The more people engage online, the more exposed they are to cyberattacks, and many end up searching for cyber security assistance. A cyberattack can be anything from threatening a person online to hacking social media accounts or devices. Victims do report cybercrimes, but the reporting rate is very low, especially in Asia. The real concern, however, is how to deal with cyber security issues once they occur.




This blog explains incident response and the SANS incident response steps in detail. It is very important for victims to learn how cybercrime cells act on their complaints.


Incident Response: A quick overview


In everyday language an ‘incident’ is something that happens, usually something unwelcome, and a ‘response’ is the reaction to it. In cyber security, then, ‘incident response’ is the action plan followed in reaction to a cyber security incident. If the incident has a high social or national impact, a quick alert is issued and an immediate response is mounted to eliminate follow-on threats and limit the damage.

Remember, not every cyber security event needs a full investigation. A single failed login attempt by an employee on site, for example, does not warrant one; such events are not painstaking to handle and can be dealt with routinely.

Your cyber security team should maintain an accessible list of the event types that do require investigation. From there, you should have tailored SANS incident response steps for each kind of incident.


Significance of Incident Response Steps


Be ready for a data leak: it is not merely a possible incident, it is a likely one. So plan around ‘when’, not ‘if’. Drawing up an action plan while under the stress of a major crisis is never a good idea; the time and effort you invest now will pay off later.

Incident response becomes stressful when a critical asset is involved and you recognize the high-risk profile of the incident. In such high-pressure situations the SANS incident response steps help you regain control and recover more rapidly. Response time is essential to minimizing loss, and when every second counts, having a game plan already in place is essential for success.


SANS Incident Response Steps


Have you heard of SANS before? It stands for SysAdmin, Audit, Network and Security. It is a private company that offers security services and maintains a standard incident response framework. Its incident response steps are accepted worldwide because they comply with industry standards.




There are six SANS incident response steps. Let’s explore each of them in detail.

Step 1: Preparation – The objective of the preparation stage is to ensure that the organization can respond swiftly and thoroughly to an incident. Its essential activities are:

  • Defining the policy.
  • Designing the response plan.
  • Making a communication plan.
  • Preparing documentation.
  • Forming an action team, the CSIRT (computer security incident response team).
  • Giving the CSIRT members access to the security tools they need.
  • Training the CSIRT.
  • Assessing, choosing and implementing the tools needed for the incident response action plan.


Step 2: Identification – This stage entails spotting deviations from the organization’s routine activity, determining whether those deviations are security incidents, and estimating how severe the event is. The activities involved in identification are:

  • Regularly monitoring vulnerable IT systems and infrastructure.
  • Staying alert to security notifications and regularly assessing events reported from different sources.
  • Identifying and documenting the incident.
  • Notifying the CSIRT and coordinating communication through a dedicated command center.
  • Keeping a record of every step taken against the incident.
  • Maintaining the ability to detect and prevent threats across different attack channels.
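The identification step lives or dies on telling a deviation that matters from one that does not. The script below is an added example, not code from the original post or from SANS: it parses constructed authentication log lines (the format imitates a typical sshd message, and every line, address and user name is made up), counts failed logins per source address inside a sliding time window, and raises an alert only when the count reaches a threshold. One stray failure by an employee, as mentioned earlier, produces nothing; a burst of failures from one source against several accounts becomes a candidate incident for the CSIRT to triage.

```python
"""Added example: threshold-based identification over constructed auth logs."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format:
# "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:02 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T09:05:10 sshd: Failed password for bob from 203.0.113.7
2024-03-01T09:05:11 sshd: Failed password for bob from 203.0.113.7
2024-03-01T09:05:12 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:05:13 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:05:14 sshd: Failed password for bob from 203.0.113.7
2024-03-01T09:05:15 sshd: Failed password for carol from 203.0.113.7
2024-03-01T10:30:00 sshd: Failed password for dave from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose failed logins inside any sliding
    window of length `window` reach `threshold`. Sources with fewer failures
    (one typo by an employee, say) produce no alert at all."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e)

    alerts = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the left edge forward until the window fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({
                    "ip": ip,
                    "failures": count,
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                    "first": evs[start]["ts"].isoformat(),
                    "last": evs[end]["ts"].isoformat(),
                })
                break  # one alert per source is enough for triage
    return alerts


def triage(text, threshold=5, window=timedelta(minutes=5)):
    """Convenience wrapper: raw log text in, list of alerts out."""
    return detect_bruteforce(parse_events(text), threshold, window)


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: {a['failures']} failures against {a['users']} "
              f"between {a['first']} and {a['last']}")
```

Running it on the sample prints a single alert for 203.0.113.7; the lone failures from 10.0.0.5 and 192.0.2.9 stay below the threshold and are left to routine handling. The threshold and window are the tunable part of the "list of event types that require investigation"; the alert record, with first and last timestamps and the accounts touched, is the start of the incident documentation the step calls for.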


Step 3: Containment – The two objectives at this step are to limit the harm from the current security incident and to prevent further damage. Fully addressing the incident without losing evidence that may later be needed for prosecution requires several actions:

  • Short-term containment to limit damage before the incident does more harm.
  • Creating a system backup that can be used as evidence in court.
  • Long-term containment: rebuilding clean systems.


Step 4: Eradication – This step aims to fully restore all affected computers by removing any malware or other artifacts the attack left behind.

  • Cleaning and re-imaging affected hard disks.
  • Addressing the underlying risks and causative factors.
  • Implementing a basic security plan.
  • Scanning the systems with anti-malware software.


Step 5: Recovery – This step involves restoring the system to full operation after confirming that it is clean and no threat remains.

  • Scheduling the restoration of the system.
  • Testing and verifying the system before it is returned to service.
  • Keeping the system under observation for recurring malware and vulnerabilities.
  • Planning and implementing whatever is possible to prevent recurrent attacks.
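Two of the steps above share one mechanism: a backup taken for use in court (Step 3) is only worth anything if you can later prove it has not changed, and a rebuilt system kept under observation (Step 5) needs a baseline against which later changes show up. The script below is an added example, not code from the original post or from SANS. It builds a SHA-256 manifest of every file under a directory, verifies a preserved copy against its manifest, and diffs a baseline manifest against a later one to list added, removed and modified files. The directory it walks in the demo is constructed in a temporary folder; the file names and contents are made up.

```python
"""Added example: SHA-256 manifests for evidence integrity and recovery monitoring."""

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest, out_path):
    """Persist the manifest as sorted JSON so it can be stored with the evidence."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifests(baseline, current):
    """Return added / removed / modified relative paths between two manifests."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def verify_evidence(root, manifest):
    """True only if every manifest entry is present and unchanged and nothing
    has been added: the condition a preserved copy must satisfy."""
    d = diff_manifests(manifest, build_manifest(root))
    return not (d["added"] or d["removed"] or d["modified"])


def demo():
    """Constructed walk-through: preserve, verify, then observe a change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "evidence"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "notes.txt").write_text("constructed sample file\n")

        baseline = build_manifest(root)
        save_manifest(baseline, Path(tmp) / "manifest.json")
        untouched = verify_evidence(root, load_manifest(Path(tmp) / "manifest.json"))

        # Simulate activity noticed while the system is under observation.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 example.invalid\n")
        (root / "new.bin").write_bytes(b"\x00\x01")
        changes = diff_manifests(baseline, build_manifest(root))
        tampered = verify_evidence(root, baseline)
        return untouched, tampered, changes


if __name__ == "__main__":
    ok, bad, changes = demo()
    print("copy intact before changes:", ok)
    print("copy intact after changes:", bad)
    print(json.dumps(changes, indent=2))
```

For containment, run `build_manifest` once at the moment the backup is taken, store the JSON alongside it, and re-run `verify_evidence` whenever the copy changes hands; a `False` means the copy can no longer be presented as unchanged. For recovery, the manifest of the freshly rebuilt system is the baseline, and `diff_manifests` on a later pass is the observation the step asks for: it does not say what a change means, but it tells you exactly which files to look at.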


Step 6: Lessons Learned – No later than two weeks after the incident has ended, the CSIRT should gather all relevant data about it and draw lessons that can aid future incident response work.

  • Completing the documentation.
  • Publishing an incident report that answers the full range of questions about the incident.
  • Determining, based on the incident report, how the CSIRT can perform better.
  • Defining standards for comparison.
  • Holding a meeting with the CSIRT to discuss the lessons learned from the incident.


Takeaway


The SANS incident response steps explained in this blog are of key importance for cyber security. Follow all six steps so that no cyber security threat is left unaddressed.

