6-Step Incident Response Process (NIST SP 800-61)
01 🔍 Preparation
Before the breach — build the muscle memory
  • IR plan documented and tested
  • Roles and responsibilities defined
  • Tabletop exercises run regularly
  • Tools and access provisioned in advance
  • Communication trees established
  • Legal, comms, DPO contacts ready
⏱ Ongoing
02 🚨 Detection & Analysis
Something's wrong — understand what and how bad
  • Validate the alert is real (not false positive)
  • Classify severity and incident type
  • Identify patient zero and entry vector
  • Preserve evidence immediately
  • Notify incident commander and stakeholders
  • Open incident log and timeline
⏱ Minutes to hours
03 🔒 Containment
Stop the spread — isolate without destroying evidence
  • Short-term: isolate affected hosts
  • Block C2 IPs and malicious domains
  • Disable compromised accounts
  • Long-term: segment network
  • Notify legal re: evidence handling
  • Start ICO 72-hr clock if data breached
⏱ Hours to days
04 🧹 Eradication
Remove the attacker — completely, not partially
  • Remove malware and all persistence mechanisms
  • Patch or close the initial access vector
  • Reset all compromised credentials
  • Rebuild from clean golden images
  • Verify no backdoors or web shells remain
  • Confirm attacker has no remaining access
⏱ Hours to days
05 🔄 Recovery
Restore operations — carefully and monitored
  • Restore from verified clean backups
  • Staggered reconnection to network
  • Heightened monitoring post-recovery
  • Test systems before returning to production
  • Validate backup integrity before relying on it
  • Update stakeholders and close comms loop
⏱ Days to weeks
06 📋 Post-Incident Review
Learn and improve — the most skipped step
  • Full timeline and root cause documented
  • Detection gaps identified
  • Playbooks updated based on findings
  • Actions assigned with owners and dates
  • Regulatory reporting completed
  • Lessons fed into next tabletop exercise
⏱ Within 2 weeks
The 6-step process maps to NIST SP 800-61 Rev 2 and is aligned with NCSC Incident Management guidance. Steps 1–2 happen before and at the start of an incident. Steps 3–5 are the active response. Step 6 closes the loop — it's the phase most organisations skip under time pressure, and the one that most determines long-term resilience. Preparation (step 1) is the force multiplier: every hour invested before an incident saves ten during one.
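The timing constraints above (evidence preserved before containment, the ICO 72-hour clock once a personal-data breach is confirmed, the review due within two weeks of closure) are easy to lose track of during an incident. The following is an added example, not part of the original page: a small Python checker that reads a constructed incident log and reports skipped phases, evidence-handling order and deadline status. The log format (`timestamp | phase | event`) and the keyword markers it looks for are assumptions of this example.

```python
from datetime import datetime, timedelta

# Phase order as listed on the page. Moving backwards (re-containing a host found
# during recovery) is normal, so the check only flags phases skipped entirely.
PHASES = ["detection", "containment", "eradication", "recovery", "post-incident"]
ICO_CLOCK = timedelta(hours=72)   # notification window from breach confirmation
PIR_WINDOW = timedelta(days=14)   # the page's "within 2 weeks" post-incident review

def parse(line):
    """Assumed log format: ISO timestamp | phase | free-text event."""
    ts, phase, event = line.split(" | ", 2)
    return datetime.fromisoformat(ts), phase, event

def check_timeline(log_lines):
    events = [parse(l) for l in log_lines]
    assert events == sorted(events, key=lambda e: e[0]), "log must be chronological"
    seen = [p for _, p, _ in events]
    # 1. Every phase up to the furthest one reached must appear (no skipped step).
    last = max(PHASES.index(p) for p in seen)
    skipped = [p for p in PHASES[:last + 1] if p not in seen]
    # 2. Evidence must be preserved before the first containment action.
    first_contain = next((t for t, p, _ in events if p == "containment"), None)
    preserved = next((t for t, _, e in events if "evidence preserved" in e), None)
    evidence_ok = preserved is not None and (first_contain is None or preserved <= first_contain)
    # 3. ICO clock starts when a personal-data breach is confirmed (assumed marker text).
    found = next((t for t, _, e in events if "breach confirmed" in e), None)
    notified = next((t for t, _, e in events if "ICO notified" in e), None)
    ico_deadline = found + ICO_CLOCK if found else None
    ico_ok = found is None or (notified is not None and notified <= ico_deadline)
    # 4. Post-incident review is due two weeks after closure.
    closed = next((t for t, _, e in events if "incident closed" in e), None)
    pir_due = closed + PIR_WINDOW if closed else None
    return {"skipped_phases": skipped, "evidence_ok": evidence_ok,
            "ico_deadline": ico_deadline, "ico_ok": ico_ok, "pir_due": pir_due}

# Constructed sample log for a fictional incident (not real data).
SAMPLE_LOG = [
    "2024-03-04T09:12:00 | detection | alert validated, not a false positive",
    "2024-03-04T09:40:00 | detection | evidence preserved: memory image, EDR timeline",
    "2024-03-04T10:05:00 | containment | host isolated, compromised accounts disabled",
    "2024-03-04T11:30:00 | containment | personal-data breach confirmed",
    "2024-03-05T08:00:00 | eradication | persistence removed, host rebuilt from golden image",
    "2024-03-06T14:00:00 | recovery | staggered reconnection, heightened monitoring",
    "2024-03-06T16:20:00 | recovery | ICO notified",
    "2024-03-07T12:00:00 | recovery | incident closed",
]

if __name__ == "__main__":
    print(check_timeline(SAMPLE_LOG))
```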
Full Attack & Response Lifecycle
The attack phases map to the MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain. The response phases align with NIST SP 800-61 and NCSC Incident Management guidance. Understanding both chains together is what turns reactive firefighting into a structured, repeatable response capability.