The 6 Phases Of Action-plan For Cyber Incident Response Plan By MIRAT


An Information Technology Incident Response (IT IR) plan, presented here by MIRAT in six phases, is a documented strategy that IT teams follow when dealing with information security incidents.

An emergency IT IR plan should be set up in phases to deal with a suspected data breach. Keep in mind that different areas of need should be addressed at different times.

Read on for the phases of the IT IR plan as presented by MIRAT:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned (conclusions drawn from experience)


Preparation

The first step in a cyber incident response plan should always be thorough preparation. Before an incident occurs, establish appropriate procedures and equip yourself with the necessary tools. The major steps in this phase are:

  • Identifying and protecting your most valuable assets
  • Analyzing data gathered from previous incidents

Keep a few key tools and resources on hand for the cyber security incident response plan, and keep a wide variety of them. For example, your organization should have several different communication and coordination mechanisms available in case one of them fails.

After that, conduct simulation exercises to train your IR team as part of the cyber security incident response plan. Running a variety of simulation exercises on a regular basis keeps the team aware of the breadth of its responsibilities.

Identification - Recognizing the Problem

The second stage of the cyber IR plan begins with the discovery of the actual occurrence. Start by answering the question: is this behavior unusual? Once the incident type has been determined, look at the impacted areas of your network or system. In other words, be on the lookout for unusual activity, such as unusual login attempts, new files that should not be there, and so on. Evaluate the situation as fully as possible, because doing so simplifies executing the cyber IR plan later on.

This assessment helps you resolve the current situation, and the information and insights it produces can be kept for future use as well. The situational assessment is followed by an evaluation of the incident type. In most cases, an incident can be classified into one of the following six groups:

  • Unauthorized use or access
  • Denial of service
  • Malicious code
  • Inappropriate usage
  • Attempts to gain access via scanning, probing, or other means
  • Incidents that require investigation

Incident identification, as part of the cyber security IR plan, simplifies the entire process. Three main factors are involved:

  • Incidents are detected at various levels of detail using a variety of methods, which are classified as automated or manual detection. Automated detection relies on tools such as IDPSs, security software, and document analyzers that can be used on both the network and the host. Manual detection (where most of the issues arise) may or may not catch an incident.
  • A large number of signs that an incident may occur. The average large company receives hundreds of thousands of intrusion prevention sensor alerts each day.
  • Specialized practical understanding and extensive experience are necessary to execute the cyber security IR plan and analyze the incident-related data accurately and efficiently.


Containment

After gathering sufficient information about what happened, the IR team should focus on containing the threat to prevent further damage. This phase should begin with isolating the infected system from the rest of the environment and fully backing up all of the system's sensitive data.

After that, you can apply a short-term fix to prevent the problem from getting worse. This phase's primary objective is to reduce the incident's size and scope. Check whether the infected system or network is up and running, then choose one of the following options:

Option 1: Disconnect the infected machine from the network and let it continue running on its own.

Option 2: Immediately disconnect the entire system.

Option 3: Allow the system to run normally while you continue to keep tabs on it.

All of these are viable options for dealing with the problem at hand.


Eradication

The IR team must also focus on finding a long-term solution that restores all the directly impacted entities.

Eradication is a straightforward procedure that removes the infection from your contaminated network or system. This phase should begin only after all other public and private actions have been completed. The two most critical elements of this stage are:

Clean-up: When cleaning up, make sure to run robust anti-malware and antivirus software, remove infected software, reboot or change the original operating system and hardware, and rebuild the network if necessary (depending on the severity of the attack).

Notification: Notify everyone in the chain of command who might be affected.

Multiple “playbooks” for common incidents should be created to aid the IR team in adopting a standardized approach to the event.

Recovery Phase

Bringing the malfunctioning device or network back into service is the final step in this process. This phase covers everything from restoring services to any remaining restoration efforts. There are two steps to this process:

  • Restoring the company's services as planned.
  • Validating the system/network to ensure it is fully functional.

Here, the infected entity is returned to a secure and functional state.

Lessons Learned

Remember, after the investigation, file all the evidence away; in other words, record everything.

Doing so leaves your organization better equipped to deal with any possible attacks and able to extract more value from the ones you've already had. After an incident has been successfully handled, the IR team should set up a review meeting to identify any necessary improvements to the security controls and practices already in place. Holding such meetings regularly can help to reduce the number of incidents. Make sure the review meeting helps you identify current security flaws and deficiencies in policy and procedure.

As a result of these discussions, you have the option to alter your current incident response strategy. This step ensures that your IR team evolves to reflect current threats and technological improvements. The resulting material can also be used to train new team members properly. As the final step, create a follow-up report after each incident.
