
Updated: 20 August 2024 
Contributors: Jim Holdsworth, Matthew Kosinski

What is incident response?

Incident response (sometimes called cybersecurity incident response) refers to an organization’s processes and technologies for detecting and responding to cyberthreats, security breaches or cyberattacks. A formal incident response plan enables cybersecurity teams to limit or prevent damage.

The goal of incident response is to prevent cyberattacks before they happen and minimize the cost and business disruption resulting from any cyberattacks that occur. Incident response is the technical portion of incident management, which also includes executive, HR and legal management of a serious incident.

Ideally, an organization defines incident response processes and technologies in a formal incident response plan (IRP) that specifies how different types of cyberattacks should be identified, contained and resolved.

An effective incident response plan can help cyber incident response teams detect and contain cyberthreats, restore affected systems and reduce lost revenue, regulatory fines and other costs.

IBM’s Cost of a Data Breach Report found that having an incident response team and formal incident response plans enables organizations to reduce the cost of a breach by almost half a million US dollars (USD 473,706) on average.


What are security incidents?

A security incident, or security event, is any digital or physical breach that threatens the confidentiality, integrity or availability of an organization’s information systems or sensitive data. Security incidents can range from intentional cyberattacks by hackers or unauthorized users, to unintentional violations of IT security policy by legitimate authorized users.

Some of the most common security incidents include:

  • Ransomware
  • Phishing and social engineering
  • DDoS attacks
  • Supply chain attacks
  • Insider threats
  • Privilege escalation attacks
  • Man-in-the-middle attacks

Ransomware

Ransomware is a type of malicious software, or malware, that locks up a victim's data or computing device and threatens to keep it locked—or worse—unless the victim pays a ransom. The latest X-Force Threat Intelligence Index from IBM reports that 20% of network attacks used ransomware and that extortion-based attacks are a driving force in cybercrime—only surpassed by data theft and leaks.

Phishing and social engineering

Phishing attacks are digital or voice messages that try to manipulate recipients to share sensitive information, download malicious software, transfer money or assets to the wrong people or take some other damaging action.  

Attackers craft phishing messages to look or sound as if they come from a trusted or credible organization or individual—sometimes even an individual the recipient knows personally.

Phishing and stolen or compromised credentials are the two most prevalent attack vectors, according to the IBM Cost of a Data Breach report. Phishing is also the most common form of social engineering—a class of attack that hacks human nature, rather than digital security vulnerabilities, to gain unauthorized access to sensitive personal or enterprise data or assets.

DDoS attacks

In a distributed denial-of-service (DDoS) attack, hackers gain control of large numbers of computers and use them to overwhelm a target organization’s network or servers with bogus traffic, making those resources unavailable to legitimate users.

Supply chain attacks

Supply chain attacks are cyberattacks that infiltrate a target organization by attacking its vendors. For example, this could include stealing sensitive data from a supplier’s systems or using a vendor’s services to distribute malware. 

Insider threats

There are two types of insider threats. Malicious insiders are employees, partners or other authorized users who intentionally compromise an organization’s information security. Negligent insiders are authorized users who unintentionally compromise security by failing to follow security best practices—by, say, using weak passwords or storing sensitive data in insecure places.

Privilege escalation attacks

In a privilege escalation attack, an attacker first gains limited privileges in a system and uses them to move laterally, acquiring higher privileges and access to more sensitive data along the way.

Stolen credentials can help the attacker with either the initial entry or boosting their privileges. According to the X-Force Threat Intelligence Index, the abuse of valid accounts is the most common way that attackers breach systems today.

Man-in-the-middle (MITM) attacks

In an MITM attack, the threat actor intercepts a communication—often an email containing sensitive information such as usernames or passwords—and either steals or alters that communication. The attacker either uses the stolen information directly or injects malware to be forwarded to the intended recipient.

Incident response planning

An organization’s incident handling efforts are normally guided by an incident response plan. Typically, plans are created and executed by a computer security incident response team (CSIRT) made up of stakeholders from across the organization.

The CSIRT team might include the chief information security officer (CISO), security operations center (SOC), security analysts and IT staff. It may also include representatives from executive leadership, legal, human resources, regulatory compliance, risk management and possibly third-party experts from service providers.

The Cost of a Data Breach Report notes that, “By investing in response preparedness, organizations can help reduce the costly, disruptive effects of data breaches, support operational continuity and help preserve their relationships with customers, partners and other key stakeholders.”

An incident response plan usually includes:

  • An incident response playbook including the roles and responsibilities of each member of the CSIRT throughout the incident response lifecycle.

  • The security solutions—software, hardware and other technologies—installed across the enterprise.

  • A business continuity plan outlining procedures for restoring critical systems and data as quickly as possible if there’s an outage.

  • An incident response methodology that details the specific steps to be taken at each phase of the incident response process, and by whom.

  • A communications plan for informing company leaders, employees, customers and law enforcement about incidents.

  • Instructions for collecting and documenting information about incidents for postmortem review and (if necessary) legal proceedings. 

The CSIRT might draft different incident response plans for different types of incidents, as each type might require a unique response. Many organizations have specific incident response plans pertaining to DDoS attacks, malware, ransomware, phishing and insider threats. 

Having incident response plans that are customized to an organization’s environment—or environments—is key to reducing the time to respond, remediate and recover from an attack.

Some organizations supplement in-house CSIRTs with external partners providing incident response services. These partners often work on retainer and assist with various aspects of the overall incident management process, including preparing and executing incident response plans.

How incident response works

Most incident response plans follow the same general incident response framework based on models developed by the National Institute of Standards and Technology (NIST)1 and SANS Institute2. Common incident response steps include:

  • Preparation
  • Detection and analysis
  • Containment 
  • Eradication
  • Recovery
  • Post-incident review

Preparation

This first phase of incident response is also a continuous one. The CSIRT selects the best possible procedures, tools and techniques to identify, respond to, contain and recover from an incident as quickly as possible and with minimal business disruption.

Through regular risk assessment, the CSIRT identifies the business environment to be protected, the potential network vulnerabilities and the various types of security incidents that pose a risk to the network. The team prioritizes each type of incident according to its potential impact on the organization.  

The CSIRT might “wargame” several different attack strategies and then create templates of the most effective responses to speed action during a real attack. Response time might be tracked to establish metrics for future exercises and possible attacks. Based on a complete risk assessment, the CSIRT might update existing incident response plans or draft new ones.

Detection and analysis

During this phase, security team members monitor the network for suspicious activity and potential threats. They analyze data, notifications and alerts gathered from device logs and various security tools (antivirus software, firewalls) to identify incidents in progress. The team works to filter false positives from real incidents, triaging the actual alerts in order of severity.

Today, most organizations use one or more security solutions—such as security information and event management (SIEM) and endpoint detection and response (EDR)—to monitor security events in real time and automate response efforts. (See the “Incident response technologies” section for more.)

The communication plan also comes into play during this phase. When the CSIRT has determined what kind of threat or breach they're dealing with, they'll notify the appropriate personnel and then move to the next stage of the incident response process.
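As an added example (not IBM's code, nor from any product the page describes), a small triage routine over constructed auth log lines that implements the detection-and-analysis steps above: correlate events from device logs, set aside a known false positive and order the real alerts by severity. The log format, the thresholds and the scanner allow-list address 10.0.9.9 are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample auth log (syslog-like); not captured from any real system.
SAMPLE_LOGS = """\
2024-08-20T09:00:01Z auth host=web01 user=alice src=10.0.0.5 result=FAIL
2024-08-20T09:00:03Z auth host=web01 user=alice src=10.0.0.5 result=FAIL
2024-08-20T09:00:05Z auth host=web01 user=alice src=10.0.0.5 result=FAIL
2024-08-20T09:00:08Z auth host=web01 user=alice src=10.0.0.5 result=OK
2024-08-20T09:01:00Z auth host=db01 user=svc_backup src=10.0.9.9 result=FAIL
2024-08-20T09:01:01Z auth host=db01 user=svc_backup src=10.0.9.9 result=FAIL
2024-08-20T09:01:02Z auth host=db01 user=svc_backup src=10.0.9.9 result=FAIL
2024-08-20T09:02:00Z auth host=vpn01 user=carol src=203.0.113.8 result=FAIL
2024-08-20T09:02:01Z auth host=vpn01 user=carol src=203.0.113.8 result=FAIL
2024-08-20T09:02:02Z auth host=vpn01 user=carol src=203.0.113.8 result=FAIL
2024-08-20T09:05:00Z auth host=web02 user=bob src=10.0.0.7 result=OK
"""
LINE_RE = re.compile(r"^(\S+) auth host=(\S+) user=(\S+) src=(\S+) result=(FAIL|OK)$")
KNOWN_SCANNERS = {"10.0.9.9"}  # assumed allow-list: the org's own authorised scanner
FAIL_THRESHOLD = 3             # failures in one burst before we care
WINDOW_SECONDS = 60            # failures farther apart than this start a new burst

def parse(text):
    """Turn raw lines into (timestamp, host, user, src, result); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, user, src, result = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, src, result))
    return events

def triage(text):
    """Correlate failures per (src, user), split out known false positives, and
    return (real alerts ordered by severity, suppressed alerts). Severity 3 = high."""
    streak = {}  # (src, user) -> (consecutive fails, last host, last timestamp)
    alerts, suppressed = [], []

    def raise_alert(severity, rule, host, user, src):
        rec = {"severity": severity, "rule": rule, "host": host, "user": user, "src": src}
        (suppressed if src in KNOWN_SCANNERS else alerts).append(rec)

    for ts, host, user, src, result in parse(text):
        key = (src, user)
        count, _, last_ts = streak.get(key, (0, None, None))
        in_window = last_ts is not None and (ts - last_ts).total_seconds() <= WINDOW_SECONDS
        if result == "FAIL":
            streak[key] = (count + 1 if in_window else 1, host, ts)
            continue
        # A success right after a burst of failures is the valid-account abuse pattern: top priority.
        if in_window and count >= FAIL_THRESHOLD:
            raise_alert(3, "repeated failures followed by successful login", host, user, src)
        streak.pop(key, None)
    for (src, user), (count, host, _) in streak.items():
        if count >= FAIL_THRESHOLD:
            raise_alert(2, "repeated failed logins, no success yet", host, user, src)
    alerts.sort(key=lambda a: a["severity"], reverse=True)
    return alerts, suppressed
```

On the sample above, `triage(SAMPLE_LOGS)` returns the alice event first (severity 3), then carol (severity 2), with the svc_backup burst from the allow-listed scanner set aside for review rather than dropped.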

Containment

The incident response team takes steps to stop the breach or other malicious activity from doing further damage to the network. The emergency incident response plans then go into action. There are two categories of containment activities:

  • Short-term mitigation measures focus on preventing the current threat from spreading by isolating the affected systems, such as by taking infected devices offline.

  • Long-term containment measures focus on protecting unaffected systems by placing stronger security controls around them, such as segmenting sensitive databases from the rest of the network.

At this stage, the CSIRT might also create backups of affected and unaffected systems to prevent additional data loss and capture forensic evidence of the incident for future study.  

Eradication

After the threat has been contained, the team moves on to full remediation and complete removal of the threat from the system. This could include removal of malware or booting an unauthorized or rogue user from the network. The team also reviews both affected and unaffected systems to help ensure that no traces of the breach are left behind.   

Recovery

When the incident response team is confident the threat has been entirely eradicated, they restore affected systems to normal operations. This remediation might involve deploying patches, rebuilding systems from backups and bringing systems and devices back online. A record of the attack and its resolution is retained for analysis and system improvements.

Post-incident review

Throughout each phase of the incident response process, the CSIRT collects evidence of the breach and documents the steps it takes to contain and eradicate the threat. At this stage, the CSIRT reviews this information to better understand the incident and gather “lessons learned.” The CSIRT seeks to determine the root cause of the attack, identify how it successfully breached the network, and resolve vulnerabilities so that future incidents of this type do not recur.

The CSIRT also reviews what went well and looks for opportunities to improve systems, tools and processes to strengthen incident response initiatives against future attacks. Depending on the circumstances of the breach, law enforcement might also be involved in the post-incident investigation. 

Incident response technologies

In addition to describing the steps CSIRTs should take during a security incident, incident response plans typically outline the security solutions that incident response teams should use to implement or automate key workflows, such as gathering and correlating security data, detecting incidents in real-time and responding to in-progress attacks.

Some of the most commonly used incident response technologies include:

  • ASM (attack surface management)
  • EDR (endpoint detection and response)
  • SIEM (security information and event management)
  • SOAR (security orchestration, automation and response)
  • UEBA (user and entity behavior analytics)
  • XDR (extended detection and response)

ASM (attack surface management)

ASM solutions automate the continuous discovery, analysis, remediation and monitoring of vulnerabilities and potential attack vectors across all the assets in an organization's attack surface. ASM can uncover previously unmonitored network assets and map relationships between assets.

EDR (endpoint detection and response)

EDR is software designed to automatically protect an organization's users, endpoint devices and IT assets against cyberthreats that get past antivirus software and other traditional endpoint security tools. 

EDR collects data continuously from all endpoints on the network. It also analyzes the data in real time for evidence of known or suspected cyberthreats and can respond automatically to prevent or minimize damage from the threats it identifies.

SIEM (security information and event management)

SIEM aggregates and correlates security event data from disparate internal security tools (for example firewalls, vulnerability scanners and threat intelligence feeds) and from devices on the network.

SIEM can help incident response teams fight “alert fatigue” by distinguishing indicators of actual threats from the huge volume of notifications that security tools generate.

SOAR (security orchestration, automation and response)

SOAR enables security teams to define playbooks, formalized workflows that coordinate different security operations and tools in response to security incidents. SOAR platforms can also automate portions of these workflows where possible.

UEBA (user and entity behavior analytics)

UEBA uses behavioral analytics, machine learning algorithms and automation to identify abnormal and potentially dangerous user and device behavior.

UEBA is effective at identifying insider threats—malicious insiders or hackers that use compromised insider credentials—that can elude other security tools because they mimic authorized network traffic. UEBA functions are often included in SIEM, EDR and XDR solutions.

XDR (extended detection and response)

XDR is a cybersecurity technology that unifies security tools, control points, data and telemetry sources and analytics across the hybrid IT environment. XDR creates a single, central enterprise system for threat prevention, detection and response. XDR can help overextended security teams and SOCs do more with less by eliminating silos between security tools and automating responses across the entire cyberthreat kill chain.

AI and the future of incident response

Artificial intelligence (AI) can help organizations mount a stronger defense against cyberthreats, just as data thieves and hackers are using AI to empower their attacks. 

The cost savings of using added AI protection can be significant. According to the IBM Cost of a Data Breach Report, organizations that use AI-powered security solutions can save as much as USD 2.2 million in breach costs.

Enterprise-grade, AI-powered security systems can improve incident response capabilities through:

  • Faster detection of anomalies
  • More proactive response processes
  • Prediction of likely attack channels

Faster detection of anomalies

AI-powered systems can accelerate threat detection and mitigation by monitoring enormous volumes of data to speed the search for suspicious traffic patterns or user behaviors.

More proactive response processes

AI-powered systems can support more proactive incident response processes by providing real-time insights to the cybersecurity team, automating incident triage, coordinating defenses against cyberthreats and even isolating systems under attack. 

Prediction of likely attack channels

AI-powered risk analysis can produce incident summaries to speed alert investigations and help find the root cause of a failure. These incident summaries can help forecast which threats are most likely to occur in the future so the incident response team can fine-tune a stronger plan to meet those threats.

Footnotes


1 Cybersecurity Framework's Five Functions, National Institute of Standards and Technology (NIST), 26 February 2024.

2 SANS Whitepaper: Incident Handler's Handbook, SANS Institute, 21 February 2012.