What is incident response?
A formal incident response plan enables cybersecurity teams to limit or prevent damage from cyberattacks or security breaches.

Incident response (sometimes called cybersecurity incident response) refers to an organization’s processes and technologies for detecting and responding to cyberthreats, security breaches or cyberattacks. The goal of incident response is to prevent cyberattacks before they happen, and to minimize the cost and business disruption resulting from any cyberattacks that occur.

Ideally, an organization defines incident response processes and technologies in a formal incident response plan (IRP) that specifies exactly how different types of cyberattacks should be identified, contained and resolved. An effective incident response plan can help cybersecurity teams detect and contain cyberthreats and restore affected systems faster, and reduce the lost revenue, regulatory fines and other costs associated with these threats. IBM’s Cost of a Data Breach 2022 Report found that organizations with incident response teams and regularly tested incident response plans had an average data breach cost USD 2.66 million lower than that of organizations without incident response teams and IRPs.


What are security incidents?

A security incident, or security event, is any digital or physical breach that threatens the confidentiality, integrity or availability of an organization’s information systems or sensitive data. Security incidents range from intentional cyberattacks by hackers or unauthorized users to unintentional violations of security policy by legitimate, authorized users.

Some of the most common security incidents include:

Ransomware. Ransomware is a type of malicious software, or malware, that locks up a victim's data or computing device and threatens to keep it locked—or worse—unless the victim pays the attacker a ransom. According to IBM's Cost of a Data Breach 2022 report, ransomware attacks rose by 41 percent between 2021 and 2022.


Phishing and social engineering. Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—sometimes even an individual the recipient knows personally.

Phishing is the most costly and second most common cause of data breaches, according to IBM's Cost of a Data Breach 2022 report. It’s also the most common form of social engineering—a class of attack that hacks human nature, rather than digital security vulnerabilities, to gain unauthorized access to sensitive personal or enterprise data or assets.


DDoS attacks. In a distributed denial-of-service (DDoS) attack, hackers gain remote control of large numbers of computers and use them to overwhelm a target organization’s network or servers with traffic, making those resources unavailable to legitimate users.


Supply chain attacks. Supply chain attacks are cyberattacks that infiltrate a target organization by attacking its vendors—e.g., by stealing sensitive data from a supplier’s systems, or by using a vendor’s services to distribute malware. In July 2021, cybercriminals took advantage of a flaw in Kaseya's VSA platform to spread ransomware to customers under the guise of a legitimate software update. Even though supply chain attacks are increasing in frequency, only 32 percent of organizations have incident response plans prepared for this particular cyberthreat, according to IBM's 2021 Cyber Resilient Organization Study.


Insider threats. There are two types of insider threats. Malicious insiders are employees, partners or other authorized users who intentionally compromise an organization’s information security. Negligent insiders are authorized users who unintentionally compromise security by failing to follow security best practices—by, say, using weak passwords, or storing sensitive data in insecure places.



How incident response works

Incident response planning

As noted above, an organization’s incident response efforts are guided by an incident response plan. Typically these are created and executed by a computer security incident response team (CSIRT) made up of stakeholders from across the organization—the chief information security officer (CISO), security operations center (SOC) and IT staff, but also representatives from executive leadership, legal, human resources, regulatory compliance and risk management.

An incident response plan usually includes:

  • The roles and responsibilities of each member of the CSIRT;
  • The security solutions—software, hardware and other technologies—to be installed across the enterprise;
  • A business continuity plan outlining procedures for restoring critical affected systems and data as quickly as possible in the event of an outage;
  • A detailed incident response methodology that lays out the specific steps to be taken at each phase of the incident response process (see below), and by whom;
  • A communications plan for informing company leaders, employees, customers and, where appropriate, law enforcement about incidents;
  • Instructions for collecting information and documenting incidents for post-mortem review and (if necessary) legal proceedings.

It’s not uncommon for the CSIRT to draft different incident response plans for different types of incidents, as each type may require a unique response. According to IBM's 2021 Cyber Resilient Organization Study, most organizations have specific incident response plans pertaining to DDoS attacks, malware and ransomware, and phishing, and nearly half have plans for insider threats.

Some organizations supplement in-house CSIRTs with external partners providing incident response services. These partners often work on retainer and assist with various aspects of the incident management process, including preparing and executing IRPs.

The incident response process

Most IRPs follow the same general incident response framework, based on incident response models developed by the SANS Institute, the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).

Preparation. This first phase of incident response is also a continuous one: its purpose is to make sure that the CSIRT always has the best possible procedures and tools in place to identify, contain and recover from an incident as quickly as possible and with minimal business disruption.

Through regular risk assessment the CSIRT identifies network vulnerabilities, defines the various types of security incidents that pose a risk to the network, and prioritizes each type according to its potential impact on the organization. Based on this risk assessment, the CSIRT may update existing incident response plans or draft new ones.

Detection and analysis. During this phase, security team members monitor the network for suspicious activity and potential threats. They analyze data, notifications and alerts gathered from device logs and from the various security tools (antivirus software, firewalls) installed on the network, filtering out false positives and triaging the genuine alerts in order of severity.

Today, most organizations use one or more security solutions—such as SIEM (security information and event management) and EDR (endpoint detection and response)—to help security teams monitor and analyze security events in real time, and automate incident detection and response processes. (See “Incident response technologies,” below for more.)

The communication plan also comes into play during this phase. Once the CSIRT has determined what kind of threat or breach they're dealing with, they'll notify the appropriate personnel before moving to the next stage of the incident response process. 

Containment. The incident response team takes steps to stop the breach from doing further damage to the network. Containment activities can be split into two categories:

  • Short-term containment measures focus on preventing the current threat from spreading by isolating the affected systems, such as by taking infected devices offline.
  • Long-term containment measures focus on protecting unaffected systems by placing stronger security controls around them, such as segmenting sensitive databases from the rest of the network.

At this stage, the CSIRT may also create backups of affected and unaffected systems to prevent additional data loss, and to capture forensic evidence of the incident for future study. 

Eradication. Once the threat has been contained, the team moves on to full remediation and complete removal of the threat from the system. This involves actively eradicating the threat itself—e.g., destroying malware, booting an unauthorized or rogue user from the network—and reviewing both affected and unaffected systems to ensure no traces of the breach are left behind. 

Recovery. When the incident response team is confident the threat has been entirely eradicated, they restore affected systems to normal operations. This may involve deploying patches, rebuilding systems from backups, and bringing remediated systems and devices back online.

Post-incident review. Throughout each phase of the incident response process, the CSIRT collects evidence of the breach and documents the steps it takes to contain and eradicate the threat. At this stage, the CSIRT reviews this information to better understand the incident. The CSIRT seeks to determine the root cause of the attack, identify how it successfully breached the network, and resolve vulnerabilities so that future incidents of this type don't occur. 

The CSIRT also reviews what went well and looks for opportunities to improve systems, tools, and processes to strengthen incident response initiatives against future attacks. Depending on the circumstances of the breach, law enforcement may also be involved in the post-incident investigation. 


Incident response technologies

As noted above, in addition to describing the steps CSIRTs should take in the event of a security incident, incident response plans typically outline the security solutions that incident response teams should have in place to carry out or automate key incident response workflows, such as gathering and correlating security data, detecting incidents in real-time, and responding to in-progress attacks.

Some of the most commonly used incident response technologies include:

  • SIEM (security information and event management): SIEM aggregates and correlates security event data from disparate internal security tools (e.g., firewalls, vulnerability scanners, threat intelligence feeds) and from devices on the network. SIEM can help incident response teams fight ‘alert fatigue’ by isolating indicators of actual threats from the huge volume of notifications these tools generate.
  • SOAR (security orchestration, automation and response): SOAR enables security teams to define playbooks—formalized workflows that coordinate different security operations and tools in response to security incidents—and to automate portions of these workflows where possible.
  • EDR (endpoint detection and response): EDR is software designed to automatically protect an organization's end users, endpoint devices and IT assets against cyberthreats that get past antivirus software and other traditional endpoint security tools. EDR collects data continuously from all endpoints on the network; it analyzes the data in real time for evidence of known or suspected cyberthreats, and can respond automatically to prevent or minimize damage from threats it identifies.
  • XDR (extended detection and response): XDR is cybersecurity technology that unifies security tools, control points, data and telemetry sources, and analytics across the hybrid IT environment (endpoints, networks, private and public clouds) to create a single, central enterprise system for threat prevention, detection and response. A still-emerging technology, XDR has the potential to help overextended security teams and security operations centers (SOCs) do more with less by eliminating silos between security tools and automating response across the entire cyberthreat kill chain.
  • UEBA (user and entity behavior analytics): UEBA uses behavioral analytics, machine learning algorithms and automation to identify abnormal and potentially dangerous user and device behavior. UEBA is particularly effective at identifying insider threats—malicious insiders or hackers using compromised insider credentials—that can elude other security tools because they mimic authorized network traffic. UEBA functionality is often included in SIEM, EDR and XDR solutions.
  • ASM (attack surface management): ASM solutions automate the continuous discovery, analysis, remediation and monitoring of the vulnerabilities and potential attack vectors across all the assets in an organization's attack surface. ASM can uncover previously unmonitored network assets, map relationships between assets,
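The triage described under "Detection and analysis" (filter false positives, rank by severity) and the SIEM-style correlation described in the list above, as an added example that is not part of the original article or of any IBM product. The alert line format, the sample alerts and the tuned false-positive list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample alerts in a simple key=value format (not from any real tool).
RAW_ALERTS = [
    "2024-03-02T10:01:05Z tool=edr host=ws-17 sev=high rule=ransom_note_dropped",
    "2024-03-02T10:01:09Z tool=edr host=ws-17 sev=high rule=ransom_note_dropped",
    "2024-03-02T10:02:11Z tool=firewall host=ws-17 sev=medium rule=smb_scan_outbound",
    "2024-03-02T10:03:40Z tool=av host=ws-22 sev=low rule=eicar_test_file",
    "2024-03-02T10:05:30Z tool=edr host=ws-22 sev=critical rule=credential_dumping",
    "this line is malformed and must be skipped",
]
# Rules the CSIRT has tuned out as benign in this environment (assumed list).
KNOWN_FALSE_POSITIVES = {"eicar_test_file"}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ALERT_RE = re.compile(r"^(?P<ts>\S+) tool=(?P<tool>\S+) host=(?P<host>\S+) "
                      r"sev=(?P<sev>\S+) rule=(?P<rule>\S+)$")


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Drop known false positives, collapse repeats of one rule on one host
    into a single alert with a count, and order by severity (highest first)."""
    merged = {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["rule"] in KNOWN_FALSE_POSITIVES:
            continue
        key = (a["host"], a["rule"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = {**a, "count": 1}
    return sorted(merged.values(),
                  key=lambda a: (-SEVERITY_RANK.get(a["sev"], 0), a["ts"]))


def correlate_hosts(triaged):
    """Group triaged alerts by host; escalate a host when more than one
    independent tool reported it, since agreeing sources are rarely noise."""
    by_host = defaultdict(set)
    for a in triaged:
        by_host[a["host"]].add(a["tool"])
    return {h: {"tools": sorted(t), "escalate": len(t) > 1}
            for h, t in by_host.items()}
```

Run on the sample, the two duplicate EDR alerts on ws-17 merge into one high-severity alert with a count of 2, and ws-17 is escalated because the EDR and firewall independently flagged it.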

Related solutions

X-Force Incident Response Team

Get the security protection your organization needs to improve breach readiness with an incident response retainer subscription from IBM Security. When you engage with our elite team of IR consultants before a cybersecurity incident is suspected, you have trusted partners on standby to help reduce the time it takes to respond to an incident, minimize its impact and help you recover faster.


Security orchestration, automation and response (SOAR)

Threat detection is only half of the security equation. You also need a smart incident response to the growing volume of alerts, multiple tools and staff shortages. Accelerate incident response with automation, process standardization and integration with your existing security tools with IBM.


Managed detection and response services

With the growing number of laptops, desktops and remote workers, sophisticated cybercriminals have even more open doors to your organization. From these entry points, they can often proceed deep and unnoticed. IBM delivers a turnkey, 24x7 threat prevention, detection and fast response capability, fueled by threat intelligence and proactive threat hunting to identify and remediate advanced threats.


Endpoint detection and response (EDR)

Remote work trends and an increase in the interconnectivity of endpoints have led to a rise in malicious activities. Reduce analyst workloads by leveraging a modern, AI-driven EDR that can automatically block and isolate malware and ransomware threats.


IBM Security Framing and Discovery Workshop

Understand your cybersecurity landscape and prioritize initiatives together with senior IBM security architects and consultants in a no-cost, virtual or in-person, 3-hour design thinking session.