The Six Stages of Incident Response

Cyber Security

The Six Stages of Incident Response

Incident Response is an essential part of protecting your business. Below we look at the six-step process and use compromised email software as an example 

What is Incident Response 

Incident Response is preparing for the unexpected. 

It is a set of procedures aimed at identifying and responding to potential threats to your business. 

A well-crafted Incident Response plan contains strategies to prevent incidents from occurring, and steps to manage and address the aftermath if they do. 

Incident Response can be broken down into a six-step process: 







These six steps are the best steps to take to protect your business: 

Still, businesses must be aware that no Incident Response plan should look the same. 

How you respond to a power outage will look different from how you react to a cyber attack. 

The Six Stages of Incident Response 

Incident Response requires a tailored plan for any possible incident, as no two situations can be responded to in the same way. 

However, all plans should follow the general steps outlined below. 

91% of all cyber attacks start with a phishing email and will be used as an example to demonstrate the six stages of Incident Response.

🔎 Identify

The most significant part of Incident Response planning is identifying and prioritising your systems. 

The hardest part is getting started. 

Essential questions to ask yourself at this phase include 

💡 What technology do I and my employees rely on in order to effectively run our day-to-day operations?? (e.g. Internet)

💡What if this technology stops working, can we continue to operate without it? (e.g. Payroll system is online could you create checks by hand?)

💡If not, how long can we operate without it? (e.g. paying staff?)

💡How does it affect your employees, your finances, and your customers? (e.g. employees will quit)

Evaluate your assets and identify what type of protection is necessary to protect them. You could do this by answering these questions:

💡What kind of data do we store?

💡Whose data is it—ours or somebody else’s?

💡What would the consequences be if the data were hacked or lost?  

At this stage, you should clearly understand where your business’s weaknesses lie. This will help you understand which incidents are most likely to occur.

✅ Sorbis Tips for Managing Email Compromises 

91% of all cyber attacks start with a phishing email. The best way for managing an email compromise is to prevent it from happening in the first place. 

💡Good housekeeping is key. Keep your email system up to date by auditing your email systems regularly for unused accounts and disabling or deleting them if they’re no longer needed. Many email compromises occur due to old or unused email accounts. If you don’t need the account, don’t create it

💡Engage other members of the organization to get more input.

💡Make a possibly serious situation fun. Role-play an email compromise scenario to get everyone thinking. This will help you get a few levels down with identifying how a real compromise will affect your organization. 


By thoroughly identifying your business’s weaknesses and blind spots in the first phase, you can implement strategies to protect your business and avoid incidents from having lasting impacts on your systems and procedures. 

Protection strategies include:  

⚙️Using backups. 

⚙️Implementing security controls like firewalls. 

⚙️Training employees on security best practices.

✅ Sorbis Tips for Managing Email Compromises 

To protect your business from email compromises, you might implement the following tactics: 

⚙️Make sure your email system is configured properly and MFA is installed on all licensed accounts, and shared mailboxes are configured to block access.

⚙️Implement Microsoft Defender for 365 

⚙️Implement email tagging. These are messages you see on emails like “this email originated outside the organization”. It’s simple to do and free to set up on Microsoft 365 and Gmail. 

⚙️Implement a cyber security awareness program for your organization. Awareness is the #1 deterrent against cybercrimes. 


Once you have identified your business’s vulnerabilities and put measures in place to protect them, you should be able to detect threats relatively quickly. 

Setting up procedures and systems to actively monitor your assets and identify unusual activity is vital at this phase. 

Detecting irregularities quickly—such as an email that just doesn’t look right—is essential to limiting the damage and getting your systems back up and running.

A key part of detection is ensuring that all your employees are trained to identify potential threats. 

✅ Sorbis Tips for Managing Email Compromises 

In the case of an email compromise, you may have the following detection procedures in place:

       🔦 Awareness training is vital, so your team is educated and can detect a possible compromise.

      🔦Configure your email system to alert you for suspicious activities such as creating forwards or logins from unexpected locations. 


You need to have a plan to respond to detected cyber incidents to ensure that your business does not experience lasting effects. 

This plan should include strategies for containment, investigation, and resolution.

It’s critical to ensure that all staff are aware of the incident response plan and know their roles and responsibilities in the event of an incident.

When creating your response plan, regardless of what the incident is, ask the following questions: 

💡How quickly can we isolate and cut off impacted systems?

💡Do we have an emergency backup procedure in place?

💡What systems contain the most sensitive data?  

💡Do we have a 24/7 response team available?

✅ Sorbis Tips for Managing Email Compromises 

In the case of an email compromise, here is a possible response strategy: 

      👨‍💻 Block Access

      👨‍💻 Check and remove Illicit Consent Grant

      👨‍💻 Check and remove malicious Inbox Rules

      👨‍💻 Determine who should be contacted based on the incident, your cyber insurance carrier, the authorities (do you have their contact information), and of course clients that were affected by a mass email.  

      👨‍💻Communicate timely, honestly, clearly, and often with everyone affected by the incident.Do not say anything you are uncertain about. Just the facts. 


Following any incident, businesses must have a plan in place to resume normal business operations as soon as possible to avoid disruptions.

This phase is about restoring and returning affected or damaged systems and devices to your business environment.

A well-crafted incident response plan will help you resolve an incident, minimize the damage caused and restore normal operations quickly and effectively.

Steps to include in your recovery plan: 

⚙️Restoring systems affected by the attack.

⚙️Implementing security controls to prevent the incident from happening again.

⚙️Contact your cyber insurance company 

⚙️Take legal action against perpetrators.

✅ Sorbis Tips for Managing Email Compromises 

In the case of an email compromise, the following steps may aid in recovery: 

  1. If the compromise is significant, it is best to contact your insurance carrier for direction. 
  2. Back up the affected user’s mailbox in case it needs to be used for further investigation. 
  3. Change the password on the account and make sure MFA is enabled on the account. 


The sixth step is an added layer of reflection. When you have experienced an incident, the goal is to prevent them from happening again. 

It is essential to understand what happened and why so that you can do better next time and minimize the risk of the incident occurring again. 

When looking at an incident that has occurred, ask yourself: 

💡What happened?

💡Why did it happen?

💡How did we handle it?

💡How can we prevent this from occurring again?

💡How can we do better next time?

You will also want to find out the answers to these questions and document them:

💡Who has access to the infected servers?

💡Which network connections were active when the incident occurred?

💡How was the incident initiated?

An incident response plan should be reviewed and updated regularly to remain relevant and practical. Cyber incidents can occur anytime, so it’s crucial to be prepared.

✅ Sorbis Tips for Managing Email Compromises 

📋Update everyone on the details of the incident as they are known

📋Determine if additional preparation could have prevented the incident, detected it sooner or expedited the incident response process

📋Determine if there were any difficulties or confusion in following this plan or related procedures

Work With an IT Service Provider Like Sorbis

Running a business is tough and cyber incident response planning can often fall to the bottom of priority lists.

Getting started is the hardest part, but we at Sorbis can help you by: 

  • Providing a weekly report that allows us to audit all the mailboxes.
  • Offering you cyber security awareness training to educate your team
  • Creating a plan to protect against phishing scams and other incidents
  • Creating and testing your backups regularly.

Get in touch with me, Gene, to discuss your cyber readiness needs or if you have any IT related questions!

Partner with us today so we can offer you the best way to shield your business against cyber incidents. 

Get in touch for more information, we’re always here to help. 

Share Article:

Related Posts
Cyber Essentials Starter Kit

Cyber Essentials Starter Kit

Cybersecurity & Infrastructure Security Agency (CISA) is part of the U.S. Department of Homeland Security. CISA developed this guide that Sorbis recommends everyone follow for implementing organizational cybersecurity.

The New York City Guide to IT Support Services and Fees

“Technology” can be vague, so it’s hard to know what you’re really going to get when you hire support.

This guide will help you compare apples to apples with confidence!