SANS Institute provides six steps for effective incident response:

1. 1. Preparation – Preparation is the most important phase of incident response is preparing for an inevitable security breach.  Preparation assists organizations in determining how well their IR Team will be able to respond to an incident and should involve policy, response plan and strategy, communication, documentation, defining the IR Team members, access control, tools and training.
   2. Identification – Identification is the process through which incidents are detected, ideally promptly to enable rapid response to reduce costs and damage.  To be effective, the IR Team gathers events from log files, monitoring tools, intrusion detection systems and firewalls to detect and decide incidents and their scope.
   3. Containment – Containment is a priority once an incident is detected or identified.  The goal is to contain the damage and prevent further damage from occurring.  The sooner an incident is contained the less damage  to re-mediate.
   4. Eradication – Eradication is the phase of effective incident response that requires removing the threat and restoring affected systems to earlier status, while minimizing data lost.
   5. Recovery – During recovery; testing, monitoring and validating systems while putting them back into production to verify that they are not re-infected or compromised.
   6. Rebuild – During the rebuild stage, systems considered to be irreparable are rebuilt and backed up data restored.  Further monitoring systems to verify eradication processes have been effective.