Incident Response Process (Part 2) (Domain 4)
Following detection and analysis, the next phases in an incident response plan are containment, eradication, and recovery—critical steps that stop the spread of an attack and restore operations. Containment involves isolating affected systems, blocking malicious traffic, disabling compromised accounts, and ensuring the attacker cannot escalate further. Eradication is the process of removing malware, deleting backdoors, or addressing vulnerabilities that allowed the intrusion in the first place. Once cleared, recovery begins with restoring clean systems from backup, re-establishing connectivity, and validating that services are functioning properly without residual threats. We also stress the importance of continuous communication with stakeholders during this phase—both technical and non-technical. These steps must be guided by tested procedures, timing, and verification to prevent reinfection or further damage.
