Incident Response: A Step-by-Step Guide
Respond faster, fix smarter.
Last updated: March 20, 2026
Someone clicks a phishing link. Or your server starts behaving strangely. Or you get a call from the FBI saying your network is attacking others.
This is an incident. Not every incident is a disaster, but every incident needs a response.
Most SMBs either ignore it ("probably nothing") or panic ("call everyone"). Neither works. You need a process.
What this solves
Contains damage quickly. The faster you isolate an issue, the less it spreads.
Preserves evidence. If this is a breach, you need logs and files intact for investigation.
Gets systems back online. Business continuity, not just forensics.
Meets compliance requirements. HIPAA, PCI-DSS, cyber insurance — all expect documented incident response.
Protects customers and partners. They deserve to know when their data might be affected.
What can go wrong
Delaying response. "Let's wait and see" is the most expensive decision you can make during a breach.
Changing or deleting evidence. Files get cleaned, logs rotate, malware gets deleted. Now you can't figure out what happened.
Restoring from backup before understanding the scope. You wipe a server to "fix" it, then discover the attacker was in your network for three months. The wipe destroyed the evidence that would have shown you that, and every backup taken during those three months carries the attacker's access along with it.
Over-restricting access. Resetting every password and locking everyone out of every system at once stops the business cold and can lock out the people doing the response. Restrict the accounts and systems you have a reason to suspect, then widen the net as you learn more.
Not documenting. You fix it. You forget how. Next time you start from scratch.
Incident response phases
Phase 1: Detection and identification (0-30 minutes)
Confirm it's real. Is this a real attack, or a failed update? A configuration error, or actual malicious activity?
Scope it quickly. How many systems? What type of activity? Is it spreading?
Preserve evidence. Take screenshots, export logs, image affected systems if possible. Do this before you fix anything.
Phase 2: Containment (30 minutes - 2 hours)
Isolate affected systems. Pull the network cable or disable the network adapter rather than powering the machine off; a shutdown destroys what is in memory, which is often the only record of what the attacker ran. If you cannot disconnect it any other way, powering it off is still better than letting it keep running. Block suspicious IPs. Disable compromised accounts. This stops the bleeding.
Preserve business operations. Can the rest of the business keep running? Redirect traffic? Workaround the affected system?
Escalate if needed. If you don't have internal expertise, call in help. If it's a breach with data loss, consider legal counsel and cyber insurance notification.
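A small triage script for the first two phases, added here as an illustration and not part of the original guide. It reads sshd log lines (constructed sample data; the threshold of four failures is an assumed tuning knob), separates a brute-force attempt that eventually logged in from a user mistyping a password, reports first and last activity per source address so you can scope the incident, and produces the block/disable list that containment acts on:

```python
"""Triage sshd auth log lines: decide whether a burst of failed logins is a
real attack, scope it by source address, and list containment actions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not from any real system. syslog timestamps
# omit the year, so the year is supplied when parsing (assumed 2026 below).
SAMPLE_LOG = """\
Mar 20 02:14:01 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 20 02:14:02 web1 sshd[4122]: Failed password for invalid user test from 203.0.113.45 port 51024 ssh2
Mar 20 02:14:03 web1 sshd[4123]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 20 02:14:04 web1 sshd[4124]: Failed password for deploy from 203.0.113.45 port 51028 ssh2
Mar 20 02:14:05 web1 sshd[4125]: Failed password for deploy from 203.0.113.45 port 51030 ssh2
Mar 20 02:14:09 web1 sshd[4130]: Accepted password for deploy from 203.0.113.45 port 51040 ssh2
Mar 20 09:02:11 web1 sshd[5001]: Failed password for alice from 192.0.2.10 port 50011 ssh2
Mar 20 09:02:20 web1 sshd[5002]: Accepted password for alice from 192.0.2.10 port 50012 ssh2
Mar 20 11:45:00 web1 sshd[6100]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Mar 20 11:45:01 web1 sshd[6101]: Failed password for invalid user postgres from 198.51.100.7 port 40002 ssh2
Mar 20 11:45:02 web1 sshd[6102]: Failed password for invalid user ubuntu from 198.51.100.7 port 40003 ssh2
Mar 20 11:45:03 web1 sshd[6103]: Failed password for invalid user pi from 198.51.100.7 port 40004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

FAILURE_THRESHOLD = 4  # assumed: this many failures from one address is an attack, not a typo


def parse(lines, year=2026):
    """Turn log text into (timestamp, ip, user, accepted) tuples; skip unrelated sshd messages."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space syslog uses for days < 10
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def triage(lines):
    """Per source address: failure count, accepted users, first/last seen, and a verdict."""
    per_ip = defaultdict(lambda: {"failures": 0, "accepted": [], "first": None, "last": None})
    for ts, ip, user, ok in sorted(parse(lines)):
        rec = per_ip[ip]
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        if ok:
            rec["accepted"].append(user)
        else:
            rec["failures"] += 1
    verdicts = {}
    for ip, rec in per_ip.items():
        brute = rec["failures"] >= FAILURE_THRESHOLD
        if brute and rec["accepted"]:
            verdict = "compromised"  # guessing worked: this is real and the account is gone
        elif brute:
            verdict = "attempted"    # real, but no login succeeded
        else:
            verdict = "benign"       # a user fumbling a password
        verdicts[ip] = {**rec, "verdict": verdict}
    return verdicts


def containment_plan(verdicts):
    """Addresses to block and accounts to disable, derived from the verdicts."""
    block = sorted(ip for ip, r in verdicts.items() if r["verdict"] != "benign")
    disable = sorted({u for r in verdicts.values() if r["verdict"] == "compromised" for u in r["accepted"]})
    return {"block_ips": block, "disable_accounts": disable}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, r in sorted(result.items()):
        print(f"{ip:15} {r['verdict']:12} failures={r['failures']} accepted={r['accepted']} "
              f"window={r['first']:%H:%M:%S}..{r['last']:%H:%M:%S}")
    print(containment_plan(result))
```

Feed it the real `/var/log/auth.log` (or `journalctl -u ssh`) instead of `SAMPLE_LOG`; the "window" column is your first answer to "how long has this been going on", and the plan is the list you hand to whoever operates the firewall and the directory.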
Phase 3: Eradication (2-24 hours)
Remove the attacker. Close the entry point first: the exposed service, the phished mailbox, the unpatched application. Then remove malware, change the credentials the attacker used, and patch the exploited vulnerability.
Verify removal. Check for backdoors and persistence mechanisms: new scheduled tasks or cron jobs, new services, added SSH keys, new admin accounts, mailbox forwarding rules. If you only remove what you first noticed, expect the attacker back.
Update defenses. Rotate every credential the attacker could have seen, not only the one they used: shared admin passwords, API keys, and service accounts are often reused across systems. Do the rotation after the entry point is closed, or the attacker simply collects the new passwords.
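An example of the persistence scan in Phase 3, added to this guide and not taken from it. It walks the common Linux persistence locations (an assumed list, a starting point rather than an exhaustive inventory) and reports anything changed after the suspected intrusion time. Point `root` at `/` on the live host or at a mounted disk image; the `demo()` function builds a throwaway tree of constructed files so the logic can be tried anywhere.

```python
"""Persistence check for Phase 3: report files in the usual Linux persistence
locations that changed after the suspected intrusion time.
Run as root on the live host (root="/") or point it at a mounted disk image."""
import os
import tempfile
import time
from pathlib import Path

# Assumed list of common persistence locations, relative to the filesystem root.
PERSISTENCE_GLOBS = [
    "etc/crontab", "etc/cron.d/*", "etc/cron.hourly/*", "etc/cron.daily/*",
    "var/spool/cron/crontabs/*",
    "etc/systemd/system/*.service", "etc/systemd/system/*.timer",
    "etc/rc.local", "etc/ld.so.preload", "etc/profile.d/*",
    "root/.ssh/authorized_keys", "home/*/.ssh/authorized_keys",
    "home/*/.bashrc", "home/*/.profile",
]


def recently_changed_persistence(root, since_epoch, check_ctime=True):
    """Return {relative_path: {"mtime": ..., "ctime": ...}} for persistence files
    changed at or after since_epoch.

    mtime can be back-dated by an attacker (touch -r), so on a live system the
    ctime comparison is the one to trust. It is switchable only so the demo
    below can use a freshly built tree, whose ctimes are all 'now'."""
    root = Path(root)
    hits = {}
    for pattern in PERSISTENCE_GLOBS:
        for p in root.glob(pattern):  # pathlib's glob matches dotfiles, unlike the glob module
            if not p.is_file():
                continue
            try:
                st = p.stat()
            except OSError:
                continue
            changed = st.st_mtime >= since_epoch or (check_ctime and st.st_ctime >= since_epoch)
            if changed:
                hits[p.relative_to(root).as_posix()] = {"mtime": st.st_mtime, "ctime": st.st_ctime}
    return hits


def build_demo_tree(root, now):
    """Constructed sample filesystem: one old, legitimate cron job and two files
    an attacker might drop (a hidden cron entry and an added SSH key)."""
    root = Path(root)
    files = {
        "etc/cron.d/logrotate": now - 90 * 86400,            # untouched for months
        "etc/cron.d/.update": now - 3600,                    # dropped an hour ago
        "home/deploy/.ssh/authorized_keys": now - 2 * 3600,  # key added two hours ago
    }
    for rel, mtime in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("# constructed sample content\n")
        os.utime(p, (mtime, mtime))
    return root


def demo(days_back=7):
    """Build the sample tree and scan it for changes in the last `days_back` days."""
    now = time.time()
    root = build_demo_tree(tempfile.mkdtemp(), now)
    return recently_changed_persistence(root, now - days_back * 86400, check_ctime=False)


if __name__ == "__main__":
    for path, ts in sorted(demo().items()):
        print(f"{time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(ts['mtime']))}  {path}")
```

A clean result is not proof of a clean host: an attacker with root can rewrite timestamps or hide in places this list does not cover, which is why the guide says to bring in help when you see evidence of persistent access. What the scan does give you is a short list of files to read before you declare eradication done.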
Phase 4: Recovery (24-72 hours)
Restore systems. From backups taken before the intrusion started, if needed, and patch restored systems before reconnecting them, or they come back with the same hole. Verify restored systems are clean.
Monitor closely. After an incident, expect follow-up attempts. Watch for unusual activity.
Resume normal operations. Bring systems back online in a controlled manner. Test before fully opening.
Phase 5: Lessons learned (within 1 week)
Document the incident. Timeline, what happened, what you did, what worked, what didn't.
Identify gaps. How did they get in? What controls failed? What needs to change?
Implement fixes. Prioritize based on what you learned.
What it costs (honest ranges)
Internal response (if capable): Staff time only. But requires training and preparation.
Forensic consultant (specialized incident response firm): $5,000-$25,000 for a typical SMB incident. Includes investigation, evidence preservation, and remediation guidance.
Legal counsel for breach notification: $3,000-$15,000 depending on scope and jurisdiction. Required for most breach notifications.
Credit monitoring for affected individuals: $10-$30 per person per year. Required by some regulations after data breaches.
Cyber insurance claim handling: Usually covered, but expect a deductible of $1,000-$10,000 depending on your policy.
Minimum viable implementation
- Designate an incident commander. One person who owns the incident, makes calls, and coordinates response.
- Create a contact list. Who do you call? IT vendor, cyber insurance, legal counsel, key employees. Have numbers before you need them.
- Preserve evidence first. Before you fix anything, screenshot and export what you can.
- Contain aggressively. Disconnect affected systems. Change passwords. Block IPs. You can reconnect later.
- Communicate. Internal stakeholders, external customers if affected. Don't surprise anyone.
- Document everything. Every action, every decision, every timestamp.
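The "preserve evidence first" and "document everything" items above, as an added example that is not code from the original guide: copy the files you have, hash them, write a manifest recording who collected what and when, keep a timestamped action log, and check later that the copies have not changed. The file names, the collector identity and the log line in `demo()` are constructed.

```python
"""Preserve evidence before touching anything: copy, hash, record who collected
what and when, and be able to prove later that the copies are unchanged."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def now_utc():
    # UTC with an explicit offset, so timelines from different hosts line up
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def log_action(evidence_dir, who, note):
    """Append one timestamped line to the action log; never rewrite earlier lines."""
    with open(Path(evidence_dir) / "actions.log", "a") as f:
        f.write(f"{now_utc()} {who}: {note}\n")


def preserve(sources, evidence_dir, collector):
    """Copy each source into evidence_dir, hash it, and write manifest.json."""
    ev = Path(evidence_dir)
    ev.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": now_utc(), "collector": collector, "items": []}
    for n, src in enumerate(sources):
        src = Path(src)
        dest = ev / f"{n:03d}_{src.name}"
        shutil.copy2(src, dest)  # copy2 keeps the original mtime; the original is never moved
        digest = sha256_of(dest)
        if digest != sha256_of(src):
            raise RuntimeError(f"copy of {src} does not match its source")
        os.chmod(dest, 0o444)  # read-only: makes accidental edits fail loudly
        manifest["items"].append({
            "original": str(src), "copy": dest.name,
            "size": dest.stat().st_size, "sha256": digest,
        })
    (ev / "manifest.json").write_text(json.dumps(manifest, indent=2))
    log_action(ev, collector, f"preserved {len(sources)} file(s) into {ev}")
    return manifest


def verify(evidence_dir):
    """Return a list of problems; an empty list means every copy still matches the manifest."""
    ev = Path(evidence_dir)
    manifest = json.loads((ev / "manifest.json").read_text())
    problems = []
    for item in manifest["items"]:
        copy = ev / item["copy"]
        if not copy.exists():
            problems.append(f"{item['copy']}: missing")
        elif sha256_of(copy) != item["sha256"]:
            problems.append(f"{item['copy']}: hash mismatch")
    return problems


def demo():
    """Constructed scenario: preserve one log file, then simulate a cleanup that empties the copy."""
    work = Path(tempfile.mkdtemp())
    log = work / "auth.log"
    log.write_text("Mar 20 02:14:09 web1 sshd[4130]: Accepted password for deploy from 203.0.113.45 port 51040 ssh2\n")
    ev = work / "evidence"
    preserve([log], ev, "jane@example.com")
    clean = verify(ev)
    log_action(ev, "jane@example.com", "disconnected web1 from the network")
    os.chmod(ev / "000_auth.log", 0o644)
    (ev / "000_auth.log").write_text("")  # the mistake from "What can go wrong": evidence cleaned
    return clean, verify(ev)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "ok")
    print("after tampering: ", after)
```

Copy the evidence directory to removable media or another machine as soon as it is written; a manifest on the compromised host proves nothing if the host is later wiped. The action log doubles as the raw material for the Phase 5 timeline.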
Vendor questions (copy/paste)
Ask your IT vendor or MSP:
- Do you have an incident response process?
- What's your response time for security incidents?
- Do you have forensic capabilities, or do you bring in a separate firm?
- Have you handled incidents like ours before?
- Do you coordinate with our cyber insurance carrier?
Ask your cyber insurance carrier:
- What's the process to open a claim?
- Do you provide incident response resources as part of coverage?
- What's covered and what's excluded?
When to hire help
Any suspected data breach. If customer data was accessed, you need legal guidance on notification requirements.
Ransomware attack. This is specialized. Don't try to handle this without experienced help.
Active attacker in your network. If you see evidence of persistent access, assume you don't know the full scope.
You're not sure what happened. A good forensic response tells you the full scope, not just the obvious problem.
Incident response isn't about being perfect. It's about being prepared enough to respond quickly, contain damage, and learn from what happened. Do it right the first time, and you limit the cost.