Incident Response Explained: Understanding the lifecycle of a cybersecurity incident

* This webinar was recorded live on November 7, 2023. Please note since this recording, Covalence has been renamed to Field Effect MDR.

Incident Response Explained: Understanding the lifecycle of a cybersecurity incident

Many small and mid-sized enterprises (SMEs) cite cybersecurity as their number one priority in 2023, yet attacks continue to increase and ransoms continue to be paid. What is it that makes so many companies vulnerable?

Watch on-demand to hear from Field Effect's Head of Strategic and Response Services, Monique Bardawil as she discusses:

• What is a cyber incident?
• A walkthrough of the phases of a cybersecurity incident
• What are some common mistakes companies make during a cybersecurity incident?
• What are the common characteristics of companies that handle incidents well?

Understanding cyber incidents

So, to start off—a brief intro to what we mean by a cyber incident. It’s a little funny that “incident” needs a definition, because people make different assumptions. NIST defines an incident as an event that targets an enterprise’s use of cyberspace—basically your network, devices, and overall cyber landscape.

There are many types of incidents. A lot of us picture a full compromise—defenses down, a successful break-in—but an incident can also be an attempt or an initial foothold: a “first landing” used to stage a larger attack. Essentially, an incident is an attempt to disrupt, disable, destroy, or maliciously control an environment. That attempt is often external but can be internal as well, and may aim to destroy data integrity or steal controlled information.

Historically, we saw more nation-state attacks or large organizations targeting IP, but much of today’s activity is financially motivated. It’s become easier for attackers to profit, and online forums and networks allow them to share tactics and techniques.

Motivations behind cyberattacks

So, a lot of today’s cyber activity is financially motivated. When companies come to us — or more generally, when organizations realize or suspect they’re under attack—what we often see is people reacting with the best intentions but in a state of panic. They want to stop the attack quickly and prevent further damage. Unfortunately, without a clear plan in place, some of the steps taken by administrators can actually make incident response harder.

Common challenges in incident response

The most common issue is waiting too long. Organizations may suspect something is wrong but decide to try and contain it themselves, thinking, “It’s not so bad—we can handle this without disruption.” They do this because they want to keep the business running, avoid downtime, and minimize impact. But in many cases, they can’t stop it, and the delay makes the situation worse. This is one of the reasons why so many incident response engagements come in on Fridays—teams realize they can’t go into the weekend with an active threat unresolved.

Another challenge is that organizations often focus only on restoration—getting systems back online and business running again. While understandable, this can make forensic analysis very difficult. Restoring without preserving evidence means we lose critical information about how the attack happened, what vulnerabilities were exploited, and whether the threat was fully neutralized. Without that knowledge, the risk of recurrence is much higher.

Many companies also avoid thinking about cyber incidents. As a result, they may not make it a priority to build a strong response plan, purchase cyber insurance, or engage legal counsel. And even if they do have those resources, they often don’t know the basics: Who should we call first? Which internal stakeholders should be involved? What’s the sequence of actions? These are preventable gaps, but without preparation, they cause confusion during an incident.

As mentioned earlier, incidents can occur at any time, but they often surface toward the end of the week, on weekends, or during holidays. Attackers deliberately choose these windows, knowing fewer people are monitoring systems. At the same time, many organizations delay calling for help until late in the week, after struggling internally for days and realizing they can’t head into the weekend with an active threat.

Who gets targeted?

It’s also important to stress that cyber incidents are no longer limited to large or wealthy organizations. One of my colleagues put it well: if an attacker sees $5,000 in your account, they’ll take it—better than nothing. In other words, any organization, regardless of size, can be a target.

We also see a wide range in attacker sophistication. Yes, there’s growing concern about AI-powered threats and what the future holds, but many attacks are still based on well-worn tactics—exploiting known vulnerabilities, phishing, or misconfigurations. These are things we should already be doing better at defending against. So while we need to keep an eye on future risks, there are very real, practical steps organizations can take today to improve their protection.

Attackers are usually looking for the weakest link. Once inside, their goal is to escalate privileges, move laterally, and expand their access until they can reach their ultimate objective. In many cases, the attack is multi-pronged—but all it takes is one successful entry point.

The incident response process

Incident response, like most things in cybersecurity, is a continuous process—an infinite game. While I’ll outline what this looks like, keep in mind that it’s always evolving, and organizations should review their preparedness at least annually.

At its core, incident response begins when a security compromise is discovered. Ideally, the organization has a plan in place that provides a logical, methodical framework to follow. But in reality, even well-prepared organizations find that no incident plays out exactly as expected.

When we get involved, it usually starts with a call from a prospect. We arrange a scoping call to understand the situation—what was detected, how it was discovered, what actions have already been taken, and what matters most to the organization. For most, the immediate priority is getting back to business, but there are often other concerns: reputational damage, client information exposure, or leaked sensitive data.

During this process, we listen and provide guidance. We might ask: Have you contained the threat properly? Do you need stronger containment measures, like disconnecting from the internet to cut off attacker access? The appropriate response depends heavily on when the incident was discovered.

Another critical step is data preservation. Without preserved evidence, it’s extremely difficult to conduct a forensic investigation that explains how the threat actor got in, what they accessed, and what damage was done.

Finally, many organizations overlook the role of insurance and legal counsel. Regulations at the federal, provincial, or state level often require specific steps when a compromise occurs, and those must be addressed as part of the response. Based on the situation, we present different approaches, tailored to the client’s needs.

Removing the stigma

And as mentioned, there’s sometimes a stigma around experiencing an incident. Organizations may feel embarrassed—thinking, “we should have done this” or “if only we’d done that.” But there’s no need to impress the analysts or feel ashamed. The important thing is responding effectively and learning from the experience.

If you don’t know all the answers during an incident, that’s okay—that’s exactly why you bring in experts. The key is to share whatever information you have as early as possible. The sooner you engage, the better.

Even highly secure organizations can fall victim. All it takes is one click on a malicious link, downloading malware, or accidentally providing a password. Attackers often exploit the human element—our mistakes—and no amount of security completely eliminates that risk. That’s why it’s important to remember: no matter how strong your defenses, you may still be impacted.

Incident response at Field Effect

At Field Effect, our approach to incident response has two main goals:

1. Tell the story of what happened. We look at historical data to understand how the threat actor got in, what they accessed, and how long they were present. We identify gaps in security and build a clear timeline of the attack. This helps the organization learn from the incident and strengthen defenses for the future.
2. Ensure the victim is secure moving forward. Containment is critical—we focus on eliminating the attacker’s access and preventing recurrence. But equally important is ongoing protection. We use Field Effect MDR to deploy continuous monitoring across the environment. This gives full visibility into network activity as systems recover, helping ensure the organization remains secure.

These two priorities—understanding the past and protecting the future—are at the core of our incident response process. I’ll walk through the components of our approach and what we believe every response should include.

Case management and the investigative lens

One of the key elements of our incident response is case management. We provide this as part of our packages to help guide the client through the process. Often, clients are panicked and may not have the right resources or coordination in place. Case management ensures they receive timely updates on the investigation and monitoring, while also providing structured advice on containment, remediation, and recovery. In this role, we essentially become an extension of the client’s incident response team.

Case management also covers broader considerations that many organizations overlook: legal obligations, cyber insurance requirements, and even ransom negotiations. We frequently get asked questions like, “Do we pay? Do we not pay? Should we contact the threat actor?” The answer is always: do not contact the threat actor. But these are not questions most clients ever consider until they are in the middle of a crisis, which is why guidance is so critical.

Alongside case management, the investigative lens is central to our work. Our investigators analyze the data we collect from the impacted environment to answer core questions:

• What happened?
• How did the threat actor get in?
• What did they do, and when?
• Who or what was “patient zero”?
• How did the compromise spread within the network?
• What was the most recent attacker activity?

This process helps us define safe recovery points for the environment—for example, determining whether the client needs to rebuild the entire network or just specific servers.

A major focus is on root cause identification. We want to understand how the initial access occurred so we can block it immediately. From there, we study the threat actor’s techniques: how they moved laterally, escalated privileges, and misused legitimate tools. We also collect indicators of compromise (IOCs)—such as malicious IP addresses—so they can be fed into monitoring systems to prevent re-entry.

Finally, we look at the why. Most often, the motivation is financial: extorting victims to pay for data recovery or to prevent data from being published on the dark web.

The outcome of this process is situational awareness. Before taking major action, we work to give the client a full understanding of the attack, the gaps in their defenses, and what future monitoring should detect. This makes incident response not only about recovery, but also about education—helping organizations strengthen their defenses so the same techniques cannot be used against them again.

The investigative lens is essential, but it’s only one part of the picture. The other critical piece is security monitoring, which provides victims with assurance that they are protected moving forward—not only against the current attack but also against future attempts.

Security monitoring and intelligence

The reality is that no one can stop all attacks; adversaries will continue trying. What we can do is detect and respond effectively. At Field Effect, we use Field Effect MDR to deliver holistic monitoring. This includes:

• Network sensors
• Endpoint agents
• Cloud service integrations

Together, these ensure that attackers cannot pivot undetected between IT systems or services.

Our monitoring relies on detection policies that respond to threat actor activity. Some are general, covering common TTPs (tactics, techniques, and procedures) and IOCs (indicators of compromise). Others are tailored: for example, if a threat actor used a legitimate remote management tool during a compromise, we can create specific detection rules against that tool to prevent its misuse in the future.

This creates a feedback loop: findings from investigations feed into monitoring policies, and monitoring data in turn informs investigations.

Another important component is security intelligence and threat monitoring. Victims often want to know:

• Who was behind the attack?
• What ransomware family was used?
• What are the known TTPs and IOCs associated with this group?
• Is there a risk that stolen data will be published or sold on the dark web?

Our threat intelligence team helps answer these questions by correlating evidence with known actor profiles. In some cases, if victims don’t pay ransom, attackers may follow through on threats to publish or sell data. While our dark web monitoring capabilities are limited and designed as a supplementary function, they still provide valuable context.

In short, security intelligence adds depth. It’s not just about knowing if an incident happened, but who was likely behind it, how they operate, and what the future risks are. That knowledge shapes stronger defenses and informs the client’s broader risk management strategy.

Staying ahead of new threats

In cybersecurity, it’s critical to stay aware of new threats and vulnerabilities as they’re published. This allows us to enhance monitoring for our clients on a day-to-day basis.

For example, if a new Chrome vulnerability is disclosed, we immediately:

• Identify where it exists across our client environments.
• Confirm whether policies are in place to detect and respond to it.
• Notify affected clients so they can update or patch quickly.

This kind of proactive intelligence is essential to reducing the threat surface.

Restoration and communication

Once an incident is underway, the ultimate goal is to restore the environment—but it’s not a linear process. Investigation, restoration, and monitoring often happen in parallel.

A key step before beginning restoration is to determine which systems and data were impacted and what should be restored first. This is where preparation is invaluable. Organizations need to know which systems are truly critical for business functions—it might not be email, but rather the CRM or another core system. Establishing these priorities gives incident responders a clear focus.

If victims have strong backups—ideally stored separately from the main network—restoration is usually straightforward. Backups provide a safe point of recovery, but we must also identify which backup version is clean and trustworthy.

In some cases, negotiations with threat actors come into play. These are legally complex, because many ransomware groups are linked to sanctioned or terrorist organizations. Paying them can carry federal or international legal consequences, which is why legal counsel must always be involved. While rare, there are situations where negotiations become the only viable option—for instance, if backups are encrypted or destroyed and the business cannot function without its data.

Another often-overlooked element of response is communications. Internally, organizations must provide staff with clear direction: What should they tell clients? What can and can’t they say publicly? For example, if sales systems are down, staff need a clear, consistent message for customers.

Externally, communications with partners, stakeholders, and the media must also be managed carefully. Depending on the organization’s role in the economy, public scrutiny and pressure can be significant.

Ultimately, response isn’t just about technology—it’s about people and processes as well. If everything goes well, we reach the point where the environment is restored, monitoring is in place, and the incident can be deescalated.

Reporting and post-incident considerations

The final phase is reporting. At Field Effect, our approach is to be objective and evidence-based. We don’t speculate or insert opinion; we stick to verifiable facts. This ensures accuracy and credibility for the organization itself, and also satisfies the scrutiny of insurers, regulators, and legal teams. Like any good investigation, the report must be clear, factual, and defensible.

When it comes to timelines, every incident is different. On the low end, a case might conclude in about three weeks, though restoration can begin as early as day two. On the high end, incidents can take months to fully resolve, especially if the attack is complex. For example, this year we’ve seen cases where virtualized environments were compromised—even the ESXi hosts. In those scenarios, everything has to be rebuilt, and investigators can’t easily access data for analysis. The larger and more complex the environment, the longer the process takes.

This underscores how critical it is to have clear steps in place immediately. Instead of wasting time wondering “what do I do?”, an organization that knows its plan can act quickly and start executing right away.

Post-incident phase: Key activities

Once the incident is closed and the report is delivered, organizations move into the post-incident phase, which includes several key activities:

1. Notifications
   • If personal or sensitive data was compromised, affected individuals may need to be notified.
   • Legal counsel or breach counsel is essential to guide what must be disclosed under federal, provincial, or state regulations.
2. Security control review
   • Post-incident is a natural time to reassess and improve security posture.
   • Organizations often identify gaps, apply temporary fixes, and later redesign networks or add new controls to strengthen defenses long term.
3. Employee education
   • Humans are always part of cybersecurity. Employees should be educated about strong passwords, safe browsing, and their role in security.
   • Staff also need to understand what happened, what it means for the organization’s reputation, and what lessons can be applied going forward.
4. Engaging authorities
   • Though less common in Canada and the U.S., reporting incidents and indicators of compromise to law enforcement can support broader efforts to track threat actors or take down their infrastructure.

Preparation Is everything

The best defense is to be prepared. Just as you buy home insurance for peace of mind, cybersecurity monitoring and response planning are about reducing your threat surface and ensuring you have expert support when needed.

Preparation should include:

• A strong monitoring solution.
• An incident response plan that identifies internal and external roles, high-value assets, recovery priorities, and communication protocols.
• Testing backups and recovery processes.
• Practicing the plan through tabletop exercises—safe simulations that let you walk through scenarios, discuss decisions, and practice coordination before a real crisis occurs.

All of these steps build resilience, so when an incident happens, you can respond with clarity and confidence — not panic.

The key is not to panic. Instead, know what to watch for and be prepared. No two incidents are alike, and the way you respond will rarely match the exact scenario you practiced. But having general knowledge, awareness, and comfort through tabletop exercises ensures you can respond with confidence when the time comes.

Q&A

Q: What is the process for engaging third-party incident response services if a customer has a cyber insurance policy and/or legal counsel?

A: This depends heavily on the terms of the cyber insurance policy. Some policies dictate which providers an organization can or cannot engage. In some cases, insurers have their own incident response teams or preferred partners they require you to use. Breach counsel may also guide or restrict who can be engaged.

Other times, policies are more flexible, offering recommendations but leaving the choice to the organization. Because it varies case by case, it’s critical to review your cyber insurance policy in advance so you know:

• What’s covered.
• Who you are permitted to engage.
• Whether you must call the insurer first or can contact an incident response team directly.

Preparation here avoids confusion and delay during an actual crisis.

Q: What kind of monitoring do you leave in place post-incident?

A: Our Field Effect MDR platform is the primary tool our analysts use during incident response. It remains deployed for the full duration of the IR engagement—and often a little longer—to confirm the threat has been fully eliminated. Many of our IR customers choose to keep Field Effect MDR in place permanently after the engagement, making it a long-term fixture of their security posture.

Q: What is an example of a tabletop exercise?

A: A tabletop exercise is a simulated incident designed to test an organization’s response plan. For example:

• It’s Thursday morning, and someone calls IT saying they can’t access files or do their work.
• The scenario escalates from a possible IT issue to a confirmed cybersecurity compromise.
• Participants walk through investigation, containment, monitoring, and restoration.

We build these exercises around the client’s environment and priorities—such as critical information assets and recovery objectives. If the client has an IR plan, the exercise tests it. If not, the exercise highlights gaps and helps shape a plan.

We also include injects to simulate real-world complications: leaked information, media inquiries, or client communications. These bring in the people and process aspects—not just the technical side. Tabletop exercises require the participation of key stakeholders so the organization can practice and learn together.

Q: Should you notify your general legal counsel in addition to whoever your cyber insurance directs you to?

A: Yes. Always start with your internal legal counsel, if you have one. They should be part of your IR preparation and can provide guidance tailored to your organization. Smaller organizations without internal counsel may need to work directly with breach-specific lawyers recommended by insurance. The important thing is to validate expectations in advance with both your legal counsel and your insurer to avoid confusion during an incident.

Q: Have you had to support a customer with incident response while they were already using Field Effect MDR?

A: Not in the sense of a full, catastrophic compromise. Here’s why:

• Incidents vs. events: Field Effect MDR is designed to detect and respond to events (phishing clicks, malware downloads, unusual user behavior) before they escalate into major incidents.
• Active response: The platform continuously monitors, blocks, isolates, and mitigates malicious activity at various stages of the kill chain.
• Prevention in action: Every day, Field Effect MDR prevents attacks from becoming enterprise-wide breaches. That’s the value of 24/7 monitoring—we can’t stop attackers from trying, but we can stop them from succeeding.

So while no Field Effect MDR client has experienced a massive breach requiring IR, the platform is actively protecting against attempts on a daily basis.