The 37 Minutes That Cost MGM Resorts $100 Million
In September 2023, a threat actor called Scattered Spider social-engineered an MGM Resorts help desk employee. Within 37 minutes, they had enough access to cripple one of the world's largest casino and hotel operators. Slot machines went dark. Hotel key cards stopped working. The estimated financial impact exceeded $100 million. What separated this disaster from a contained incident? The answer comes down to cyber incident response steps — whether you have them, whether your team has practiced them, and whether leadership actually follows them when panic sets in.
I've worked incident response cases where companies lost everything because they had a plan collecting dust in a SharePoint folder nobody could access. I've also seen small businesses contain ransomware in under two hours because they'd rehearsed their playbook quarterly. The difference isn't budget. It's preparation.
This post walks you through the exact cyber incident response steps your organization needs — not the theoretical framework you'd find in a textbook, but the practical, pressure-tested sequence that works when your network is on fire.
What Are Cyber Incident Response Steps?
Cyber incident response steps are the structured phases a security team follows to detect, contain, eradicate, and recover from a cybersecurity incident. The gold standard framework comes from NIST Special Publication 800-61, which defines four core phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Most mature organizations adapt these phases to fit their environment, but the bones stay the same.
Here's what actually matters: these steps aren't just for Fortune 500 companies. If you have customer data, employee records, or intellectual property — you need an incident response plan. Period.
Phase 1: Preparation — The Work Nobody Wants to Do
Every security professional I respect says the same thing: incident response is won or lost before the incident. Preparation is the most important of all cyber incident response steps, and it's the one that gets the least attention.
Build Your Response Team Before You Need It
You need a designated incident response team with clear roles. At minimum, that includes:
- Incident Commander — makes decisions, owns the timeline
- Technical Lead — handles forensics, containment, and eradication
- Communications Lead — manages internal and external messaging
- Legal Counsel — advises on breach notification, regulatory obligations
- Executive Sponsor — authorizes budget, system shutdowns, and public statements
If your organization has fewer than 50 employees, some of these roles will double up. That's fine. What's not fine is having zero clarity about who does what when an attacker is inside your network at 2 AM on a Saturday.
Train Everyone, Not Just IT
The 2023 Verizon Data Breach Investigations Report found that 74% of all breaches involved a human element — social engineering, errors, or misuse. Your incident response plan is only as strong as your weakest employee's ability to recognize a phishing email and report it fast. That's why cybersecurity awareness training for your entire workforce isn't optional. It's foundational to preparation.
Run phishing simulation exercises with your organization at least quarterly. Track who clicks, who reports, and who ignores. The data from those simulations feeds directly into your preparation posture.
Document and Test the Plan
A written incident response plan that hasn't been tested is a wish list. Run tabletop exercises at least twice a year. Simulate realistic scenarios: a ransomware infection on your file server, credential theft from a phishing campaign, a compromised vendor account. Time your team. Identify bottlenecks. Fix them before they cost you millions.
Phase 2: Detection and Analysis — Spotting the Fire
Detection is where most organizations fail. According to IBM's 2023 Cost of a Data Breach Report, the average time to identify a breach was 204 days. That's almost seven months of a threat actor living inside your environment.
Know Your Indicators of Compromise
Your team needs to recognize the signs of an active intrusion. Common indicators include:
- Unusual outbound network traffic, especially to unfamiliar IP addresses
- Unexpected privilege escalation or new admin accounts
- Mass file encryption or unusual file extension changes
- Alerts from endpoint detection and response (EDR) tools
- Employees reporting phishing emails or suspicious credential prompts
- Multi-factor authentication (MFA) fatigue attacks — repeated push notifications
Triage Fast, Triage Accurately
Not every alert is an incident. Your team needs a severity classification system. I use a simple four-tier model:
- Tier 1 (Critical) — Active data exfiltration, ransomware deployment, or confirmed credential theft affecting privileged accounts
- Tier 2 (High) — Confirmed malware, unauthorized access to sensitive systems
- Tier 3 (Medium) — Suspicious activity requiring investigation, potential social engineering attempts
- Tier 4 (Low) — Policy violations, single failed login attempts, informational alerts
The goal during detection and analysis is to answer three questions quickly: What happened? What systems are affected? Is the threat still active?
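The indicators above and the four-tier triage model can be wired together into a single detection pass that answers the first two of those questions for a batch of logs. The following is an added example written for this post, not code from the original or from any tool it mentions; the log format, the host names, the IP addresses, the thresholds and the mapping from indicator to tier are all assumptions chosen for illustration, and the log lines themselves are constructed.

```python
"""
Added example (not from the original post): turn constructed log lines into the
indicators of compromise listed above and give each host the most severe tier from
the four-tier triage model. Every name, address, threshold and tier mapping below is
an assumption made for this example, not a real product schema or a real baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment baseline
KNOWN_EGRESS = {"198.51.100.20"}      # destinations the business normally talks to
ADMIN_GROUPS = {"DomainAdmins"}       # groups whose membership changes are privileged
EXFIL_BYTES = 1_000_000_000           # >= 1 GB to an unfamiliar IP -> treat as exfiltration
MASS_RENAME = 500                     # this many renames to one new extension -> ransomware pattern
MFA_BURST = 4                         # this many MFA pushes to one user ...
MFA_WINDOW = timedelta(minutes=5)     # ... inside this window -> MFA fatigue

TIER_NAMES = {1: "Critical", 2: "High", 3: "Medium", 4: "Low"}

# Constructed sample log lines: "<ISO timestamp> <source> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2024-03-02T01:58:00 auth WS-042 login user=jdoe result=fail
2024-03-02T01:58:04 auth WS-042 login user=jdoe result=fail
2024-03-02T01:59:10 mfa WS-042 push user=jdoe result=denied
2024-03-02T01:59:25 mfa WS-042 push user=jdoe result=denied
2024-03-02T01:59:40 mfa WS-042 push user=jdoe result=denied
2024-03-02T01:59:55 mfa WS-042 push user=jdoe result=denied
2024-03-02T02:00:10 mfa WS-042 push user=jdoe result=approved
2024-03-02T02:03:00 auth DC-01 group_add user=svc_backup2 group=DomainAdmins
2024-03-02T02:05:00 net FS-07 outbound dst=203.0.113.9 bytes=5200000000
2024-03-02T02:06:00 file FS-07 rename count=4100 ext=.locked
2024-03-02T02:07:00 auth WS-101 login user=asmith result=fail
"""


def parse_line(line):
    """Split one log line into a dict of fixed fields plus its key=value pairs."""
    ts, source, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "host": host, "event": event, **fields}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_indicators(events):
    """Return a list of (tier, host, description) for every indicator found."""
    found = []
    pushes = defaultdict(list)  # user -> MFA push events, for the burst check below
    for e in events:
        if e["event"] == "push":
            pushes[e["user"]].append(e)
        elif e["event"] == "outbound" and e["dst"] not in KNOWN_EGRESS:
            size = int(e["bytes"])
            if size >= EXFIL_BYTES:   # Tier 1: active data exfiltration
                found.append((1, e["host"], f"possible exfiltration: {size} bytes to unfamiliar {e['dst']}"))
            else:                     # Tier 3: suspicious, needs investigation
                found.append((3, e["host"], f"outbound traffic to unfamiliar {e['dst']}"))
        elif e["event"] == "rename" and int(e["count"]) >= MASS_RENAME:
            # Tier 1: mass extension change is the ransomware deployment signature
            found.append((1, e["host"], f"mass rename to {e['ext']} ({e['count']} files)"))
        elif e["event"] == "group_add" and e["group"] in ADMIN_GROUPS:
            # Tier 2: new admin account / unauthorized access to a sensitive system
            found.append((2, e["host"], f"new member of {e['group']}: {e['user']}"))
        elif e["event"] == "login" and e["result"] == "fail":
            # Tier 4: a failed login on its own is informational
            found.append((4, e["host"], f"failed login for {e['user']}"))

    # MFA fatigue: a burst of pushes to one user inside the window. A burst that
    # ends in an approval is treated as unauthorized access (Tier 2); a burst of
    # denials is a social-engineering attempt to investigate (Tier 3).
    for user, pl in pushes.items():
        pl.sort(key=lambda p: p["ts"])
        for i in range(len(pl)):
            window = [p for p in pl[i:] if p["ts"] - pl[i]["ts"] <= MFA_WINDOW]
            if len(window) >= MFA_BURST:
                approved = any(p["result"] == "approved" for p in window)
                minutes = MFA_WINDOW.seconds // 60
                desc = f"MFA fatigue: {len(window)} pushes to {user} within {minutes} min"
                found.append((2 if approved else 3, window[0]["host"],
                              desc + (", one approved" if approved else "")))
                break
    return found


def triage(events):
    """Map each affected host to its most severe tier (1 = Critical)."""
    by_host = {}
    for tier, host, _ in find_indicators(events):
        if host not in by_host or tier < by_host[host]:
            by_host[host] = tier
    return by_host


def report(text):
    """Human-readable triage: what happened, and which systems are affected."""
    events = parse_logs(text)
    lines = []
    for host, tier in sorted(triage(events).items(), key=lambda kv: kv[1]):
        lines.append(f"[Tier {tier} {TIER_NAMES[tier]}] {host}")
        for t, h, desc in find_indicators(events):
            if h == host:
                lines.append(f"    tier {t}: {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOGS))
```

On the sample, FS-07 comes out Tier 1 (exfiltration plus mass rename), WS-042 and DC-01 Tier 2, and WS-101 Tier 4, which is the prioritisation the "what systems are affected" question needs. The third question, whether the threat is still active, is answered by running the same pass repeatedly against fresh logs and comparing the results, not by a single batch.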
Phase 3: Containment — Stop the Bleeding
This is where the clock is loudest. Once you've confirmed an incident, containment is your first priority. Every minute of delay expands the blast radius.
Short-Term Containment
Isolate affected systems immediately. Pull them off the network — don't power them off unless you're dealing with active encryption. You want to preserve forensic evidence. Block malicious IPs and domains at your firewall. Disable compromised accounts. If a threat actor used credential theft to move laterally, reset passwords for all potentially affected accounts and enforce multi-factor authentication across the board.
In the MOVEit Transfer breach that impacted thousands of organizations in mid-2023, companies that had network segmentation in place contained the damage far more effectively than those with flat networks. Segmentation isn't glamorous, but it buys your response team time during containment.
Long-Term Containment
Once you've stopped the immediate spread, set up a clean staging environment. Rebuild affected systems from known-good backups. Apply patches to the vulnerability that was exploited. If you don't know the entry vector yet, assume the worst and segment aggressively until forensics gives you answers.
Phase 4: Eradication — Remove Every Trace
Containment stops the threat from spreading. Eradication removes it entirely. These are different steps, and I've seen teams skip eradication because containment made things feel safe. That's how you get re-compromised three weeks later.
Find the Root Cause
You can't eradicate what you don't understand. Work with your forensics team — internal or external — to determine:
- How did the threat actor gain initial access? Phishing? Exploited vulnerability? Compromised third party?
- What persistence mechanisms did they install? Backdoors, scheduled tasks, modified registry keys?
- Did they exfiltrate data? If so, what data and where did it go?
CISA's incident response guidance at cisa.gov/incident-response provides excellent checklists for eradication across different attack types. Bookmark it.
Clean and Validate
Remove all malware, unauthorized accounts, and persistence mechanisms. Reimage compromised machines rather than trying to clean them in place — you'll sleep better. Validate that your backups are clean before restoring. Scan restored systems with updated signatures. Then scan them again.
Phase 5: Recovery — Getting Back to Business
Recovery is where you bring systems back online in a controlled, monitored fashion. Rushing this phase is one of the most common mistakes I see.
Restore in Priority Order
Your business continuity plan should define system restoration priorities. Critical systems — email, payment processing, customer-facing applications — come first. Monitor restored systems intensely for at least 30 days. Watch for any indicators of compromise that suggest the threat actor maintained access.
Implement Zero Trust Principles
Recovery is the perfect time to implement security improvements you've been putting off. Adopt zero trust principles: verify every user, every device, every session. Don't trust internal traffic just because it's internal. The NIST Zero Trust Architecture framework at nist.gov provides a solid implementation roadmap.
Enforce multi-factor authentication on every account — no exceptions. Segment your network so a single compromised workstation can't reach your domain controllers. Harden your email gateway to catch social engineering attempts before they reach inboxes.
Phase 6: Post-Incident Activity — The Phase That Prevents the Next Breach
This is the phase that separates mature organizations from everyone else. After the adrenaline fades, you need a structured lessons-learned process.
Conduct a Blameless Post-Mortem
Within two weeks of incident closure, bring the entire response team together. Walk through the timeline. Identify what worked, what didn't, and what was missing. Document specific, actionable improvements — not vague commitments like "improve security." I mean items like: "Deploy EDR to the 47 endpoints in the warehouse that weren't covered" or "Reduce phishing simulation click rate from 22% to under 10% by Q2."
Update Your Plan
Every incident teaches you something. Feed those lessons back into your incident response plan. Update contact lists, escalation procedures, and technical playbooks. If your security awareness training didn't cover the specific attack vector that hit you, update it immediately.
Report Where Required
Depending on your industry and the data involved, you may have legal obligations to report. The FBI's Internet Crime Complaint Center at ic3.gov accepts reports on cyber incidents and provides data that helps the broader security community. State breach notification laws vary — your legal counsel should have a matrix ready before an incident occurs.
The Mistake That Undermines Every Phase
Here's what I've seen sink more incident response efforts than any technical failure: organizations treat these cyber incident response steps as an IT problem rather than a business problem. When the CEO finds out about a breach from a reporter instead of from the incident commander, the response has already failed.
Executive leadership must be part of the preparation phase. They must understand the plan, their role in it, and the decisions they'll need to make under pressure — like whether to shut down a revenue-generating system or accept risk while forensics continues.
Building a Culture That Responds Fast
The organizations that respond best to cyber incidents are the ones where every employee understands their role in security. That starts with consistent training. Not once-a-year compliance checkboxes — ongoing, scenario-based education that keeps security awareness front of mind.
If you haven't invested in structured cybersecurity awareness training, your preparation phase has a critical gap. Combine that with regular phishing awareness exercises that test and reinforce what employees learn, and you'll dramatically reduce both the likelihood and impact of incidents.
The 2023 Verizon DBIR made it clear: the human element remains the primary attack vector. Social engineering, credential theft, and phishing are how threat actors get in. Your incident response steps matter enormously — but the best incident is the one that never happens because an employee recognized the attack and reported it in time.
Your Next Step
Pull up your current incident response plan right now. If it's more than six months old, schedule a tabletop exercise this month. If you don't have a plan at all, start with the NIST SP 800-61 framework and customize it for your environment. Assign roles. Test your backups. Run a phishing simulation. Do one thing today that makes tomorrow's incident response faster and more effective.
Because the question isn't whether your organization will face a cyber incident. It's whether you'll be ready when it arrives.