Cyber Incident Response Guide | De4sec Technology

Contents

Why Incident Response Planning Matters Before the Incident
The Six Phases of Incident Response
Preparation: Building the Plan
Identification: Detecting and Confirming
Containment, Eradication and Recovery
Legal and Regulatory Obligations
De4sec Incident Response Service

Why Incident Response Planning Matters Before the Incident

An incident response plan is one of those documents that nobody wants to write — until they need it. And by the time they need it, it's too late to write it.

Organisations that respond well to cyber incidents are not those who are more secure than average. They're those who had a plan, practiced it, and knew exactly what to do in the first 30 minutes. Decisions made under crisis pressure without a plan compound damage exponentially.

Businesses with a documented and practiced incident response plan recover from incidents 40% faster and at significantly lower cost than those without one. Source: IBM Cost of a Data Breach Report 2024.

The Six Phases of Incident Response

Phase	Description	Key Outcomes
Preparation	Build and test the plan before an incident	IRP documented, contacts ready, staff trained
Identification	Detect and confirm an incident is occurring	Incident confirmed, scope understood, IR team assembled
Containment	Limit the spread and damage	Affected systems isolated, attack vector closed
Eradication	Remove the threat from the environment	Attacker access removed, malware cleared, vulnerabilities patched
Recovery	Restore normal operations	Systems restored, credentials reset, monitoring enhanced
Lessons Learned	Review what happened and improve	Root cause documented, controls improved, plan updated

Preparation: Building the Plan

What the plan must contain

✓Incident classification criteria — what constitutes a P1/P2/P3 incident?

✓Escalation matrix — who to call, in what order, at what severity

✓IR team roles — Incident Commander, Technical Lead, Communications Lead, Legal Liaison

✓Communication templates — staff notification, client notification, media statement, regulator notification

✓Evidence preservation checklist — what to collect, what not to delete

✓Forensic contacts — your IR provider (De4sec), forensic investigators, law enforcement contacts if relevant

✓Insurance contacts — policy number, insurer IR hotline

✓Recovery procedures — how to restore from backup, system build order

Tabletop exercises

A tabletop exercise walks the IR team through a simulated incident scenario — discussing what they would do at each stage — without actually taking any technical action. Run quarterly to keep the plan current and the team familiar with it.

Identification: Detecting and Confirming

Alert sources

✓Microsoft Sentinel SIEM — automated alert correlation across all log sources

✓Microsoft Defender for Endpoint — endpoint alerts (malware, unusual behaviour, credential theft)

✓Defender for Office 365 — email-based threat alerts

✓Staff reports — users reporting suspicious activity, unexpected MFA prompts, unavailable files

✓Third-party tips — supplier notification, law enforcement, ACSC or Communications Authority alert

First 15 minutes

✓Assemble the IR team — do not handle alone

✓Confirm the incident is real — rule out false positive before declaring

✓Document everything from this point — timestamps, observations, actions taken

✓Do not attempt remediation before understanding scope — premature remediation destroys forensic evidence

✓Contact De4sec — +61 451 500 909 (AU) | +254 741 777 681 (KE)

Containment, Eradication and Recovery

Short-term containment

✓Isolate affected devices — Defender for Endpoint device isolation feature or physical disconnect

✓Disable compromised user accounts — not just password reset, but complete disablement

✓Block malicious IPs, domains, and file hashes at firewall and email gateway

✓Preserve forensic evidence — disk images of affected systems before wiping

Eradication

✓Do not clean infected systems — rebuild from known-good OS image

✓Remove persistence mechanisms — scheduled tasks, registry run keys, new user accounts

✓Patch the exploited vulnerability — or remove the exposed service

✓Reset ALL credentials — every password, every API key, every service account

Recovery

✓Restore data from last known-clean backup — verify backup pre-dates the compromise

✓Rebuild systems from clean images — deploy security baseline before returning to production

✓Enhanced monitoring for 30 days post-recovery — attackers sometimes have secondary access

✓Communicate with stakeholders — clients, staff, regulators as appropriate

Legal and Regulatory Obligations

Cyber incidents often trigger legal obligations — particularly where personal data is involved. These obligations vary by jurisdiction.

Jurisdiction	Regulation	Notification Requirement
Australia	Privacy Act 1988 (Notifiable Data Breaches)	Notify OAIC and affected individuals within 30 days if serious harm likely
Kenya	Data Protection Act 2019 (KDPA)	Notify ODPC within 72 hours if breach likely to result in risk to individuals
EU/EEA customers	GDPR	72-hour notification to supervisory authority
All	Cyber insurance policy	Notify insurer immediately — most policies require immediate notification

Failure to notify regulators within required timeframes can result in significant fines — in some cases larger than the cost of the incident itself. Legal counsel should be engaged at the start of any incident involving personal data.

De4sec Incident Response Service

IR Planning

Develop a customised incident response plan, tabletop exercise facilitation, and staff training.

24/7 IR Hotline

AU: +61 451 500 909 | KE: +254 741 777 681 | Email: support@de4sec.technology

Technical Response

Remote incident response: containment, forensic investigation, eradication, recovery coordination.

Post-Incident Report

Root cause analysis, attack timeline reconstruction, control gap identification, remediation roadmap.

// NEXT STEP

Ready to get started?

De4sec provides hands-on implementation. Book a free discovery call at no cost.

Book a Free Discovery Call →de4sec.technology

© 2026 DE4SEC TECHNOLOGY. ALL RIGHTS RESERVED.