A cyberattack can paralyze your company in minutes. Without a plan, you are already behind. We at Meteora Web see it every day in Italian SMEs: encrypted servers, stolen data, zero revenue. The difference between recovering in hours and going out of business? A solid Incident Response framework — tested, measured, and managed like a balance sheet: with metrics, priorities, and real costs.
In this advanced guide, we dive into the first three phases of the incident response lifecycle: Preparation, Detection, and Containment. Eradication, Recovery, and Lessons Learned will be covered in a follow-up. Here we want you to walk away with operational tools to build or strengthen your immediate response capability.
Why a formal framework? Because chaos costs more than the attack
The instinct when an incident hits is to rush and shut everything down. That reaction destroys evidence (a powered-off machine loses its memory, its network connections and its running processes), extends recovery time, and loses money. We saw it at a client: ransomware hit the warehouse. The owner pulled the server plug. Result: unrecoverable backups, days of downtime, and a forensic analysis that had to rebuild everything from incomplete logs. A framework such as NIST SP 800-61 or the SANS PICERL lifecycle gives you a logical sequence, reliable steps, and a common language between technicians, management, and insurance.
Phase 1: Preparation — most of the work happens before the attack
Preparation is everything you do before the alarm goes off. We call it 'preventive accounting': like a budget forecast, you define resources, responsibilities, and processes. Without it, every other phase is a shot in the dark.
1.1 Build a response team (CSIRT) with clear roles
You don't need a military structure, but everyone must know what to do. For an SME, a minimum team of three works: a coordinator (makes decisions, talks to management), a technical sysadmin/security person (analysis and containment), and a legal/insurance contact. Document roles in a runbook updated every quarter.
1.2 Essential tools to have ready
- Endpoint Detection and Response (EDR) on all critical servers and workstations.
- SIEM (even free like Wazuh) to centralize logs and create alerts.
- Offline and immutable backups, with a restore test (not just a successful backup job) at least every 30 days.
- VPN and secure remote access for the response team.
- Playbooks for common scenarios: ransomware, phishing, credential theft.
Action now: download the free playbook template from SANS and customize one ransomware scenario for your company within 7 days.
1.3 Regular tests: the drill you never fail
All frameworks say 'tabletop exercise' or 'simulation'. We translate that into practice: every quarter, block a morning, gather the team, and simulate an incident. Use a checklist. Measure detection and containment times. One of our clients discovered during a drill that the backup was incomplete on a critical server. They fixed it before the real attack.
Phase 2: Detection — catch it before your inbox explodes
Detection is not just 'an alarm goes off'. It's the ability to distinguish a false positive from a real threat, and to do it fast. At Meteora Web, we often see companies ignoring alerts because 'too many false alarms'. The problem isn't the alert — it's the threshold and context.
2.1 Set behavior-based alerts, not just signatures
A signature-based antivirus cannot catch what it has no signature for: new or repacked malware, living-off-the-land tools, or a legitimate account driven by an attacker. Use behavioral rules alongside it: 'one user opening 500 files in 30 seconds' says more than 'a file named ransomware.exe'. In a SIEM like Wazuh, you can express that as a custom correlation rule.
Example Wazuh rule set for mass file access on Linux. A single event cannot tell you how many files a user touched, so it takes two rules: a base rule that matches each auditd read event carrying the key of the watch on /data, and a correlation rule that fires when the same user triggers it about 100 times within 5 minutes:
<group name="file_access,attack,">
  <!-- Base rule: one auditd event carrying the key set on the watch
       (auditctl -w /data -p r -k data_read). 80700 is Wazuh's parent auditd rule. -->
  <rule id="100099" level="3">
    <if_sid>80700</if_sid>
    <field name="audit.key">data_read</field>
    <description>Read access to a watched file under /data</description>
  </rule>
  <!-- Correlation rule: the same login user (audit.auid) matched the base rule
       about 100 times within 300 seconds. The frequency/timeframe attributes
       do the counting; a single event carries no count field. -->
  <rule id="100100" level="12" frequency="100" timeframe="300">
    <if_matched_sid>100099</if_matched_sid>
    <same_field>audit.auid</same_field>
    <description>Anomalous access: more than 100 files in /data in 5 minutes by one user</description>
    <options>no_full_log</options>
  </rule>
</group>
Action now: enable auditing on the file systems that matter (Linux: an auditd watch such as auditctl -w /data -p r -k data_read, made persistent under /etc/audit/rules.d/; Windows: a SACL on the share plus the 'Audit File System' policy, without which the SACL logs nothing) and configure your SIEM to alert when one user touches more than 100 files in 5 minutes. Expect noise at first: a read watch on a busy tree fires for every legitimate access too, so scope it to the sensitive directories and exempt the backup account rather than raising the threshold until the rule is blind.
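The same threshold in plain Python rather than Wazuh's rule engine, as an added example that is not code from the original article or from Wazuh: a sliding-window detector that counts distinct files under /data per user, ignores an exempt backup account, and raises one alert per window. The events, user names, timestamps and the 300-second window are constructed for the example, so the threshold can be tried against a SIEM export before it reaches production.

```python
"""Sliding-window detector for mass file access by one user.

Added example (not from the original article or from Wazuh). It reproduces the
logic of the SIEM correlation rule "more than N distinct files under /data touched
by one user within T seconds". All events below are constructed.
"""
from collections import Counter, defaultdict, deque


class MassAccessDetector:
    def __init__(self, threshold=100, window=300, prefix="/data/", exempt_users=()):
        self.threshold = threshold              # distinct files that trigger an alert
        self.window = window                    # sliding window in seconds
        self.prefix = prefix                    # only paths under this tree count
        self.exempt_users = set(exempt_users)   # e.g. the backup service account
        self._events = defaultdict(deque)       # user -> deque of (ts, path) inside the window
        self._distinct = defaultdict(Counter)   # user -> path -> hits inside the window
        self._last_alert = {}                   # user -> ts of the last alert, to avoid repeats

    def feed(self, ts, user, path):
        """Feed one access event; return an alert dict when the threshold is crossed."""
        if user in self.exempt_users or not path.startswith(self.prefix):
            return None
        q, counts = self._events[user], self._distinct[user]
        q.append((ts, path))
        counts[path] += 1
        # Expire events older than the window (events are fed in time order)
        while q and ts - q[0][0] > self.window:
            old_ts, old_path = q.popleft()
            counts[old_path] -= 1
            if counts[old_path] == 0:
                del counts[old_path]
        if len(counts) > self.threshold:
            last = self._last_alert.get(user)
            if last is None or ts - last > self.window:   # one alert per window per user
                self._last_alert[user] = ts
                return {"user": user, "distinct_files": len(counts),
                        "window_start": q[0][0], "ts": ts}
        return None


def run(events, **kwargs):
    """Run the detector over (ts, user, path) triples and collect the alerts."""
    det = MassAccessDetector(**kwargs)
    alerts = []
    for ts, user, path in sorted(events):   # sort first: exports are not always ordered
        alert = det.feed(ts, user, path)
        if alert:
            alerts.append(alert)
    return alerts


def sample_events():
    """Constructed events for four users: (epoch seconds, user, path)."""
    t0 = 1_700_000_000
    ev = []
    # alice: normal work, 20 distinct files spread over an hour -> no alert
    ev += [(t0 + i * 180, "alice", f"/data/clients/{i}.xlsx") for i in range(20)]
    # carol: a script re-reading one file 200 times in a minute -> 1 distinct file, no alert
    ev += [(t0 + i * 0.3, "carol", "/data/reports/summary.csv") for i in range(200)]
    # svc_backup: 500 files in 50 seconds, alerts unless exempted
    ev += [(t0 + i * 0.1, "svc_backup", f"/data/archive/{i}.bin") for i in range(500)]
    # bob: 120 distinct files in 40 seconds -> one alert, on the 101st file
    ev += [(t0 + 3600 + i / 3, "bob", f"/data/hr/contract_{i}.docx") for i in range(120)]
    # bob also touches files outside /data, which must not count
    ev += [(t0 + 3600 + i / 3, "bob", f"/tmp/cache_{i}") for i in range(50)]
    return ev


if __name__ == "__main__":
    for alert in run(sample_events(), exempt_users={"svc_backup"}):
        print(alert)
```

Feed it the (timestamp, user, path) triples from your SIEM's JSON export. The repeated-file case (carol) is why the detector counts distinct paths rather than raw events: a script re-reading one file looks like a burst but is not mass access, while the backup account is exempted explicitly instead of raising the threshold for everyone.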
2.2 Log chain of custody: don't delete anything
In detection, every log is evidence. Set retention of at least 6 months (preferably 12) for authentication, sensitive data access, firewall, and DNS logs, and ship them off the host as they are produced: an attacker who gains administrator rights on a server can wipe its local logs, but not the copies already on the SIEM. If your SIEM is cloud-based, ensure the vendor provides a forensic export in a standard format (JSON, CSV) with the original timestamps. We've seen cases where a deleted log prevented tracing the attack vector.
Phase 3: Containment — stop the fire without flooding the house
When an incident is confirmed, the priority is to limit damage. Containment can be short-term (isolate the host, disable the account) or long-term (temporary measures such as firewall rules and credential resets that keep the business running until the system is cleaned or rebuilt; the rebuild itself belongs to recovery). The most common mistake? Pulling the plug on everything and losing visibility on the attacker, and the volatile evidence with it.
3.1 Surgical isolation: block communication, not the server
When possible, use host firewall rules (iptables on Linux) to cut the host off from everything except the network the responders use: the attacker loses command and control and any exfiltration channel, while the machine stays reachable for forensics. Most EDR products offer the same thing as a one-click 'isolate host' action; the commands below are for machines without one. Example on Linux:
# Cut the host off from everything except the forensics/management subnet
# (adjust 192.168.10.0/24): the analyst's session survives, C2 and exfiltration do not.
# Rules go at the top of the chain so existing ACCEPT rules cannot bypass them.
/sbin/iptables -I OUTPUT 1 -o eth0 -d 192.168.10.0/24 -j ACCEPT
/sbin/iptables -I OUTPUT 2 -o eth0 -j DROP
/sbin/iptables -I INPUT 1 -i eth0 -s 192.168.10.0/24 -j ACCEPT
/sbin/iptables -I INPUT 2 -i eth0 -j DROP
# Narrower alternative when the C2 channel is already identified (e.g. 8443/TCP):
/sbin/iptables -I OUTPUT 1 -o eth0 -p tcp --dport 8443 -j DROP
On Windows, netsh advfirewall does the same job: add inbound and outbound allow rules for the management subnet (netsh advfirewall firewall add rule ... action=allow remoteip=...), then set the profile policy with netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound. Capture volatile evidence before anything is powered off: a memory dump (FTK Imager or WinPmem on Windows, LiME or AVML on Linux), plus the list of network connections and running processes. A shutdown destroys all of it.
3.2 Network-level containment: immediate segmentation
If the attack spreads, isolate the compromised network segment via VLAN or switch ACL. Document every action with timestamp and operator. This is not just good practice: in case of insurance claims, the trace is your defense.
Action now: prepare a 'containment runbook' with ready commands for your environments (Linux and Windows). Test it in a lab environment within 15 days.
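A containment runbook in code, as an added example that is not part of the original article: it generates the iptables isolation commands for a Linux host (the same approach as in 3.1) and writes every step to an action log with timestamp, operator and a SHA-256 hash chained to the previous entry, so an entry that was edited or removed after the fact is detectable when the trace goes to insurers or forensic analysts. The hash chain goes beyond what the article itself describes. The host name, incident id, operator and the 192.168.10.0/24 management subnet are constructed values; by default it is a dry run and executes nothing.

```python
"""Containment runbook with a tamper-evident action log.

Added example (not from the original article). Builds the iptables isolation
commands for a Linux host and records each step in a hash-chained log. Host,
incident id, operator and management subnet are constructed placeholders.
"""
import hashlib
import json
import subprocess
import time


def isolation_commands(iface="eth0", mgmt_net="192.168.10.0/24", c2_port=None):
    """Full isolation (default) or, with c2_port, only the identified C2 port.

    Full isolation keeps the management subnet reachable in both directions so the
    analyst's session survives; everything else on the interface is dropped.
    """
    if c2_port is not None:
        return [["iptables", "-I", "OUTPUT", "1", "-o", iface, "-p", "tcp",
                 "--dport", str(c2_port), "-j", "DROP"]]
    return [
        ["iptables", "-I", "OUTPUT", "1", "-o", iface, "-d", mgmt_net, "-j", "ACCEPT"],
        ["iptables", "-I", "OUTPUT", "2", "-o", iface, "-j", "DROP"],
        ["iptables", "-I", "INPUT", "1", "-i", iface, "-s", mgmt_net, "-j", "ACCEPT"],
        ["iptables", "-I", "INPUT", "2", "-i", iface, "-j", "DROP"],
    ]


class ActionLog:
    """Append-only action log; each entry carries the SHA-256 of the previous one."""

    GENESIS = "0" * 64

    def __init__(self, incident_id, operator):
        self.incident_id = incident_id
        self.operator = operator
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, host, command, result, ts=None):
        """Append one action (who, when, where, what, outcome) linked to the previous entry."""
        entry = {
            "incident": self.incident_id,
            "ts": time.time() if ts is None else ts,
            "operator": self.operator,
            "host": host,
            "command": " ".join(command),
            "result": result,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if no entry was edited, removed or inserted after the fact."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def dump(self):
        """JSON lines, ready to attach to the incident file."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def contain_host(host, log, execute=False, **kwargs):
    """Run (or dry-run) the isolation commands on this host, logging each one."""
    for cmd in isolation_commands(**kwargs):
        if execute:  # real run: needs root on the compromised host itself
            rc = subprocess.run(cmd, capture_output=True).returncode
            result = "ok" if rc == 0 else f"exit {rc}"
        else:
            result = "dry-run"
        log.record(host, cmd, result)
    return log.entries


def demo():
    """Dry-run containment of one host, then show that rewriting the log is detected."""
    log = ActionLog("INC-2025-001", "mario.rossi")  # constructed incident id and operator
    contain_host("fileserver01", log)               # constructed host name
    intact_before = log.verify()
    log.entries[1]["command"] = "iptables -F"       # someone rewrites history
    return intact_before, log.verify()


if __name__ == "__main__":
    print(demo())
```

Keep the runbook in version control next to the playbooks, run it in dry-run mode during the quarterly drill, and store the dumped log on the SIEM or another system the compromised host cannot reach, otherwise the chain only proves integrity from the moment it left the host.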
Where does the money go? The cost of lacking preparation
We think in numbers. A company without an IR framework takes an average of 10 days to contain a ransomware attack (IBM 2025 data). With a prepared team, it drops to 2 days. The average downtime cost for an Italian SME ranges from €500 to €5,000 per hour depending on the sector. Preparing a plan costs a few thousand euros and a few hours of training. Not preparing it costs orders of magnitude more.
We saw it with one of our clients: after a social engineering attack (like those described in our article on Social Engineering Techniques), they activated the prepared playbook in 4 hours instead of 4 days. Containment was fast, no data encrypted. Cost? Only consulting hours.
In summary — what to do now
- Identify the minimum CSIRT team and write a runbook for a ransomware scenario within 7 days.
- Configure a SIEM with behavioral detection rules (at least for file system and authentication).
- Run a drill of detection and containment in a staging environment within 30 days.
- Automate network blocking with a ready script to execute via SSH or PowerShell.
- Document every action — during an incident, the trace is worth more than a backup.
If you're unsure about your current level of preparation, we can do a free 30-minute audit. We at Meteora Web work with companies in Southern Italy and beyond, bringing enterprise-grade tools to contexts that often think they can't afford them. The truth is, they can't afford to be without them.