Cybersecurity Incident Response: Building Your First IR Plan from Scratch

Why You Need an Incident Response Plan Yesterday

The question isn't if you'll face a cybersecurity incident — it's when. According to IBM's 2025 Cost of a Data Breach Report, organizations with a tested incident response plan saved an average of $2.66 million per breach compared to those without one. Yet an alarming number of IT teams still have no formal IR process.

This guide walks you through building a practical, actionable incident response plan — whether you're a solo sysadmin or part of a larger security team.

The 6 Phases of Incident Response

The NIST Computer Security Incident Handling Guide (SP 800-61) defines six phases that form the backbone of any IR plan:

1. Preparation — Building your team and tools before incidents occur
2. Identification — Detecting and confirming security incidents
3. Containment — Limiting the blast radius
4. Eradication — Removing the threat
5. Recovery — Restoring normal operations
6. Lessons Learned — Improving for next time

Phase 1: Preparation

Preparation is the most important phase because it determines how effectively you handle everything that follows.

Build Your IR Team

Define clear roles and responsibilities:

• Incident Commander — Leads response, makes critical decisions
• Technical Lead — Directs investigation and remediation
• Communications Lead — Manages internal/external communications
• Legal/Compliance — Ensures regulatory requirements are met
• Management Liaison — Keeps leadership informed

For smaller teams, one person may wear multiple hats — but document who does what.

Essential Tools and Resources

IR Toolkit Checklist:
□ SIEM or log aggregation (ELK Stack, Wazuh, Splunk)
□ Network monitoring (Wireshark, tcpdump, Zeek)
□ Endpoint detection (OSSEC, Velociraptor, CrowdStrike)
□ Forensic imaging (dd, FTK Imager, CAINE)
□ Malware analysis sandbox (ANY.RUN, Cuckoo)
□ Secure communication channel (Signal, encrypted email)
□ Offline contact list for all IR team members
□ Pre-approved forensic workstation
□ Chain of custody forms
□ Incident documentation templates

Create Communication Templates

Prepare templates for different scenarios before you need them:

• Initial incident notification (internal)
• Executive briefing template
• Customer notification (if data affected)
• Regulatory notification (GDPR: 72 hours)
• Media statement template

Phase 2: Identification

Early detection dramatically reduces impact. Set up monitoring for these common indicators of compromise (IoCs):

Network-Based Indicators

• Unusual outbound traffic patterns or volume spikes
• Connections to known malicious IP addresses or domains
• DNS queries to suspicious or newly registered domains
• Large data transfers outside business hours
• Lateral movement between internal systems

Host-Based Indicators

• Unexpected process execution or services
• Modified system files or unauthorized software
• Unusual login patterns (time, location, frequency)
• Disabled security tools or logging
• Unexpected scheduled tasks or cron jobs

Severity Classification

Level 1 (Critical): Active data breach, ransomware, compromised admin accounts
  → Response: Immediate, all-hands, 24/7 until resolved
  → Notification: Executive team, legal, potentially regulators

Level 2 (High): Confirmed malware, unauthorized access, data exfiltration attempt
  → Response: Within 1 hour, dedicated team assigned
  → Notification: IT management, security team

Level 3 (Medium): Suspicious activity, policy violations, phishing attempts
  → Response: Within 4 hours, during business hours
  → Notification: Security team, affected department

Level 4 (Low): Failed attacks, vulnerability discoveries, minor policy violations
  → Response: Next business day
  → Notification: Security team for tracking

Phase 3: Containment

The goal is to stop the bleeding without destroying evidence. There are two sub-phases:

Short-Term Containment

Immediate actions to limit damage:

# Isolate affected system (keep it running for evidence)
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

# Or use network-level isolation
# Move to quarantine VLAN via switch configuration

# Block malicious IPs at firewall
iptables -A INPUT -s 203.0.113.50 -j DROP

# Disable compromised accounts
passwd -l compromised_user
# Or in Active Directory:
# Disable-ADAccount -Identity compromised_user

Long-Term Containment

Sustainable measures while you investigate:

• Apply emergency patches to exploited vulnerabilities
• Implement additional monitoring on affected systems
• Reset credentials for affected accounts and services
• Deploy temporary firewall rules
• Set up enhanced logging on related systems

Evidence Preservation

# Create forensic image before any changes
dd if=/dev/sda of=/forensics/system_image.dd bs=4M status=progress

# Capture volatile data
date > /forensics/volatile_data.txt
ps auxf >> /forensics/volatile_data.txt
netstat -tulnp >> /forensics/volatile_data.txt
cat /proc/meminfo >> /forensics/volatile_data.txt
last -a >> /forensics/volatile_data.txt
history >> /forensics/volatile_data.txt

# Calculate hash for integrity
sha256sum /forensics/system_image.dd > /forensics/image_hash.txt

Phase 4: Eradication

Remove the threat completely:

• Identify and remove all malware and backdoors
• Patch exploited vulnerabilities across all affected systems
• Reset all potentially compromised credentials
• Review and clean affected accounts and permissions
• Scan all systems for additional indicators of compromise
• Update firewall rules and IDS/IPS signatures

Common Mistakes During Eradication

• Rebuilding too fast — Ensure you've found all entry points before rebuilding
• Missing persistence mechanisms — Check cron jobs, startup scripts, registry keys
• Forgetting lateral movement — The attacker may have spread to other systems
• Not changing all credentials — Attackers often harvest multiple credential sets

Phase 5: Recovery

Restore systems to normal operations carefully:

Recovery Steps

1. Rebuild affected systems from clean images or trusted backups
2. Apply all patches and hardening before reconnecting to network
3. Restore data from verified clean backups
4. Monitor recovered systems intensively for 30-90 days
5. Gradually restore normal access and operations
6. Validate system integrity before full production use

Recovery Monitoring Checklist

□ Enhanced logging enabled on all recovered systems
□ IDS/IPS rules updated with IOCs from this incident
□ Network traffic baseline re-established
□ User access reviewed and re-authorized
□ Backup integrity verified
□ External vulnerability scan completed
□ Penetration test scheduled (within 30 days)

Phase 6: Lessons Learned

This phase is often skipped but is arguably the most valuable. Hold a post-incident review within 1-2 weeks:

Post-Incident Review Questions

• What happened? (Timeline of events)
• How was it detected? Could we have detected it earlier?
• Were our containment measures effective?
• What tools or access did we lack during response?
• How well did communication work?
• What would we do differently?
• What improvements should we prioritize?

Document Everything

Create a formal incident report including:

• Executive summary
• Detailed timeline of events and response actions
• Root cause analysis
• Impact assessment (systems, data, business operations)
• Response effectiveness evaluation
• Recommended improvements with owners and deadlines

Testing Your IR Plan

An untested plan is just a document. Schedule regular exercises:

• Tabletop exercises (quarterly) — Walk through scenarios as a team discussion
• Simulation drills (bi-annually) — Practice actual response procedures
• Full-scale exercises (annually) — Test the entire response chain end-to-end

Conclusion

Building an incident response plan doesn't have to be overwhelming. Start with the basics: know who to call, what to do first, and where your critical assets are. Then iterate — each incident (or exercise) teaches you something new. The organizations that handle breaches best aren't the ones that never get breached; they're the ones that prepared for it.

Your first step today: identify your top 5 critical assets and ensure you have current, tested backups for all of them. That single action will put you ahead of most organizations.