Incident Response: First Aid in a Crisis
"Start the breathing. Stop the bleeding. Protect the wound. Treat for shock. Sir!"
There’s a reason this Marine-based memory aid works. While warriors can use it to save lives in the middle of chaos, we can also use it to enhance our approach to crisis management when defining a workable incident response plan, whether it involves fires, cyberattacks, break-ins, or natural disasters. The basic principles should enable you and your team to quickly assess the situation, prevent things from getting worse, stabilize conditions, and set the stage for recovery. This article breaks incident response into these four phases.
Start the Breathing
The first move in any crisis is to figure out what’s happening and get a clear picture of the threats of concern. We need to check the incident’s vital signs—making sure we can “start the breathing.”
Once you become aware of an incident, it is important to figure out exactly what is taking place. A physical example could be a building on fire. In cyberspace, it could be a phishing attack that results in unauthorized access or a DDoS attack that renders services unavailable. By quickly understanding the core problem, we are able to decide whether our first tool is a fire extinguisher or isolation procedures.
Every incident has its victims and its attackers. In the digital world, “the victim” might be a laptop, a network segment, or an entire organization’s data. The “attacker” can be a state-sponsored group, a criminal crew, or even an insider (who didn’t receive the expected promotion). Knowing who’s involved—finding that combination of people and entities—lets your incident responders know “who” needs resuscitation, and “who” needs stopping.
And then there’s the ticking clock—when did the incident start? When was it reported? Is it unfolding right before our eyes, or did it persist for months before we noticed? In cybersecurity, the timeline can mean the difference between quickly isolating affected systems and waking up your Privacy Officer at 1 a.m.
Stop the Bleeding
In the Marines, once you know that your victim is alive, the next move is to halt any further deterioration. Think of this as “stopping the bleeding”—taking action to contain the situation, so it doesn’t spiral out of control.
In the digital realm, this might mean isolating the affected network segment or shutting down compromised systems to keep malware from spreading. If there is a fire raging in a server room or a building, your next action must be to halt its spread, whether by using water, foam, or simply cutting off the fuel source. Containing the incident reduces both its impact and the scope of the response; less spread costs less in resources and money.
Stopping the bleeding isn’t just about quick fixes; it’s also about deploying the right resources to contain damage. For a ransomware attack, you might bring in digital forensics experts and isolation measures. For a fire, it’s firefighters, safety officers, and, in some cases, even law enforcement. Knowing which assets, systems, or people are impacted lets us determine the right resources to throw at the problem.
Protect the Wound
After ensuring that things aren’t spiraling further, the next critical step is to minimize additional risk and start the stabilization process—basically, “protect the wound.”
At this point, it’s mainly about containment. In cybersecurity, that means locking down the compromised areas, preserving logs, and isolating the affected systems so that forensics teams can analyze what went wrong without interference. Think of it as putting a protective dressing on an open wound to prevent further contamination. By taking these actions, we reduce the opportunity for (re)infection, and we protect the areas that were not impacted by the attack.
Protecting the wound is also about gathering as much evidence as you can. Every detail—the IP addresses involved, the systems impacted, etc.—adds up to the overall picture. This documentation isn’t just for record-keeping; it’s the blueprint for how to prevent another incident in the future. I’ve seen it time and again: capturing the details of “why” and “how” things went wrong helps protect our assets against similar future events.
Depending on whether the compromised asset is a minor component or a major system, the response and protective measures will vary. The leak of my AOL account data is vastly different from a breach of my medical records. Protecting the wound means applying the right amount of containment effort to ensure you have the right size bandages and gauze for the wound—don’t put a tourniquet on your finger’s papercut.
Treat for Shock
The final phase is all about stabilizing the aftermath. This is where you begin to transition from response to recovery, ensuring that your organization gets back to doing what it does best—and that is NOT spending time responding to incidents.
Treating for shock means starting the process of remediation. It might involve restoring systems from backup, patching vulnerabilities, and running thorough investigations to ensure the threat is completely removed. In physical emergencies, this may include repairing damaged infrastructure, getting people treated at the hospital, and restoring communications. The goal is to stay operational, or to become operational again as soon as possible. It may not look pretty—duct tape rarely does—but it needs to work.
No incident should simply be patched up and forgotten. Treating for shock also involves a hard look at what happened and why. Did a single click on a link result in a massive data breach? Was a fire ignited by negligence, or was it a deliberate act? And how much damage occurred due to the incident, and how much due to the response? Learning from these events forms the basis for improving policies, training, and preventive measures. You should also make the necessary improvements to your Incident Response Plan; there is no better way to reduce the shock when the next incident occurs.
The Incident Response First Aid Kit
In the end, managing any incident isn’t about reacting—it’s about systematic, disciplined actions that save the day, whether you’re fighting a phishing campaign or a blazing fire. I’ve seen firsthand that effective incident response isn’t just about responding quickly. It’s about doing so in a way that stops the problem before it spreads, puts the right resources in the right place to address the situation, figures out how and why it happened, and fortifies against another incident.
By assessing and understanding the situation, preventing the problem from escalating, ensuring the incident stabilizes, and implementing remediation and recovery measures, you’re not just addressing the crisis in the moment—your first aid kit is helping you build a stronger, more resilient operation for the future.