{"id":7843,"date":"2026-02-22T19:29:06","date_gmt":"2026-02-22T17:29:06","guid":{"rendered":"https:\/\/scalemedia.co.za\/cybermedia\/?post_type=docs&#038;p=7843"},"modified":"2026-02-22T19:29:08","modified_gmt":"2026-02-22T17:29:08","password":"","slug":"incident-handling-process-overview","status":"publish","type":"docs","link":"https:\/\/scalemedia.co.za\/cybermedia\/docs\/incident-handling-process-overview\/","title":{"rendered":"Incident Handling Process Overview"},"content":{"rendered":"\n<p>Now that we are familiar with the Cyber Kill Chain and its stages, we can better predict and anticipate the next steps in an attack and also suggest appropriate measures against them.<\/p>\n\n\n\n<p>Just like the Cyber Kill Chain, there are different stages when responding to an incident, defined as the&nbsp;<code>Incident Handling Process<\/code>. The&nbsp;<code>Incident Handling Process<\/code>&nbsp;defines a capability for organizations to prepare, detect, and respond to malicious events. Note that this process is suited for responding to IT security events, but its stages do not correspond to the stages of the Cyber Kill Chain in a one-to-one manner.<\/p>\n\n\n\n<p>As defined by NIST, the incident handling process consists of the following four distinct stages:&nbsp;<img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/ir-lifecycle.png\" alt=\"Incident response process flowchart: Preparation, Detection &amp; Analysis, Containment Eradication &amp; Recovery, Post-Incident Activity.\"><\/p>\n\n\n\n<p>Incident handlers spend most of their time in the first two stages,&nbsp;<code>preparation<\/code>&nbsp;and&nbsp;<code>detection and analysis<\/code>. This is where we, as incident handlers, spend much time improving ourselves and looking for the next malicious event. 
When a malicious event is detected, we move on to the next stage and respond to the event (but there should always be resources operating in the first two stages, so there is no disruption of preparation and detection capabilities). As we can see in the image, the process is not linear but cyclic. The main point to understand at this stage is that as new evidence is discovered, the next steps may also change. It is vital to ensure that we don&#8217;t skip steps in the process and that we complete a step before moving on to the next one. For example, if we discover ten infected machines, we should certainly not proceed with containing just five of them and starting eradication while the remaining five stay in an infected state. Such an approach can be ineffective because, at the bare minimum, we are notifying an attacker that we have discovered them and that we are hunting them down, which, as we can imagine, can have unpredictable consequences.<\/p>\n\n\n\n<p>So, incident handling has two main activities, which are&nbsp;<code>investigating<\/code>&nbsp;and&nbsp;<code>recovering<\/code>. The investigation aims to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Discover<\/code>\u00a0the initial &#8216;<code>patient zero<\/code>&#8217; victim and create an ongoing (if still active) incident timeline.<\/li>\n\n\n\n<li>Determine which\u00a0<code>tools<\/code>\u00a0and malware the adversary used.<\/li>\n\n\n\n<li><code>Document<\/code>\u00a0the compromised systems and what the adversary has done.<\/li>\n<\/ul>\n\n\n\n<p>Following the investigation, the recovery activity involves&nbsp;<code>creating and implementing a recovery plan<\/code>. 
Once the plan is implemented, the business should resume normal operations, if the incident caused any disruptions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Now that we are familiar with the Cyber Kill Chain and its stages, we can better predict and anticipate the next steps in an attack and also suggest appropriate measures against them. Just like the Cyber Kill Chain, there are different stages when responding to an incident, defined as the&nbsp;Incident Handling Process. The&nbsp;Incident Handling Process&nbsp;defines&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"doc_category":[44],"doc_tag":[],"class_list":["post-7843","docs","type-docs","status-publish","hentry","doc_category-incident-handling-process"],"year_month":"2026-04","word_count":410,"total_views":0,"reactions":{"happy":0,"normal":0,"sad":0},"author_info":{"name":"admin","author_nicename":"admin","author_url":"https:\/\/scalemedia.co.za\/cybermedia\/author\/admin\/"},"doc_category_info":[{"term_name":"Incident Handling 
Process","term_url":"https:\/\/scalemedia.co.za\/cybermedia\/docs-category\/incident-handling-process\/"}],"doc_tag_info":[],"_links":{"self":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/comments?post=7843"}],"version-history":[{"count":1,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7843\/revisions"}],"predecessor-version":[{"id":7844,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7843\/revisions\/7844"}],"wp:attachment":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media?parent=7843"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_category?post=7843"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_tag?post=7843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}