Incident Response Phases Cheat Sheet
NIST Incident Response framework phases and activities
Memory Trick: PICERL
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
| # | Phase | Description | Key Activities | Actions |
|---|---|---|---|---|
| 1 | Preparation | Establish IR capability before incidents occur | Create IR plan, Build team, Deploy tools, Train staff | Asset inventory, Risk assessment, Tool deployment |
| 2 | Identification | Detect and analyze potential security incidents | Monitor alerts, Analyze logs, Triage events | Determine scope, Classify severity, Document IOCs |
| 3 | Containment | Limit damage and prevent spread | Isolate systems, Block IPs, Disable accounts | Short-term: Isolate. Long-term: Harden |
| 4 | Eradication | Remove threat from environment | Remove malware, Patch vulnerabilities, Reset credentials | Find root cause, Remove all artifacts |
| 5 | Recovery | Restore systems to normal operations | Restore from backup, Rebuild systems, Validate security | Gradual restoration, Enhanced monitoring |
| 6 | Lessons Learned | Review incident and improve | Hold retrospective, Update procedures, Implement improvements | What went well? What to improve? |
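Added example (not part of the original cheat sheet): a small incident record that walks a constructed incident through the PICERL phases in the table above. It refuses to skip or reorder phases, enforces two of the table's exit criteria (IOCs documented before Containment, root cause found before Recovery), and derives the time-to-contain and time-to-recover metrics from the phase timeline. The incident name, IOC values and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum
from typing import List, Optional, Set, Tuple


class Phase(IntEnum):
    """PICERL phases in order. PREPARATION is organisational work done before
    any incident, so an Incident record starts at IDENTIFICATION."""
    PREPARATION = 1
    IDENTIFICATION = 2
    CONTAINMENT = 3
    ERADICATION = 4
    RECOVERY = 5
    LESSONS_LEARNED = 6


@dataclass
class Incident:
    name: str
    detected_at: datetime                       # time of first alert / triage
    severity: str = "unknown"
    phase: Phase = Phase.IDENTIFICATION
    iocs: Set[str] = field(default_factory=set)  # documented during Identification
    root_cause: str = ""                        # established during Eradication
    timeline: List[Tuple[Phase, datetime, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.timeline.append((Phase.IDENTIFICATION, self.detected_at, "incident opened"))

    def advance(self, to: Phase, at: datetime, note: str = "") -> Phase:
        """Move to the next phase only; phases are sequential and the
        timeline must not run backwards."""
        if to != self.phase + 1:
            raise ValueError(f"cannot move from {self.phase.name} to {to.name}: phases are sequential")
        if to == Phase.CONTAINMENT and not self.iocs:
            raise ValueError("document IOCs before containment")
        if to == Phase.RECOVERY and not self.root_cause:
            raise ValueError("find root cause before recovery")
        if at < self.timeline[-1][1]:
            raise ValueError("timeline must be monotonic")
        self.phase = to
        self.timeline.append((to, at, note))
        return self.phase

    def entered(self, phase: Phase) -> Optional[datetime]:
        """Timestamp at which the incident entered a phase, if it has."""
        for p, at, _ in self.timeline:
            if p == phase:
                return at
        return None

    def time_to_contain(self) -> Optional[timedelta]:
        at = self.entered(Phase.CONTAINMENT)
        return None if at is None else at - self.detected_at

    def time_to_recover(self) -> Optional[timedelta]:
        at = self.entered(Phase.RECOVERY)
        return None if at is None else at - self.detected_at


def example_run() -> dict:
    """Constructed incident walked through PICERL; also records the
    transitions the guard rejected."""
    t0 = datetime(2024, 1, 15, 9, 0)
    inc = Incident("WS-042 suspicious PowerShell", detected_at=t0, severity="high")
    rejected = []

    # Attempt to jump straight to Eradication: rejected (phases are sequential).
    try:
        inc.advance(Phase.ERADICATION, t0 + timedelta(minutes=10))
    except ValueError as e:
        rejected.append(str(e))

    # Attempt Containment with no IOCs documented: rejected.
    try:
        inc.advance(Phase.CONTAINMENT, t0 + timedelta(minutes=20))
    except ValueError as e:
        rejected.append(str(e))

    # Constructed IOCs (TEST-NET-2 address and a placeholder hash).
    inc.iocs.update({"198.51.100.23", "sha256:<placeholder>"})
    inc.advance(Phase.CONTAINMENT, t0 + timedelta(minutes=45), "host isolated via EDR")
    inc.root_cause = "phishing attachment executed a macro"  # found during Eradication
    inc.advance(Phase.ERADICATION, t0 + timedelta(hours=3), "malware removed, credentials reset")
    inc.advance(Phase.RECOVERY, t0 + timedelta(hours=8), "host rebuilt, enhanced monitoring")
    inc.advance(Phase.LESSONS_LEARNED, t0 + timedelta(days=2), "retrospective held")

    return {
        "phase": inc.phase.name,
        "ttc_minutes": inc.time_to_contain() // timedelta(minutes=1),
        "ttr_hours": inc.time_to_recover() // timedelta(hours=1),
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(example_run())
```

The guard conditions are deliberately minimal; a real tracker would carry the full set of exit criteria from the table (severity classified, all artifacts removed, security validated) and allow the loop back to Identification when Recovery uncovers a reinfection.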
Preparation is Key
Create IR plan, train team, deploy tools, and practice with tabletop exercises before an incident occurs.
Continuous Improvement
Lessons Learned is often the most overlooked phase, but it is critical for improving future response.