Incident Response - Medium Incident Process
Company Name
Overview
A Medium Incident requires full engagement by the CIRT; however, the BIRT Lead and other team members will only be engaged as needed. The BIRT Lead will be engaged by the CIRT Lead and will determine whether additional team members need to be involved in the incident response. Other team members will be engaged by the BIRT Lead as needed.
The classification criteria for a Medium Incident are as follows:
| Criticality | Criteria | Business Impacts | Resources |
|---|---|---|---|
| Medium | Malicious Code: Single malware variant on 10-24 hosts; malware connection attempts on multiple hosts. Compromised Data: Data exfiltration identified from a single internal system; internal compromise or breach of information with potential legal, privacy, or operational implications. Unauthorized Access: Unauthorized alteration or disabling of security controls; confirmed unauthorized access to a non-privileged account; attempted unauthorized access to, or changes to, a privileged account; successful phishing or other social engineering attack(s). Denial of Service: Loss of availability affecting systems deemed P2 (Vital services) | Likely loss of some transient data due to desktop/laptop replacements; failure to meet internal SLAs; fewer than 10 sites impacted. Customer Impacts: Single customer impacted; out-of-band communication with customers required. Operational Impacts: Inability to monitor critical systems; creation of reporting gaps. Possible Legal or Regulatory Impacts: Mandatory regulatory reporting; potential for legal action, or legal action threatened | CIRT |
Although it may impact some areas of the organization’s business, a Medium Incident will not have a material business or financial impact on the organization. It is still important to resolve the incident as quickly as possible; however, the impact of not doing so is not significant to the organization’s overall business.
A Medium Incident that is similar to previous incidents, or that may occur again in the future, is a candidate for a Standard Incident. Upon completion of the incident, the IT Security Team may choose to complete a Standard Incident template for the incident. Additional details may be found in the Guideline - Standard Incident.
Roles and Responsibilities
- Responsible: CIRT Lead
- Accountable: BIRT
- Consult: CIRT, SMEs
- Inform: CIRT
CIRT
If a Medium Incident is restricted to one technology or area, the CIRT Lead may choose to engage only the CIRT members whose knowledge is needed to handle the incident.
The CIRT Lead plays a critical role in all Medium Incidents; however, it is important to note that the primary role of the CIRT Lead is to advise and recommend.
The BIRT Lead is accountable for determining the best course of action for the business based on the recommendations provided by the CIRT Lead and any additional information provided by team members.
While team members receive their direction from the BIRT Lead, the CIRT Lead, having the deeper technical understanding, will still guide the team members in determining how best to meet the objectives set by the BIRT Lead.
BIRT
In the case of a Medium Incident, the BIRT will be responsible for determining the business representatives required to help with this specific incident.
The CIRT Lead will begin by convening the permanent members first, who will then decide whether to manage the entire incident on their own or which additional members to activate.
All decisions related to what actions to take during a Medium Incident will be made by the BIRT with input from the CIRT Lead and team members.
The CIRT Lead will provide recommendations, but all decisions will be made by the BIRT representative who has the best understanding of the business impact of any action.
Team Members
Team members provide the necessary detail to the BIRT Lead to enable them to make decisions regarding what steps should be taken during the containment, eradication, and recovery phases of the incident response. The team members are then accountable for taking the steps directed by the BIRT Lead to accomplish the objectives of the incident response.
The CIRT Lead will provide guidance to the team members to enable them to best achieve the objectives set out by the BIRT Lead; however, all actions will be directed by the BIRT Lead.
Purpose
This document outlines the key steps in the Medium Incident Response process with additional information provided by the guidelines for the key steps of Containment, Eradication, Recovery and Lessons Learned.
Artifacts
Completed Templates (LINKS)
Activities
The primary activities in a Medium Incident response are:
- Activate Incident Response and notify participants
- Convene Incident Response teams
- Assess the incident
- Containment
- Eradication
- Recovery
- Lessons Learned
Activate Security Incident Response
IT Security will notify the CIRT Lead and BIRT Lead to inform them that incident response has been activated and provide details for convening the incident response teams. The CIRT Lead and BIRT Lead must also be notified to alert them of the incident. All Leads must confirm receipt of the notification and their subsequent participation. If no response is received within 15 minutes, the alternate Leads must be contacted.
Convene Incident Response Teams
The BIRT Lead and CIRT Leads must then follow their own call-out processes to engage their respective team members, ensuring that all parties are available within
A conference bridge will be started by the CIRT Lead to ensure that all required parties are able to obtain information and participate as required.
Assess Incident
While the incident is already classified as a Medium Incident, additional information may be required to determine the best course of action.
During this phase, the BIRT Lead must:
- Assess the Risk to the Business
- Assess Legal Implications
- Identify and Communicate with Stakeholders
- Assess People Impact
These steps are explained in detail in the Guideline - Incident Classification
Containment
The objective of the Containment phase is to put measures in place to ensure that the situation does not become worse and to prevent an attacker or malware from spreading further.
During this phase:
- The CIRT Lead recommends a containment plan to the BIRT Lead to be reviewed, adjusted, and approved
- Legal, People, Health and Safety, Environment, and Regulatory teams will assist with non-technical containment steps
- Team members will stop the attack from proceeding any further with technical guidance from the CIRT Lead and ultimate approval for all actions from the BIRT Lead
- Systems will be backed up in their current state and forensic evidence will be preserved where desirable and practicable
- The CIRT Lead will notify the Help Desk to ensure that proper direction can be provided to users
- The CIRT Lead will coordinate between technical teams to ensure that effort is coordinated, and impacts accounted for
- Long term containment will ensure that any vectors used in this attack are closed or defended against future attacks
These steps are explained in detail in the Guideline - Incident Containment
Eradication
Once the threat is contained, all traces of the attacker and related malware must be removed from all of the organization’s systems.
During this phase:
- The CIRT Lead recommends an eradication plan to the BIRT Lead to be reviewed, adjusted, and approved
- The eradication plan is implemented by IT, legal, people and security teams
- Affected systems are recovered from backup and malicious software is removed
- Systems and configuration are updated to improve defenses
- Recovered systems are scanned for any further vulnerabilities which are removed
- All steps taken are documented
These steps are explained in detail in the Guideline - Incident Eradication
Recovery
The objective of the recovery phase is to resume normal business operations and ensure that the systems remain healthy.
During this phase:
- The CIRT Lead recommends a recovery plan to the BIRT Lead to be reviewed, adjusted, and approved
- All available tests are performed to ensure that the recovered systems are functioning correctly after they have been rebuilt or restored
- Communication with identified internal stakeholders ensures that they understand the recovery plan
- If necessary, external stakeholders are notified to manage their expectations for recovery
- The recovered system is brought online following appropriate change control processes while minimizing impact as much as possible
- Monitoring continues and is augmented to ensure that eradication and recovery were fully completed, and the attacker does not return
These steps are explained in detail in the Guideline - Incident Recovery
Lessons Learned
The lessons learned phase completes the documentation of what occurred during the incident and helps to improve incident response capabilities for future incidents.
During this phase:
- A follow-up report is created summarizing what occurred, what worked, what did not and what improvements can be made to the process
- All responders will participate in a meeting to discuss the report
- Process and documentation are updated based on the learnings
- Any other fixes such as changes to technology are implemented
These steps are explained in detail in the Guideline - Lessons Learned
Update Processes and Documentation
When the incident is closed and Lessons Learned are completed, all documentation should be updated based on any findings from the review of the incident.
Version Tracking
| Name | Description | Date |
|---|---|---|
| Kenton Smith | V1.0 | January, 2026 |