The incident phases
The phases are the periods a company moves through to handle an attack — outlined here from experience and the textbook. NIST uses 4 phases; SANS uses 6.
| Phase | What happens |
|---|---|
| Preparation | Peace-time. Prepare tools (hardware + software) and all documents — governance, IT security policy, contingency and crash plans. The link to governance lives here. |
| Identification & Analysis | Something goes wrong. Triage whether it is a security incident or an ordinary crash. Collect data, identify how the attacker got in, analyse malicious file behaviour, domains and IPs contacted. |
| Containment (Lockdown) | Use what you have learned to block the attack — block domains/IPs in DNS, firewall, proxy; block files in anti-malware; detect by hash; alert on patterns with YARA; close shared drives to stop spread. |
| Recovery (Restore) | Identify day zero — the date the incident began — so you can restore from before that point. |
| Monitoring | For larger attacks, run an intensified monitoring period (days to months). If something recurs, lock the environment down again to stop re-infection. |
| Back to normal (Lessons Learned) | Resume normal operations, hold a retrospective, capture what went well or badly, and feed it into the plans — driving Continual Service Improvement. |
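The Containment and Recovery rows above, worked through as an added example that is not part of the original notes: the IOCs, log lines and host names are constructed, and the DNS sinkhole (dnsmasq `address=` form), firewall and YARA outputs are one possible rendering of the blocking steps the table lists.

```python
"""Turn what Identification & Analysis produced into Containment and Recovery
artifacts: match known IOCs against log lines, derive day zero (earliest hit),
and emit block entries plus a hash-based YARA rule."""
import hashlib
import re
from datetime import datetime

# Constructed IOCs, as if produced while analysing the malicious file.
IOCS = {
    "domains": {"update-cdn.example.net"},
    "ips": {"203.0.113.45"},
    "sha256": {hashlib.sha256(b"constructed dropper").hexdigest()},
}

# Constructed log lines: timestamp, host, event kind, indicator value.
LOGS = """\
2024-03-04T08:12:09Z ws-17 dns update-cdn.example.net
2024-03-04T09:40:51Z ws-17 file_hash {h}
2024-03-05T11:02:33Z ws-22 conn 203.0.113.45:443
2024-03-06T07:15:00Z ws-09 dns intranet.example.com
""".format(h=next(iter(IOCS["sha256"])))

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def match_events(log_text):
    """Return (timestamp, host, indicator) for every line that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, _kind, value = m.groups()
        value = value.split(":")[0]  # drop the port from ip:port
        if value in IOCS["domains"] or value in IOCS["ips"] or value in IOCS["sha256"]:
            hits.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), host, value))
    return hits

def day_zero(hits):
    """Earliest observed indicator: restore from a point before this date."""
    return min(h[0] for h in hits).date() if hits else None

def containment_rules():
    """DNS sinkhole and firewall entries plus a YARA rule keyed on the file hash."""
    dns = [f"address=/{d}/0.0.0.0" for d in sorted(IOCS["domains"])]
    fw = [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(IOCS["ips"])]
    yara = ('import "hash"\nrule dropper_by_sha256 {\n  condition:\n    '
            + " or ".join(f'hash.sha256(0, filesize) == "{h}"' for h in sorted(IOCS["sha256"]))
            + "\n}")
    return dns, fw, yara
```

Hosts that appear in the hits (ws-17 and ws-22 here) are the ones to isolate from shared drives first; day zero tells you which backup generation is safe to restore.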
Going back is allowed
If you discover something was missed, or new data appears, nothing stops you from going back and re-analysing the malware or artifact. The phases are a cycle, not a one-way street.