
IR minor incident process

Incident Response - Low Incident Process
(Company Name)

Overview

A Low Incident does not have broad reaching impact and may require only a small degree of engagement from the Cybersecurity Incident Response Team (CIRT) Lead. The full Business Incident Response Team (BIRT) is not necessarily engaged in a Low incident. BIRT representatives will instead receive a periodic summary of all Low incidents that have occurred since the previous update.
The CIRT Lead or IT SME will manage the entire incident, including engaging with and providing guidance to team members. The classification criteria for a Low Incident are as follows:

Criticality: Low

Criteria:
  • Malicious code: a single malware variant on 4-9 hosts, or attempts by internal systems to connect to known malicious external hosts (C&C traffic)
  • Information gathering: suspected malicious network scans or compromise of any service
  • Unauthorized access: multiple unexplained failed login attempts
  • Denial of service: loss of availability to affected systems deemed P3 (necessary services)

Business Impacts:
  • Isolated impact to users of some systems: inability for an individual or small group of employees to carry out their responsibilities
  • Short-term outages of some business unit systems
  • Isolated to a single site
  • Impact may be visible to external parties and customers, but with no direct customer or operational impacts
  • Possible legal or regulatory impacts: threat of legal action

Resources: CIRT

A Low Incident does not have significant impact to the organization’s customers or business operations. The incident must be resolved in a timely fashion; however, it is not necessary for staff to work extra time or forego other duties in order to resolve the incident.

Roles and Responsibilities

  • Responsible: CIRT Lead, IT SME
  • Accountable: CIRT Lead
  • Consult: BIRT, SMEs
  • Inform: IT Management

CIRT

If a Low Incident is restricted to one technology or area, the CIRT Lead may choose to engage only with the CIRT members whose knowledge is needed to handle the incident.
The CIRT Lead plays a critical role in all Low incidents. While the BIRT is engaged in Major incidents, the Internal CIRT Lead will fulfil the role of BIRT representative when responding to a Low incident. Any additional resources will receive guidance and direction from the CIRT Lead.

Team Members

Team members provide the necessary details to the CIRT Lead to enable them to make decisions regarding what steps should be taken during the containment, eradication, and recovery phases of the incident response. The team members are then accountable for taking the steps directed by the CIRT Lead or the MSSP to accomplish the objectives of the incident response.
The CIRT Lead will provide guidance to the team members to enable them to best achieve those objectives.

Purpose

This document outlines the key steps in the Low Incident Response process with additional information provided by the guidelines for the key steps of Containment, Eradication, Recovery and Lessons Learned.

Artifacts

Completed Templates (LINKS)

Activities

The primary activities in a Low Incident response are:
- Activate Incident Response and notify participants
- Convene Incident Response teams
- Assess the incident
- Containment
- Eradication
- Recovery
- Lessons Learned

Activate Security Incident Response

The IT SME or Helpdesk Analyst will notify the CIRT Lead that incident response has been activated and provide details for convening the incident response team.

Convene Incident Response Teams

The CIRT Lead must then follow their own call-out processes to engage their incident response teams, ensuring that all parties are available within the required time (minutes/hours). In the case of a Low Incident, the CIRT Lead may choose to use email or the sanctioned internal messaging application to notify required team members; an out-of-band or "secure" communications method is not required. Incident response teams may use standard, sanctioned communications methods to convene and consult, and are only required to attend the war room in person if directed by the CIRT Lead. If the incident involves the email or messaging platform itself, the CIRT Lead should re-assess the classification before relying on that platform for coordination. Only required resources will be engaged by the CIRT Lead.

Assess Incident

While the incident has already been classified as a Low Incident, additional information may be required to determine the best course of action. Periodically re-assess the classification as per the guideline (for example, if the number of affected hosts or the business impact grows beyond the Low criteria above) to determine whether the incident classification has changed and requires additional resources.

Containment

The objective of the Containment phase is to put measures in place to ensure that the situation does not become worse and to prevent an attacker or malware from spreading further.

During this phase:
- The CIRT Lead determines a containment plan.
- Legal, HR, Health & Safety or others may assist with non-technical containment steps, but only if the CIRT Lead determines that they are required.
- Team members will stop the attack from proceeding any further, with technical guidance and approval from the CIRT Lead or SME.
- Systems will be backed up in their current state and forensic evidence will be preserved where desirable and practicable, before any remediation changes are made.
- The CIRT Lead will notify the Help Desk to ensure that proper direction is provided to users.
- The CIRT Lead will coordinate between technical teams to ensure that effort is aligned and impacts are accounted for.
- Long-term containment will ensure that any vectors used in this attack are closed or defended against future attacks.

These steps are explained in detail in the Guideline - Incident Containment.

Eradication

Once the threat is contained, all traces of the attacker and related malware must be removed from all of the organization's systems.

During this phase:
- The CIRT Lead recommends an eradication plan and provides direction to implement the plan.
- The eradication plan is implemented by team members. Legal, HR, and security teams are not engaged for a Low Incident unless the CIRT Lead determines that their involvement is required.
- Affected systems are recovered from a backup known to predate the compromise, and malicious software is removed.
- Systems and configuration are updated to improve defenses.
- Recovered systems are scanned for any further vulnerabilities, which are then remediated.
- All steps taken are documented.

These steps are explained in detail in the Guideline - Incident Eradication.

Recovery

The objective of the Recovery phase is to resume normal business operations and ensure that the systems remain healthy.

During this phase:
- The CIRT Lead recommends a recovery plan, which team members will implement.
- All available tests are performed to ensure that the recovered systems are functioning correctly after they have been rebuilt or restored.
- Communication with identified internal stakeholders ensures that they understand the recovery plan.
- If necessary, external stakeholders are notified to manage their expectations for recovery.
- The recovered system is brought online following appropriate change control processes while minimizing impact as much as possible.
- Monitoring continues and is augmented to ensure that eradication and recovery are fully completed and the attacker does not return.

These steps are explained in detail in the Guideline - Incident Recovery.

Lessons Learned

The Lessons Learned phase completes the documentation of what occurred during the incident and helps to improve incident response capabilities for future incidents.

During this phase:
- A follow-up report is created summarizing what occurred, what worked, what did not, and what improvements can be made to the process.
- All responders participate in a meeting to discuss the same.
- Process and documentation are updated based on the learnings.
- Any other fixes, such as changes to technology, are implemented.

These steps are explained in detail in the Guideline - Lessons Learned.

Update Processes and Documentation

When the incident is closed and Lessons Learned are completed, all documentation should be updated by the Manager - IT based on any findings from the review of the incident.

Create Standard Incident

Low incidents often repeat or have occurred in the past. If, upon closure, the CIRT Lead believes that the incident should be classified as a Standard Incident, it should be created during this stage. This allows future responders to follow a simple, documented process to resolve the incident without requiring full engagement from the CIRT Lead and the BIRT.

Version Tracking

Name Description Date
Kenton Smith V1.0 January, 2026