Home Topics What is incident response? What is incident response?
Explore IBM's incident response solution Subscribe to security topic updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark
What is incident response?

Incident response (sometimes called cybersecurity incident response) refers to an organization’s processes and technologies for detecting and responding to cyberthreats, security breaches or cyberattacks. A formal incident response plan enables cybersecurity teams to limit or prevent damage.

The goal of incident response is to prevent cyberattacks before they happen, and to minimize the cost and business disruption resulting from any cyberattacks that occur.

Ideally, an organization defines incident response processes and technologies in a formal incident response plan (IRP) that specifies exactly how different types of cyberattacks should be identified, contained, and resolved. An effective incident response plan can help cybersecurity teams detect and contain cyberthreats and restore affected systems faster, and reduce the lost revenue, regulatory fines, and other costs associate with these threats. IBM’s Cost of a Data Breach 2022 Report found that organizations with incident response teams and regularly tested incident response plans had an average data breach cost USD 2.66 million lower than that of organizations without incident response teams and IRPs.

IBM X-Force® Threat Intelligence Index

Gain insights to prepare for and respond to cyberattacks with greater speed and effectiveness with the IBM X-Force Threat Intelligence Index.

Related content

Register for the Cost of a Data Breach report

What are security incidents?

A security incident, or security event, is any digital or physical breach that threatens the confidentiality, integrity, or availability or an organization’s information systems or sensitive data. Security incidents can range from intentional cyberattacks by hackers or unauthorized users, to unintentional violations of security policy by legitimate authorized users.

Some of the most common security incidents include:

  1. Ransomware
  2. Phishing and social engineering
  3. DDoS attacks
  4. Supply chain atttacks
  5. Insider threats

Ransomware. Ransomware is a type of malicious software, or malware, that locks up a victim's data or computing device and threatens to keep it locked—or worse—unless the victim pays the attacker a ransom. According to IBM's Cost of a Data Breach 2022 report, ransomware attacks rose by 41 percent between 2021 and 2022.

Learn more about ransomware

Phishing and social engineering. Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information, download malicious software, transferring money or assets to the wrong people, or take some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—sometimes even an individual the recipient knows personally.

Phishing is the most costly and second most common cause of data breaches, according to IBM's Cost of a Data Breach 2022 report. It’s also the most common form of social engineering—a class of attack that hacks human nature, rather than digital security vulnerabilities, to gain unauthorized access to sensitive personal or enterprise data or assets.

Learn more about social engineering

DDoS attacks. In a distributed denial-of-service (DDoS) attack, hackers gain remote control of large numbers of computers and use them to overwhelm a target organization’s network or servers with traffic, making those resources unavailable to legitimate users.

Learn more about DDoS attacks

Supply chain attacks. Supply chain attacks are cyberattacks that infiltrate a target organization by attacking its vendors—for example, by stealing sensitive data from a supplier’s systems, or by using a vendor’s services to distribute malware. In July 2021, cybercriminals took advantage of a flaw in Kaseya's VSA platform (link resides outside ibm.com) to spread ransomware to customers under the guise of a legitimate software update. Even though supply chain attacks are increasing in frequency, only 32 percent of organizations have incident response plans prepared for this particular cyberthreat, according to IBM's 2021 Cyber Resilient Organization Study.

Learn more about supply chain security

Insider threats. There are two types of insider threats. Malicious insiders are employees, partners, or other authorized users who intentionally compromise an organization’s information security. Negligent insiders are authorized user who unintentionally compromise security by failing to follow security best practices—by, say, using weak passwords, or storing sensitive data in insecure places. 

Learn more about insider threats

How incident response works

Incident response planning

As noted previously, an organization’s incident response efforts are guided by an incident response plan. Typically these are created and executed by a computer security incident response team (CSIRT) made up of stakeholders from across the organization—the chief information security officer (CISO), security operations center (SOC) and IT staff, but also representatives from executive leadership, legal, human resources, regulatory compliance, and risk management.

An incident response plan usually includes

  • The roles and responsibilities of each member of the CSIRT;
  • The security solutions—software, hardware, and other technologies—to be installed across the enterprise.
  • A business continuity plan outlining procedures for restoring critical affected systems and data as quickly as possible in the event of an outage;
  • A detailed incident response methodology that lays out the specific steps to be taken at each phase of the incident response process, and by whom;
  • A communications plan for informing company leaders, employees, customers, and even law enforcement about incidents;
  • Instructions for documenting for collecting information and documenting incidents for post-mortem review and (if necessary) legal proceedings. 

It’s not uncommon for the CSIRT to draft different incident response plans for different types of incidents, as each type may require a unique response. According to the IBM® 2021 Cyber Resilient Organization Study, most organizations have specific incident response plans pertaining to DDoS attacks, malware and ransomware, and phishing, and nearly half have plans for insider threats.

Some organizations supplement in-house CSIRTs with external partners providing incident response services. These partners often work on retainer, assist with various aspects of the incident management process, including preparing and executing IRPs.

The incident response process

Most IRPs also follow the same general incident response framework based on incident response models developed by the SANS Institute, the National Institute of Standards and Technology (NIST), and the Cybersecurity and Infrastructure Agency (CISA).

Preparation. This first phase of incident response is also a continuous one, to make sure that the CSIRT always has the best possible procedures and tools in place to respond to identify, contain, and recover from an incident as quickly as possible and within minimal business disruption.

Through regular risk assessment the CSIRT identifies network vulnerabilities, defines the various types of security incidents that pose a risk to the network, and prioritizes each type according to its potential impact on the organization. Based on this risk assessment, the CSIRT may update existing incident response plans or draft new ones.

Detection and Analysis. During this phase, security team members monitor the network for suspicious activity and potential threats. They analyze data, notifications, and alerts gathered from device logs and from various security tools (antivirus software, firewalls) installed on the network, filtering out the false positives and triaging the actual alerts in order of severity.

Today, most organizations use one or more security solutions—such as SIEM (security information and event management) and EDR (endpoint detection and response)—to help security teams monitor and analyze security events in real time, and automate incident detection and response processes. (See “Incident response technologies” for more.)

The communication plan also comes into play during this phase. Once the CSIRT has determined what kind of threat or breach they're dealing with, they'll notify the appropriate personnel before moving to the next stage of the incident response process. 

Containment. The incident response team takes steps to stop the breach from doing further damage to the network. Containment activities can be split into two categories:

  • Short-term containment measures focus on preventing the current threat from spreading by isolating the affected systems, such as by taking infected devices offline.
  • Long-term containment measures focus on protecting unaffected systems by placing stronger security controls around them, such as segmenting sensitive databases from the rest of the network.

At this stage, the CSIRT may also create backups of affected and unaffected systems to prevent additional data loss, and to capture forensic evidence of the incident for future study. 

Eradication. After the threat has been contained, the team moves on to full remediation and complete removal of the threat from the system. This involves actively eradicating the threat itself—for example, destroying malware, booting an unauthorized or rogue user from the network—and reviewing both affected and unaffected systems to ensure that no traces of the breach are left behind. 

Recovery. When the incident response team is confident the threat has been entirely eradicated, they restore affected systems to normal operations. This may involve deploying patches, rebuilding systems from backups, and bringing remediated systems and devices back online.

Post-incident review. Throughout each phase of the incident response process, the CSIRT collects evidence of the breach and documents the steps it takes to contain and eradicate the threat. At this stage, the CSIRT reviews this information to better understand the incident. The CSIRT seeks to determine the root cause of the attack, identify how it successfully breached the network, and resolve vulnerabilities so that future incidents of this type don't occur. 

The CSIRT also reviews what went well and looks for opportunities to improve systems, tools, and processes to strengthen incident response initiatives against future attacks. Depending on the circumstances of the breach, law enforcement may also be involved in the post-incident investigation. 

Incident response technologies

As noted above, in addition to describing the steps CSIRTs should take in the event of a security incident, incident response plans typically outline the security solutions that incident response teams should have in place to carry out or automate key incident response workflows, such as gathering and correlating security data, detecting incidents in real-time, and responding to in-progress attacks.

Some of the most commonly used incident response technologies include:

  • SIEM (security information and event management): SIEM aggregates and correlates security event data from disparate internal security tools (for example firewalls, vulnerability scanners, threat intelligence feeds) and from devices on the network. SIEM can help incident response teams fight ‘alert fatigue’ by indicators of actual threats from the huge volume of notifications these tools generate.

  • SOAR (security orchestration, automation, and response): SOAR enables security teams to define playbooks—formalized workflows that coordinate different security operations and tools in response to security incidents—and to automate portions of these workflows where possible.

  • EDR (endpoint detection and response): EDR is software that is designed to automatically protect an organization's end users, endpoint devices and IT assets against cyberthreats that get past antivirus software and other traditional endpoint security tools. EDR collects data continuously from all endpoints on the network; it analyzes the data in real time for evidence of known or suspected cyberthreats, and can respond automatically to prevent or minimize damage from threats it identifies.

  • XDR (extended detection and response): XDR is a cybersecurity technology that unifies security tools, control points, data and telemetry sources, and analytics across the hybrid IT environment (endpoints, networks, private and public clouds) to create a single, central enterprise system for threat prevention, detection, and response. A still-emerging technology, XDR has the potential to help overextended security teams and security operations centers (SOCs) do more with less by eliminating silos between security tools and automating response across the entire cyberthreat kill chain.

  • UEBA (user and entity behavior analytics): (UEBA) uses behavioral analytics, machine learning algorithms, and automation to identify abnormal and potentially dangerous user and device behavior. UEBA is effective at identifying insider threats—malicious insiders or hackers that use compromised insider credentials—that can elude other security tools because they mimic authorized network traffic. UEBA functionality is often included in SIEM, EDR, and XDR solutions.

  • ASM (attack surface management): ASM solutions automate the continuous discovery, analysis, remediation, and monitoring of the vulnerabilities and potential attack vectors across all the assets in an organization's attack surface. ASM can uncover previously unmonitored network assets, map relationships between assets,
Related solutions
Threat detection and response solutions

Leverage IBM threat detection and response solutions to strengthen your security and accelerate threat detection.

Explore threat detection and response solutions
IBM Security and Compliance Center

An integrated solutions suite enabling you to define policy as code, implement controls for secure data and assess security and compliance posture across hybrid multicloud environments.

Explore IBM Security and Compliance Center
IBM NS1 Connect DNS observability

Use DNS data to quickly identify misconfigurations and security issues.

Explore IBM NS1 Connect
Resources What is ransomware?

Ransomware is malware that holds victims' devices and data hostage until a ransom is paid.

What are insider threats?

Insider threats occur when authorized users deliberately or accidentally expose sensitive data or network assets.

IBM Security Framing and Discovery Workshop

Understand your cybersecurity landscape and prioritize initiatives together with senior IBM security architects and consultants in a no-cost, virtual or in-person, 3-hour design thinking session.

Take the next step

IBM cybersecurity services deliver advisory, integration and managed security services and offensive and defensive capabilities. We combine a global team of experts with proprietary and partner technology to co-create tailored security programs that manage risk.

Explore cybersecurity services