# 【6-2】 The Incident Response Lifecycle

*A Structured Approach to Handling Cyber Incidents*

---

## Introduction

When a security incident occurs, **speed without structure causes mistakes**, and structure without speed causes damage.

The **Incident Response Lifecycle** provides a disciplined, repeatable framework that organizations use to detect, contain, investigate, and recover from cyber incidents.

This lifecycle ensures that responses are:

- Consistent
- Legally defensible
- Technically sound
- Focused on minimizing impact

Rather than reacting emotionally or improvising, responders follow a clear process.

---

## What Is the Incident Response Lifecycle?

The Incident Response Lifecycle is a sequence of phases that guide how an organization prepares for, responds to, and learns from security incidents.

A commonly used model includes **six phases**:

1. Preparation
2. Detection and Analysis
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Each phase has a specific purpose and directly influences the success of the next.

---

## Overview of the Lifecycle Phases

| Phase | Purpose |
|-------|---------|
| Preparation | Ensure people, tools, and procedures are ready before an incident |
| Detection and Analysis | Identify and confirm that an incident is occurring |
| Containment | Limit the spread and impact of the incident |
| Eradication | Remove the attacker and the root cause |
| Recovery | Restore systems to normal operation safely |
| Lessons Learned | Improve defenses based on what happened |

---

## Phase 1: Preparation

### Purpose

Preparation happens **before any incident occurs**. It determines how effective every later phase will be.
### Key Activities

- Incident response plans and playbooks
- Asset inventories
- Logging and monitoring
- Backup strategies
- Team roles and communication plans
- Training and tabletop exercises

### Why It Matters

Organizations without preparation:

- Respond more slowly
- Make legal and technical mistakes
- Increase damage and downtime

Preparation is the most cost-effective security investment.

---

## Phase 2: Detection and Analysis

### Purpose

Identify potential incidents and determine whether they are real.

### Common Detection Sources

- SIEM alerts
- Endpoint detection tools
- Network monitoring
- User reports
- Log analysis

### Analysis Tasks

- Validate alerts
- Determine scope and severity
- Identify affected systems
- Preserve initial evidence

False positives are common, so verification before acting is critical.

---

## Phase 3: Containment

### Purpose

Stop the incident from spreading or causing further damage.

### Types of Containment

- **Short-term containment**: Immediate isolation (disconnect from the network, disable accounts)
- **Long-term containment**: Temporary fixes that hold while the investigation continues

### Examples

- Isolating infected machines
- Blocking malicious IP addresses
- Disabling compromised credentials

Containment must balance speed with evidence preservation.

---

## Phase 4: Eradication

### Purpose

Remove the attacker and eliminate the root cause of the incident.

### Common Eradication Actions

- Removing malware
- Closing exploited vulnerabilities
- Resetting credentials
- Rebuilding compromised systems

Eradication should not begin until containment is stable.

---

## Phase 5: Recovery

### Purpose

Safely restore systems and services to normal operation.

### Key Activities

- Restore from clean backups
- Validate system integrity
- Monitor for signs of reinfection
- Gradually return systems to production

Rushing recovery can reintroduce the attacker.

---

## Phase 6: Lessons Learned

### Purpose

Turn incidents into improvements.

### Key Questions

- What happened?
- How was it detected?
- What worked well?
- What failed?
- How can this be prevented next time?

### Outputs

- Updated playbooks
- Improved controls
- Training updates
- Risk reassessment

This phase closes the loop and strengthens future defenses.

---

## Mapping the Lifecycle to Real Incidents

In real breaches:

- Preparation determines detection speed
- Detection quality determines containment success
- Containment quality limits impact
- Eradication prevents recurrence
- Recovery restores trust
- Lessons learned improve resilience

Skipping phases increases long-term risk.

---

## Common Incident Response Mistakes

- Acting before confirming the incident
- Destroying evidence during containment
- Poor communication
- Rushing recovery
- Skipping post-incident review

Discipline is essential under pressure.

---

## Summary

- The Incident Response Lifecycle provides structure during chaos
- Each phase has a clear purpose
- Preparation enables effective response
- Detection and containment limit damage
- Eradication and recovery restore systems safely
- Lessons learned strengthen future defenses

> In the next section, you will explore **【6-3】 Incident Detection and Alerting**, focusing on how incidents are identified in real environments.
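The four Analysis Tasks of Phase 2 (validate the alert, determine scope and severity, identify affected systems, preserve initial evidence) are easier to see end to end in code than as a checklist. The script below is an added example written for this lesson; it is not part of the original text and does not model any particular SIEM. The log format, the host names, the user names, the 5-failures-in-5-minutes threshold and the RFC 5737 documentation addresses are all constructed. It triages a hypothetical "brute-force login" alert: it hashes the raw evidence before touching it, confirms or rejects the alert, lists the hosts and accounts the source reached, and rates severity by whether any login actually succeeded.

```python
"""Triage of a constructed brute-force alert, covering the Phase 2 tasks:
validate the alert, determine scope and severity, identify affected systems,
and preserve the initial evidence. Added example, not from the original lesson.
Log format, hosts, users, addresses and thresholds are all constructed."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation address ranges).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=web01 src=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:03Z host=web01 src=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:05Z host=web01 src=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:07Z host=web01 src=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:09Z host=web01 src=203.0.113.5 user=alice event=login_failed",
    "2024-05-01T10:00:12Z host=web01 src=203.0.113.5 user=alice event=login_success",
    "2024-05-01T10:01:00Z host=db01 src=203.0.113.5 user=alice event=login_success",
    "2024-05-01T10:02:00Z host=web02 src=198.51.100.7 user=bob event=login_failed",
    "2024-05-01T10:02:30Z host=web02 src=198.51.100.7 user=bob event=login_failed",
    "2024-05-01T10:03:00Z host=web02 src=198.51.100.7 user=bob event=login_success",
]

LINE_RE = re.compile(r"^(\S+) host=(\S+) src=(\S+) user=(\S+) event=(\S+)$")


def parse_line(line):
    """Parse one constructed-format log line into a dict; reject anything else."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, host, src, user, event = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "src": src, "user": user, "event": event}


def validate_alert(events, src, threshold=5, window=timedelta(minutes=5)):
    """Task 1: confirm the alert. True if `src` produced at least `threshold`
    failed logins inside any `window`; False means a likely false positive."""
    failures = sorted(e["ts"] for e in events
                      if e["src"] == src and e["event"] == "login_failed")
    for i in range(len(failures)):
        j = i + threshold - 1
        if j < len(failures) and failures[j] - failures[i] <= window:
            return True
    return False


def determine_scope(events, src):
    """Task 2/3: which hosts and accounts `src` touched, and where it got in."""
    touched = defaultdict(set)  # host -> set of user names attempted
    with_success = set()
    for e in events:
        if e["src"] != src:
            continue
        touched[e["host"]].add(e["user"])
        if e["event"] == "login_success":
            with_success.add(e["host"])
    return {"hosts_touched": sorted(touched),
            "hosts_with_success": sorted(with_success),
            "accounts": sorted({u for users in touched.values() for u in users})}


def assess_severity(scope):
    """Severity rises with evidence of success, not with the number of attempts."""
    if not scope["hosts_with_success"]:
        return "low"       # attempts only, nothing succeeded
    if len(scope["hosts_with_success"]) > 1:
        return "high"      # success on several hosts: possible lateral movement
    return "medium"


def preserve_evidence(raw_lines):
    """Task 4: fingerprint the raw lines in their original order, so any later
    analysis can be checked against the evidence exactly as first collected."""
    h = hashlib.sha256()
    for line in raw_lines:
        h.update(line.encode("utf-8") + b"\n")
    return {"line_count": len(raw_lines), "sha256": h.hexdigest()}


def triage(raw_lines, alert_src, threshold=5):
    """Run the Phase 2 tasks for one alerted source address."""
    evidence = preserve_evidence(raw_lines)   # hash first, before any analysis
    events = [parse_line(line) for line in raw_lines]
    if not validate_alert(events, alert_src, threshold):
        return {"confirmed": False, "evidence": evidence}
    scope = determine_scope(events, alert_src)
    return {"confirmed": True, "severity": assess_severity(scope),
            "scope": scope, "evidence": evidence}


if __name__ == "__main__":
    for src in ("203.0.113.5", "198.51.100.7"):
        print(src, triage(SAMPLE_LOGS, src))
```

Two design points carry over to real tooling: the evidence hash is taken before parsing so that a parser bug or a later edit cannot silently change what "the initial evidence" was, and severity keys on confirmed success on more than one host rather than on raw attempt counts, which is what turns a noisy alert into a scoped incident ready for Phase 3.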