Incident Response Plan: How to Prepare for a Cyberattack Before It Happens
June 30, 2025 · 11 min read · System Networks
A company without an IR plan spends the first hours of an attack figuring out who does what. A company with a plan follows the procedure. The first 4 hours determine the difference between a controlled incident and a catastrophe.
6 NIST Incident Response Phases
1. Preparation
Create IR plan, assign roles, prepare tools, conduct training. The only phase that happens before the incident.
2. Detection & Analysis
Identify the incident, determine type and scope, classify by severity (P1/P2/P3).
3. Containment
Isolate infected systems, prevent spread. Short-term and long-term containment measures.
4. Eradication
Remove malicious code, close vulnerabilities, rotate compromised credentials.
5. Recovery
Restore systems to operational state, verify correctness, monitor for recurrence.
6. Post-Incident
Document the incident, identify root cause, update IR plan. The most important phase for prevention.
Ransomware Playbook
- Immediately isolate infected hosts from the network
- Stop backup jobs (protect backups from encryption)
- Identify patient zero via EDR logs
- Assess scope: what is encrypted, are clean backups available
- Pay vs restore decision — ONLY after full assessment
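As an added example (not part of the original article), the script below automates the first analysis steps of the playbook above and the severity classification from the Detection & Analysis phase: it parses constructed EDR-style log lines, finds patient zero (the first host showing an encryption indicator), lists the affected hosts in order, checks which hosts have a backup that completed before encryption started, and assigns P1/P2/P3. The log format, the `MASS_RENAME_THRESHOLD`, the ransom-note filename, the backup timestamps and the severity thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed EDR-style log lines for the example; not real telemetry.
# Format assumed here: "<ISO timestamp> host=<name> key=value ...".
EDR_LOG = """\
2025-06-30T08:01:12Z host=ws-042 event=process_start image=outlook.exe
2025-06-30T08:03:40Z host=ws-042 event=process_start image=wscript.exe parent=outlook.exe
2025-06-30T08:05:02Z host=ws-042 event=file_rename count=1843 ext=.locked
2025-06-30T08:05:10Z host=ws-042 event=file_create path=C:/Users/Public/README_RESTORE.txt
2025-06-30T08:09:55Z host=fs-01 event=file_rename count=52210 ext=.locked
2025-06-30T08:10:01Z host=fs-01 event=file_create path=D:/Shares/README_RESTORE.txt
2025-06-30T08:12:30Z host=ws-017 event=file_rename count=900 ext=.locked
2025-06-30T08:20:00Z host=ws-099 event=process_start image=chrome.exe
"""

# Constructed: time of the last completed backup per host
# (a host missing from this table has no backup at all).
LAST_BACKUP = {
    "fs-01": "2025-06-30T02:00:00Z",
    "ws-042": "2025-06-29T23:00:00Z",
}

# Assumed detection thresholds and indicator names; tune for your estate.
MASS_RENAME_THRESHOLD = 500
RANSOM_NOTE_NAMES = {"readme_restore.txt"}


@dataclass
class Event:
    ts: datetime
    host: str
    fields: dict = field(default_factory=dict)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_edr_log(text):
    """Parse key=value log lines into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(parse_ts(ts), fields.pop("host"), fields))
    return sorted(events, key=lambda e: e.ts)


def is_encryption_event(e):
    """Two indicators: a mass rename to one extension, or a ransom note drop."""
    f = e.fields
    if f.get("event") == "file_rename" and int(f.get("count", 0)) >= MASS_RENAME_THRESHOLD:
        return True
    if f.get("event") == "file_create":
        name = f.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        return name in RANSOM_NOTE_NAMES
    return False


def classify_severity(n_hosts, recoverable):
    """Assumed P1/P2/P3 scheme: unrecoverable data or 3+ hosts is P1."""
    if not recoverable or n_hosts >= 3:
        return "P1"
    return "P2" if n_hosts == 2 else "P3"


def triage(events, last_backup):
    """Patient zero, scope, backup status and severity from EDR events."""
    first_hit = {}  # host -> time of its first encryption indicator
    for e in events:
        if e.host not in first_hit and is_encryption_event(e):
            first_hit[e.host] = e.ts
    if not first_hit:
        return {"severity": None, "patient_zero": None, "affected_hosts": []}

    affected = sorted(first_hit, key=first_hit.get)
    patient_zero = affected[0]
    # A backup only counts as clean if it finished before that host's first indicator.
    unclean = [h for h in affected
               if h not in last_backup or parse_ts(last_backup[h]) >= first_hit[h]]
    # Events on patient zero before encryption began: the initial-access trail.
    lead_up = [(e.ts.isoformat(), e.fields) for e in events
               if e.host == patient_zero and e.ts < first_hit[patient_zero]]
    return {
        "patient_zero": patient_zero,
        "patient_zero_lead_up": lead_up,
        "affected_hosts": affected,
        "hosts_without_clean_backup": unclean,
        "severity": classify_severity(len(affected), not unclean),
    }


if __name__ == "__main__":
    report = triage(parse_edr_log(EDR_LOG), LAST_BACKUP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed log the report names ws-042 as patient zero (its lead-up shows wscript.exe spawned from outlook.exe before the mass rename), lists fs-01 and ws-017 as also encrypted, flags ws-017 as having no clean backup, and therefore rates the incident P1. The backup check is the point of the playbook's "stop backup jobs" step: a backup that ran after encryption started is not a restore candidate.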
Testing Your IR Plan
Tabletop exercise (quarterly): the team talks through an attack scenario without taking real actions. Cheap, fast.
Red/Blue team (annually): Red team attacks, Blue team defends. Reveals real gaps.
Full simulation (annually): execute the IR plan on a training incident. Most valuable.