Incident Response
Incident Response (IR) is the structured process for detecting, containing, resolving, and following up on cybersecurity incidents. A well-prepared IR process determines the extent and duration of the damage caused by an attack.
Incident Response (IR), also known as emergency management, refers to all activities an organization undertakes when a cybersecurity incident is detected or suspected. The decisive factor separating a minor incident from a crisis that threatens the organization's survival is the quality of its preparation.
According to the IBM Cost of a Data Breach Report 2024, companies with a well-developed IR plan incur average damage costs of $2.66 million per incident—compared to $5.37 million for companies without an IR plan. Statistically, the IR plan saves over $2.7 million per incident.
The PICERL Model
PICERL is the most widely used IR lifecycle model (according to SANS) and comprises six phases:
P - Preparation
The most important phase—it takes place before the incident. No preparation means chaos when the crisis hits.
Documentation & Planning:
- IR Plan: Who does what, in what order, using which tools?
- Runbooks/Playbooks: Scenario-specific step-by-step instructions (ransomware, data breach, account compromise)
- Communication Matrix: Internal escalation paths, external contacts (BSI, BKA, data protection authority, law enforcement, insurance, lawyer, PR)
- Crisis exercises: Tabletop exercises and technical simulations
Technical preparation:
- SIEM with documented use cases and alert rules
- Endpoint Detection & Response (EDR) on all systems
- Centralized logging (retention for at least 12 months)
- Offline backups with tested recovery procedures
- Forensic readiness: hardware write blockers and forensic imaging software, ready for use before they are needed
I - Identification
Detection and initial assessment of the incident. Common sources of detection:
- SIEM alerts and SOC monitoring
- EDR alerts (behavioral anomalies, malware detection)
- Employee reports ("my computer is acting strangely")
- External notifications (BSI CERT-Bund, ISAC partners, customers)
- Ransomware notification on the screen (unfortunately, often only at this stage)
Critical initial questions:
- What exactly happened? When was it discovered?
- Which systems, users, and data are affected?
- What is the current status of the attack? Is the attack still ongoing?
- Is this a targeted or untargeted attack?
Classification: Not every security event is an incident. A clear classification matrix (severity levels 1–4 or P1–P4) prevents alarm fatigue and ensures that critical incidents are immediately given the appropriate priority.
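As an added example (not code from the original article), the following Python routine applies a severity matrix of the kind described above and folds repeated alerts from the same rule on the same host into one incident with a count, so a noisy rule does not page the on-call responder for every hit. The tiers, scores, P1–P4 thresholds, the 15-minute grouping window and the sample events are all assumptions constructed for this example; an organization substitutes its own matrix.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Severity matrix for triage.  Asset criticality (from the CMDB) and urgency
# (is the attacker still active?) combine into a priority P1..P4.
# Tiers, scores, thresholds and the grouping window are assumptions made for
# this example; every organization defines its own matrix.
ASSET_SCORE = {"critical": 3, "high": 2, "medium": 1, "low": 0}
URGENCY_SCORE = {"active": 2, "recent": 1, "historic": 0}
PRIORITY_ORDER = ["P4", "P3", "P2", "P1"]  # lowest .. highest


@dataclass
class Event:
    ts: datetime
    rule: str          # SIEM/EDR use-case id that fired
    host: str
    asset_tier: str    # "critical" | "high" | "medium" | "low"
    confirmed: bool    # analyst-confirmed or high-fidelity rule, vs. raw alert
    ongoing: bool      # adversary activity still observed at triage time


@dataclass
class Incident:
    rule: str
    host: str
    priority: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1     # number of alerts folded into this incident


def priority_for(asset_tier: str, urgency: str) -> str:
    """Matrix lookup: combined score 0..5 -> P1 (highest) .. P4 (lowest)."""
    score = ASSET_SCORE[asset_tier] + URGENCY_SCORE[urgency]
    if score >= 5:
        return "P1"
    if score >= 3:
        return "P2"
    if score >= 1:
        return "P3"
    return "P4"


def classify(ev: Event) -> Optional[str]:
    """Decide whether an event is an incident at all and, if so, its priority.

    Unconfirmed alerts on low/medium assets stay plain events: they are queued
    for analyst review instead of paging the on-call responder.  Anything on a
    high or critical asset, and every confirmed alert, becomes an incident.
    """
    if not ev.confirmed and ev.asset_tier in ("low", "medium"):
        return None
    urgency = "active" if ev.ongoing else "recent"
    return priority_for(ev.asset_tier, urgency)


def triage(events: List[Event], window: timedelta = timedelta(minutes=15)) -> List[Incident]:
    """Fold qualifying events for the same (rule, host) that arrive within
    `window` of the previous one into a single incident with a count, so a
    noisy rule produces one ticket rather than a page per alert.  A group
    takes the highest priority seen in it."""
    incidents: List[Incident] = []
    latest: Dict[Tuple[str, str], Incident] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        prio = classify(ev)
        if prio is None:
            continue
        key = (ev.rule, ev.host)
        inc = latest.get(key)
        if inc is not None and ev.ts - inc.last_seen <= window:
            inc.last_seen = ev.ts
            inc.count += 1
            if PRIORITY_ORDER.index(prio) > PRIORITY_ORDER.index(inc.priority):
                inc.priority = prio
        else:
            inc = Incident(ev.rule, ev.host, prio, ev.ts, ev.ts)
            incidents.append(inc)
            latest[key] = inc
    return incidents


# Constructed sample: three ransomware-behaviour alerts on a critical file
# server within five minutes, one low-value noise alert, and a repeat hit on
# the same server three hours later after the activity had stopped.
T0 = datetime(2024, 3, 4, 2, 0)
SAMPLE_EVENTS = [
    Event(T0, "edr.ransomware_behaviour", "FS01", "critical", False, True),
    Event(T0 + timedelta(minutes=1), "edr.ransomware_behaviour", "FS01", "critical", False, True),
    Event(T0 + timedelta(minutes=5), "edr.ransomware_behaviour", "FS01", "critical", True, True),
    Event(T0 + timedelta(minutes=2), "siem.failed_logins", "WS17", "low", False, False),
    Event(T0 + timedelta(hours=3), "edr.ransomware_behaviour", "FS01", "critical", True, False),
]

if __name__ == "__main__":
    for inc in triage(SAMPLE_EVENTS):
        print(f"{inc.priority} {inc.rule} on {inc.host}: {inc.count} alert(s) "
              f"{inc.first_seen:%H:%M}-{inc.last_seen:%H:%M}")
```

Run as is, the sample yields two incidents: a P1 for the three grouped alerts on FS01 while the activity was ongoing, and a separate P2 for the later hit outside the window; the unconfirmed noise alert on the low-tier workstation never becomes an incident.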
C - Containment
Preventing further spread. Two strategies:
Short-Term Containment: Immediate measures that limit the damage but disrupt operations as little as possible:
- Isolate the affected network segment (move the host to a quarantine VLAN)
- Lock affected accounts or reset passwords
- Disable the affected service
- Do not power off affected systems: volatile memory contains forensic evidence that a shutdown destroys
Long-Term Containment: Stabilization measures while remediation is prepared:
- Apply patches or activate workarounds
- Increased monitoring on all systems
- Harden exposed systems
Critical Point: Mistakes are often made in this phase—shutdowns that are too early or too extensive destroy forensic evidence and can unnecessarily interrupt business processes.
E - Eradication
Complete removal of the attacker and their tools. Typical measures:
- Complete forensic analysis of compromised systems (malware search, IOC extraction)
- Reinstallation of compromised systems (reimaging—cleaning alone is not sufficient for APTs)
- Closing all known and probable entry points
- Reset all compromised credentials—and more if in doubt
- In case of AD compromise: reset the KRBTGT account password twice (the second reset only after the first has replicated to all domain controllers) and perform a forensic AD analysis
Common mistake: Eradication too early without a complete understanding of the scope of the attack—the attacker has backdoors that were not removed and will return.
R - Recovery
Return to normal operations - gradually, with increased monitoring.
Define recovery criteria: When can a system be considered "clean"? What criteria determine when a system is returned to production?
Prioritization: Restore critical business processes first. Determine the restoration order in advance via a Business Impact Analysis (BIA).
Increased Monitoring: Maintain heightened vigilance for at least 30–90 days following a major incident—attackers frequently return to known targets.
L - Lessons Learned (Follow-up)
The most frequently skipped phase, yet the most important for organizational development.
Post-Incident Review (within 2 weeks of incident resolution):
- What happened? (Timeline)
- How did the attacker gain initial access? Could it have been prevented?
- What worked well? What didn’t?
- Which detection rules are missing?
- Which playbooks need to be created or improved?
- What technical improvements are necessary?
Result: Updated IR plan, new SIEM use cases, concrete hardening measures with assigned responsibilities and deadlines.
Reporting Requirements in Germany
Certain incidents are subject to legal reporting requirements:
| Law | Affected Parties | Deadline | Reporting Authority |
|---|---|---|---|
| GDPR | All companies handling personal data | 72 hours | State Data Protection Authority |
| NIS2 / BSIG | KRITIS (critical infrastructure) operators | 24-hour early warning, 72-hour notification | BSI |
| DORA | Financial institutions | 4-hour initial notification, 72-hour report | BaFin |
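The post-incident timeline from the Lessons Learned phase and the reporting deadlines in the table above can be derived from the same normalized event data. The following Python script is an added example, not code from the article or from AWARE7: it parses a few constructed log lines from three sources with different timestamp conventions, normalizes them to UTC, orders them into a timeline, computes dwell time and time to contain, and derives the notification deadlines from the first detection. The log formats, the regular expressions, the fixed UTC+1 offset assumed for the syslog source, the phase labelling, and treating first detection as the point of awareness are all assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed log lines from three sources with different timestamp
# conventions: EDR (ISO 8601, UTC), a VPN gateway via syslog (no year, no
# zone) and the SOC ticket system (local time with explicit offset).
SAMPLE_LINES = [
    "2024-03-04T02:17:43Z edr host=FS01 alert=ransomware_behaviour proc=svc.exe",
    "Mar  3 22:05:10 vpn-gw sshd[4711]: Accepted password for jdoe from 203.0.113.7 port 51514",
    "2024-03-04 03:31:00 +0100 soc ticket=IR-0042 action=contain host=FS01 isolated",
    "2024-03-03T23:40:12Z edr host=WS17 alert=credential_dumping proc=lsass.exe",
]

# Assumptions for the syslog source: the incident year, and a fixed UTC+1
# offset (CET; no daylight saving time in early March).
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=1))

# Phase labelling is an analyst decision; here the VPN login is taken as the
# initial access because the (assumed) investigation established that.
PHASES = {"vpn_login": "initial_access", "edr_alert": "detection", "containment": "containment"}

# Hours after the organization becomes aware of the incident, as listed in the
# reporting table above.
DEADLINES_H = {
    "GDPR notification": 72,
    "NIS2/BSIG early warning": 24,
    "NIS2/BSIG notification": 72,
    "DORA initial notification": 4,
    "DORA report": 72,
}

EDR_RE = re.compile(r"^(\S+Z) edr host=(\S+) alert=(\S+)")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                       r"Accepted (\S+) for (\S+) from (\S+)")
SOC_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) soc ticket=(\S+) action=contain host=(\S+)")

TimelineEntry = Tuple[datetime, str, str]  # (UTC timestamp, event type, description)


def parse_line(line: str) -> Optional[TimelineEntry]:
    """Normalize one log line to a UTC-stamped entry; None for unknown formats."""
    m = EDR_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return ts, "edr_alert", f"EDR alert {m.group(3)} on {m.group(2)}"
    m = SYSLOG_RE.match(line)
    if m:
        local = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)} {m.group(2)} {m.group(3)}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=SYSLOG_TZ)
        return (local.astimezone(timezone.utc), "vpn_login",
                f"{m.group(5)} login as {m.group(6)} from {m.group(7)} on {m.group(4)}")
    m = SOC_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
        return ts.astimezone(timezone.utc), "containment", f"{m.group(3)} isolated (ticket {m.group(2)})"
    return None


def build_timeline(lines: List[str]) -> List[TimelineEntry]:
    """Parse all lines and order them chronologically in UTC."""
    return sorted(e for e in map(parse_line, lines) if e is not None)


def metrics(timeline: List[TimelineEntry]) -> Dict[str, object]:
    """Dwell time (initial access -> first detection) and time to contain
    (first detection -> first containment action)."""
    first: Dict[str, datetime] = {}
    for ts, etype, _ in timeline:
        first.setdefault(PHASES[etype], ts)
    return {
        "initial_access": first["initial_access"],
        "detected": first["detection"],
        "contained": first["containment"],
        "dwell_time": first["detection"] - first["initial_access"],
        "time_to_contain": first["containment"] - first["detection"],
    }


def notification_deadlines(aware_at: datetime) -> Dict[str, datetime]:
    """Statutory clocks start at awareness; here first detection is used as
    the awareness point (an assumption: legally, awareness can be later)."""
    return {name: aware_at + timedelta(hours=h) for name, h in DEADLINES_H.items()}


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LINES)
    for ts, etype, desc in tl:
        print(f"{ts:%Y-%m-%d %H:%M:%S}Z  {PHASES[etype]:<15} {desc}")
    m = metrics(tl)
    print(f"dwell time: {m['dwell_time']}, time to contain: {m['time_to_contain']}")
    for name, due in notification_deadlines(m["detected"]).items():
        print(f"{name}: {due:%Y-%m-%d %H:%M}Z")
```

The point of normalizing to UTC before sorting is visible in the sample: the syslog line reads "Mar 3 22:05" and the SOC ticket "03:31 +0100", and only after conversion does the order of initial access, first detection and containment come out correctly. Which timestamp counts as "awareness" for the statutory clocks is a decision the IR lead records in the ticket, not something the script can know.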
Internal Team vs. External IR Service Provider
In-house IR capacity (recommended for ~200+ employees):
- Advantages: Knowledge of the infrastructure, rapid availability, familiarity with business processes
- Disadvantages: High costs for 24/7 on-call support, building expertise takes years
External IR retainer (recommended for SMEs): A pre-signed contract with an IR service provider guarantees priority availability in an emergency. Costs: typically €15,000–€40,000/year for a retainer contract that can be activated immediately in an emergency—significantly cheaper than an unplanned engagement during a crisis (€2,000–€5,000/day).
Sources & References
- [1] NIST SP 800-61r2 - Computer Security Incident Handling Guide - National Institute of Standards and Technology
- [2] BSI - IT-Grundschutz Baustein DER.2.1 Incident Management - Bundesamt für Sicherheit in der Informationstechnik
- [3] SANS Incident Handler's Handbook - SANS Institute
About the Author
Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal) with a research focus on phishing awareness, behavioral security and nudging in IT security. Responsible for building and maintaining ISMSs, leads internal audits according to ISO/IEC 27001:2022 and advises as an external information security officer (ISB) in KRITIS sectors. Lecturer for Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.
3 Publications
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Self-promotion with a Chance of Warnings: Exploring Cybersecurity Communication Among Government Institutions on LinkedIn (2024)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)