident response services offers a competitive edge, courtesy of our team of expertly trained professionals who specialize in classifying threats and delivering early warnings for your team to be proactive and achieve a good cybersecurity posture.

Our experts will perform a point-in-time deep analysis into historical and current intelligence, providing recommendations on next steps. Then, moving forward, our team continuously monitors for new threats, alerting you when needed to ensure you remain on the front foot.

Get In Touch

Digital Forensics Services

We perform many types of digital forensics and incident response (DFIR) services for our clients. Our world-class forensic laboratory enables our digital forensics consultants to process your forensic evidence securely and efficiently.

Before a breach, during a breach or after a breach, the BlackBerry Cybersecurity Services DFIR team collaborates with you to quickly secure the chain of evidence and process your data and devices. We also provide data recovery and media analysis services.

Learn More

Incident Response Retainer Services

Prepare for the worst. Act now to ensure access to incident response expertise and achieve peace of mind.

When you have a cyber incident response retainer with BlackBerry Cybersecurity Services, you get the benefit of reduced rates, service level agreements and guaranteed availability. We offer four levels of service to suit your cybersecurity needs and budget.

Learn More

Cybersecurity Assessment

How can your organization know with certainty whether cybersecurity is already compromised—or not? Evading detection is the goal of cyberattack tactics, techniques and procedures (TTPs), so it’s common not to know. Many security leaders lack the visibility, toolsets, resources and experience to answer questions with confidence about cybersecurity compromise.

Understand your breach status and proactively prevent future incidents with a cybersecurity assessment that identifies signs of current and past breaches. We use artificial intelligence and consultant expertise to reveal the presence of security threats and guide you on how to reduce cybersecurity risk.

Learn More

Business Email Compromise

Most breaches start with phishing, and business email is a digital goldmine for attackers. If they gain access to your email system, they can learn business secrets, spoof your email and launch attacks at your organization and clients. Business email compromise is one of the fastest growing types of cybercrime that we encounter.

If you suspect that an attacker has gained access to your business email platform (O365, Google Workspace or Exchange), contact us—we can help. We have many ways to investigate business email compromise and help you mitigate email-based attacks.

Report an Incident

Find the Best Incident Response Service for You

We help organizations of all sizes and in all industries

Whatever cybersecurity challenge you face, our team of consultants can help.

Get Help Now View Services Card

Resources

Blog Post

Cyber Breach Guidelines for Incident Response: Steps for Before and After a Cyberattack

Read Now

Solution Brief

Incident Response Use Cases: Achieving Cyber Resilience with BlackBerry Cybersecurity Services

Get the Brief

Webinar

SANS 2021 Top New Attacks and Threat Report—Panel Discussion

Watch Now