In this section, we’re going to describe the general steps in the process of handling an incident. The process starts at the point when the incident is detected, whether by a human noticing and reporting an anomaly or by an automated detection system alerting the operator to a problem. For the purposes of this discussion, we don’t care how the incident is reported, only that it is. We should point out, though, that almost every incident we’ve worked on was detected and reported by a person. We’ll also emphasize that the word “reported” in the previous sentence is not to be taken lightly. It is rare indeed to find an employee who diligently reports system security anomalies. With that out of the way, let’s begin the fun stuff. The sirens are blaring, and your emergency team has been dispatched!

There are five distinct phases to the incident response process. In the next few pages, we briefly summarize them and provide readers with additional food for thought regarding how to approach incident response activities. The five steps are Incident Identification, Coordination, Mitigation, Investigation, and Education, as shown in Figure 6-1.

Figure 6-1. The five steps of incident response