
Key Terms and Stakeholders in Incident Response

Incident response depends on a shared vocabulary and a clear map of who is responsible for what. This topic defines essential terms such as IOC, TTP, and threat actor, and identifies the stakeholders involved from technical responders to legal counsel, executives, and regulators.


Incident response is the coordinated process by which an organisation detects, contains, investigates, and recovers from a security incident. Before that process can function, every participant must understand a common set of terms and know their own role. An Indicator of Compromise (IOC) is an observable artefact that signals a breach, such as a malicious file hash or an unusual outbound connection. Tactics, Techniques, and Procedures (TTPs) describe how a threat actor operates, from high-level goals down to granular actions. A CSIRT is the team responsible for managing the response once an incident is confirmed. An escalation path is the predefined chain of authority that determines who is notified as severity rises. These definitions are not abstract: in a real incident, confusion over terminology or responsibility wastes the minutes that determine whether containment succeeds.

The stakeholder map in incident response spans far beyond the technical team. A data breach that triggers regulatory notification obligations involves legal counsel, compliance officers, communications staff, executives, and external authorities, all of whom must act on information provided by technical responders who speak a different language. Misaligned vocabulary between the SOC analyst who found the intrusion and the board member who must authorise the response budget is a documented cause of slow or poorly scoped incidents. Shared terminology is not a formality: it is the operating system of the response.

International frameworks such as NIST SP 800-61 and the SANS PICERL model define these terms consistently, and knowledge bases such as MITRE ATT&CK have standardised the description of TTPs across the industry. Regulatory instruments add their own vocabulary: the EU General Data Protection Regulation (GDPR) defines a personal data breach and specifies notification timelines; the US Health Insurance Portability and Accountability Act (HIPAA) defines a breach of protected health information; India's Digital Personal Data Protection Act 2023 (DPDPA) uses data fiduciary, data principal and significant data fiduciary as its primary classifications. Knowing which vocabulary applies in a given jurisdiction is part of stakeholder preparation.

By the end of this topic you will be able to:

  • Define IOC, TTP, threat actor, CSIRT, and escalation path and explain how each is used in an active incident response.
  • Distinguish between tactics, techniques, and procedures using the MITRE ATT&CK framework as a reference.
  • Identify the technical, legal, business, and regulatory stakeholders involved in a serious incident and describe each group's primary responsibility.
  • Describe the purpose and structure of an escalation path and explain what determines when an incident moves from the SOC to the CSIRT to executive leadership.
  • Map the CSIRT roles (lead, forensic analyst, threat intelligence, communications liaison) to their functions during an active response.
Key terms
Indicator of Compromise (IOC)
A forensic artefact or observable that suggests a system has been breached. IOCs include file hashes, IP addresses, domain names, registry keys, and behavioural patterns. They are shared via threat intelligence feeds and used to detect intrusions or confirm that a host is affected.
Tactics, Techniques, and Procedures (TTPs)
A three-level description of adversary behaviour. Tactics are the high-level goals (initial access, persistence, exfiltration). Techniques are the specific methods (spear-phishing, pass-the-hash). Procedures are the step-by-step actions observed in a particular campaign. The MITRE ATT&CK framework organises TTPs across 14 tactic categories.
Threat Actor
An individual or group responsible for a security incident or malicious campaign. Threat actors are categorised by motivation (financial, espionage, hacktivism, destruction) and by sophistication. Nation-state actors, organised criminal groups, and opportunistic script kiddies each present different risk profiles and require different responses.
CSIRT (Computer Security Incident Response Team)
A dedicated team responsible for coordinating the response to confirmed security incidents. The CSIRT manages containment, forensic investigation, communication to stakeholders, and recovery. It may be internal to an organisation or contracted externally. National CSIRTs (such as CERT-In in India or CISA in the US) also provide coordination across sectors.
Escalation Path
The predefined chain of notification and decision-making authority that an incident follows as its severity increases. Documented in the IR plan before any incident occurs, it specifies who must be informed at each severity level, what actions they are authorised to take, and at what point external notification to regulators or affected parties is required.
SOC (Security Operations Centre)
A function providing continuous monitoring, alert triage, and early detection of security events. The SOC is the first tier of response: it identifies candidate incidents, filters false positives, and escalates confirmed or suspected incidents to the CSIRT. SOC analysts typically work from a SIEM platform against defined detection rules and playbooks.

IOCs: what they are and how they are used

An Indicator of Compromise is evidence, extracted from a system or network, that points to a breach. The concept originates in host and network forensics: investigators examining a compromised machine identify artefacts that distinguish malicious activity from normal operation. Those artefacts are then codified as IOCs and shared, allowing other defenders to search their own environments for the same markers.

| IOC type | Example | Where found | Common use |
|---|---|---|---|
| File hash (MD5/SHA-256) | 3c5f9c2a...d8e1 | Endpoint filesystem, memory | Malware identification |
| IP address | 185.220.101.47 | Firewall logs, netflow | C2 server detection |
| Domain name | update-security[.]net (defanged for safe sharing) | DNS logs, proxy logs | Phishing and C2 domains |
| Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\svc | Windows registry | Persistence mechanisms |
| URL path | /admin/upload.php?cmd= | Web server logs | Exploitation attempts |
| Email subject line / sender | Invoice_2025.zip from no-reply@ | Mail gateway logs | Phishing campaigns |

IOCs are shared via structured formats. STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Intelligence Information) are the dominant open standards. Commercial threat intelligence platforms aggregate IOC feeds from multiple sources, apply confidence scoring, and push indicators to SIEM rules and endpoint detection tools automatically.

TTPs and the MITRE ATT&CK framework

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a publicly maintained knowledge base of adversary behaviour, built from real-world observations of cyber intrusions. It organises TTPs across 14 tactic categories for enterprise environments: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.

Each technique has a unique identifier (for example, T1566 for Phishing), sub-techniques for variants (T1566.001 for Spearphishing Attachment), and documented mitigations and detections. An incident responder who identifies a technique in the ATT&CK matrix can immediately consult associated detection opportunities and mitigation controls. This is the practical value of the framework: it translates an observed attacker action into a structured search for evidence and a set of concrete defensive steps.

Procedures are the specific implementation of a technique by a particular actor or campaign. Two groups may both use T1003 (OS Credential Dumping), but one uses Mimikatz run from a command shell and the other uses a custom-compiled tool loaded via reflective DLL injection. The procedure-level detail matters for attribution and for understanding the full scope of a compromise: knowing which specific procedure was used tells the responder where to look for artefacts and what additional techniques the actor is likely to follow with.

Threat actors: categories and relevance to response

A threat actor is the individual or group behind a malicious act. Classifying the actor is not academic: it shapes the response, the evidence strategy, and the notification obligations. A ransomware group encrypts data for financial gain and typically announces itself; a nation-state actor conducting espionage may be present for months without leaving obvious signs. The response timeline, the forensic depth required, and the legal obligations differ substantially between the two.

| Actor category | Motivation | Typical sophistication | Notification implication |
|---|---|---|---|
| Nation-state / APT | Espionage, disruption | High, long dwell time | Often classified; sector-specific regulators |
| Organised crime | Financial (ransomware, BEC, fraud) | Medium to high | Breach notification if data exfiltrated |
| Hacktivist | Political / ideological | Variable | Depends on data involved |
| Insider threat | Financial, revenge, coercion | Variable; high access | HR, legal, law enforcement |
| Opportunistic / script kiddie | Curiosity, low-level financial | Low | Notification if data involved |

Advanced Persistent Threat (APT) is a specific term for a sophisticated, state-sponsored or state-linked actor who gains long-term access and maintains it stealthily. The term is sometimes misused as a synonym for any sophisticated attack; the key distinguishing features are the persistence (dwell times measured in months or years) and the stealth (covering tracks, blending into legitimate traffic, using legitimate tools).

CSIRT structure and the escalation path

A CSIRT is the team formally responsible for managing a confirmed security incident from containment through recovery. Its composition varies by organisation size, but the core functional roles are consistent. The CSIRT lead coordinates the response, assigns tasks, manages communications to leadership, and makes containment decisions. The forensic analyst collects and analyses evidence from affected systems. The threat intelligence analyst contextualises the attack using IOC feeds and TTP databases. The communications liaison is the interface to non-technical stakeholders: legal counsel, executives, regulators, and the public.

The escalation path defines when and how an incident moves up the chain of authority. A common three-tier structure works as follows. Tier 1 covers the SOC analyst who triages alerts and confirms whether an event is a genuine incident. Tier 2 covers the CSIRT, activated when a confirmed incident is scoped and containment decisions are needed. Tier 3 covers executive leadership, legal counsel, and board notification, triggered when the incident involves regulated data, financial impact above a defined threshold, or reputational risk to the organisation.

National CSIRTs operate at the sector or country level. CERT-In (Indian Computer Emergency Response Team) is India's national nodal agency under the Ministry of Electronics and Information Technology; its April 2022 directions, issued under section 70B of the Information Technology Act 2000, impose a mandatory six-hour reporting requirement for specified incident types. In the EU, national CSIRTs operate under the NIS2 Directive framework. CISA (Cybersecurity and Infrastructure Security Agency) coordinates response for US critical infrastructure. These bodies provide threat intelligence sharing, technical assistance, and coordination across organisations in a sector-wide incident.

The full stakeholder map

A serious incident activates stakeholders well beyond the technical response team. The following groups and their primary responsibilities form the complete map.

| Stakeholder | Primary responsibility | Key decision or action |
|---|---|---|
| SOC analyst | Alert triage, initial scoping | Confirm incident, escalate to CSIRT |
| CSIRT lead | Response coordination | Containment decisions, task assignment |
| Forensic investigator | Evidence collection and analysis | Chain of custody, root cause |
| Threat intelligence analyst | Contextualise attack | Actor attribution, TTP mapping |
| CISO | Risk ownership, board liaison | Authorise response spend, notify executives |
| Legal counsel | Notification obligations, evidence preservation | Legal hold, regulatory filing |
| Communications / PR | Internal and external messaging | Draft statements, manage media |
| HR (insider threat) | Employee actions | Account suspension, investigations coordination |
| Regulator (e.g., ICO, CERT-In, HHS) | Oversight, mandatory notification recipient | Accept notification, may audit |
| Affected individuals | Rights under data protection law | Notification recipients in breach scenarios |
| Law enforcement | Criminal investigation | Evidence preservation, prosecution |

Legal counsel plays a role that is often underappreciated in technical circles. They determine whether attorney-client privilege applies to forensic reports, which affects whether those reports can be compelled in litigation. They advise on notification deadlines: the UK ICO requires notification within 72 hours of the organisation becoming aware of a breach under UK GDPR (the EU GDPR sets the same 72-hour window); the EU's NIS2 Directive requires an early warning within 24 hours of becoming aware of a significant incident; India's DPDPA 2023 requires notification of the Data Protection Board and affected data principals without delay; US state breach notification laws set timelines ranging from 30 to 90 days depending on jurisdiction. Missing a deadline is a separate regulatory violation from the incident itself, and the clock starts at awareness, which is why the time at which the SOC confirmed the incident must be recorded precisely.

Using the vocabulary in practice

The real test of shared vocabulary is whether it survives contact with a real incident. Consider a scenario: a SOC analyst notices an unusual outbound DNS query from a server in the finance segment. The domain resolves to an IP address flagged in two threat intelligence feeds as a known command-and-control (C2) address for a financially motivated criminal group. The analyst has identified an IOC (the flagged domain and IP), a possible threat actor category (organised crime), and a probable tactic (command and control, ATT&CK TA0011).

The analyst escalates to the CSIRT lead using a structured notification: the incident type (suspected C2 communication), the affected asset (finance segment server), the IOC (domain and IP with source references), and the confidence level (medium, two independent feeds). The CSIRT lead can now make a containment decision, brief the CISO using the same vocabulary, and instruct the forensic analyst on what evidence to preserve. If the server holds personal data, legal counsel receives a parallel briefing and starts the clock on notification deadlines.
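The scenario above can be run end to end in a few dozen lines: match a STIX-style indicator feed (the sharing format described under IOCs) against DNS and proxy log lines, derive confidence from the number of independent feeds, and emit the structured notification the SOC analyst hands to the CSIRT lead, with the escalation tier chosen according to whether the asset holds regulated data. This is an added example written for this page, not code from any threat intelligence platform or SIEM. The feed entries, log lines, hostnames and the `ASSETS` inventory are all constructed; the STIX patterns are simplified to single comparisons and the 203.0.113.0/24 address is a documentation-reserved range.

```python
"""Added example: IOC matching over constructed log lines, producing the
structured escalation record described in the scenario."""
import json
import re
from collections import defaultdict

# Simplified STIX 2.1 comparison pattern: [object-type:property = 'value'].
PATTERN_RE = re.compile(r"\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']+)'\]")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed feed. Two feeds report the domain (one of them defanged), both report the IP.
IOC_FEED = [
    {"pattern": "[domain-name:value = 'update-security[.]net']", "sources": ["feed-a"],
     "label": "C2 domain, financially motivated group"},
    {"pattern": "[domain-name:value = 'update-security.net']", "sources": ["feed-b"],
     "label": "C2 domain"},
    {"pattern": "[ipv4-addr:value = '185.220.101.47']", "sources": ["feed-a", "feed-b"],
     "label": "C2 server"},
]

# Constructed asset inventory: hypothetical hostnames and segments.
ASSETS = {
    "fin-app-02": {"segment": "finance", "regulated_data": True},
    "hr-ws-11": {"segment": "corporate", "regulated_data": False},
}

# Constructed log lines in a key=value style; not from any real product.
LOG_LINES = [
    "2025-03-04T09:12:07Z dns src=10.20.5.14 host=fin-app-02 qname=update-security.net rcode=NOERROR answer=185.220.101.47",
    "2025-03-04T09:12:09Z proxy src=10.20.5.14 host=fin-app-02 dst=185.220.101.47:443 method=CONNECT",
    "2025-03-04T09:13:00Z dns src=10.20.7.3 host=hr-ws-11 qname=example.org rcode=NOERROR answer=203.0.113.5",
]


def refang(value):
    """Undo common defanging so feed values compare equal to raw log values."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_pattern(pattern):
    """Return (object type, property, normalised value) from a STIX comparison pattern."""
    m = PATTERN_RE.fullmatch(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return m.group("obj"), m.group("prop"), refang(m.group("val")).lower()


def build_index(feed):
    """Index indicators by (object type, value), merging the feeds that reported each one."""
    index = defaultdict(lambda: {"sources": set(), "labels": set()})
    for entry in feed:
        obj, _prop, val = parse_pattern(entry["pattern"])
        index[(obj, val)]["sources"].update(entry["sources"])
        index[(obj, val)]["labels"].add(entry["label"])
    return index


def parse_log_line(line):
    ts, kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"], fields["kind"] = ts, kind
    return fields


def observables(fields):
    """Yield the (object type, value) pairs a log line exposes for matching."""
    if fields["kind"] == "dns":
        yield "domain-name", fields["qname"].lower()
        if fields.get("answer"):
            yield "ipv4-addr", fields["answer"]
    elif fields["kind"] == "proxy":
        dst = fields["dst"].rsplit(":", 1)[0].lower()
        yield ("ipv4-addr" if IPV4_RE.match(dst) else "domain-name"), dst


def scan(lines, index):
    """Return {host: [matched IOCs]} for every log line that hits the index."""
    hits = defaultdict(list)
    for line in lines:
        fields = parse_log_line(line)
        for obj, val in observables(fields):
            if (obj, val) in index:
                hits[fields["host"]].append({"ts": fields["ts"], "type": obj, "value": val,
                                             "sources": sorted(index[(obj, val)]["sources"])})
    return hits


def confidence(n_sources):
    """Independent feeds reporting the same indicator: 1 -> low, 2 -> medium, 3+ -> high."""
    return "low" if n_sources < 2 else "medium" if n_sources == 2 else "high"


def escalation_record(host, hits, assets):
    """The structured SOC -> CSIRT notification; Tier 3 parties added when regulated data is involved."""
    asset = assets.get(host, {})
    sources = set().union(*(set(h["sources"]) for h in hits))
    regulated = asset.get("regulated_data", False)
    return {
        "incident_type": "suspected C2 communication",
        "affected_asset": {"host": host, "segment": asset.get("segment", "unknown")},
        "iocs": hits,
        "confidence": confidence(len(sources)),
        "attack_tactic": "TA0011 Command and Control",
        "tier": 3 if regulated else 2,
        "notify": ["CSIRT lead", "legal counsel", "CISO"] if regulated else ["CSIRT lead"],
    }


def triage(lines=LOG_LINES, feed=IOC_FEED, assets=ASSETS):
    index = build_index(feed)
    return [escalation_record(h, hits, assets) for h, hits in scan(lines, index).items()]


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

The record keeps the feed references with each IOC so the CSIRT lead can cite provenance when briefing the CISO, and the tier is decided by asset classification rather than by the analyst's judgement in the moment, which is the point of documenting the escalation path in advance.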

The same vocabulary also anchors the post-incident review. The after-action report will describe the threat actor category, the TTPs observed (mapped to ATT&CK identifiers), the IOCs that were and were not detected, the escalation path taken, and the points where communication failed or was delayed. That structured record feeds into updated playbooks, detection rules, and stakeholder briefing templates for future incidents. For further detail on building the team that executes this vocabulary, see Building a Computer Security Incident Response Team.

Check your understanding

A SOC analyst finds that malware on a compromised host connects to a domain listed in a threat intelligence feed as a known command-and-control server. What is this domain an example of?

Key Takeaways

  • IOCs are forensic artefacts (hashes, IPs, domains, registry keys) that signal a breach; they degrade quickly as threat actors rotate infrastructure, so TTP-based detection is a more durable complement.
  • TTPs describe adversary behaviour at three levels: tactics (goals), techniques (methods), and procedures (specific implementations). The MITRE ATT&CK framework provides a structured, publicly maintained reference for all three levels.
  • The CSIRT is the team that manages a confirmed incident; the SOC is the function that detects and triages candidate incidents. Escalation from SOC to CSIRT to executive leadership should follow a predefined path documented before any incident occurs.
  • A serious incident activates a wide stakeholder map: technical responders, the CISO, legal counsel, communications, HR, regulators, and affected individuals all have defined roles. Legal counsel is critical for notification deadlines, which vary by jurisdiction (72 hours for UK/EU GDPR, 24 hours under NIS2 early warning, six hours for certain incidents under CERT-In directions).
  • Shared vocabulary is a prerequisite for effective response: a SOC analyst who cannot communicate IOCs, TTPs, and scope to a CISO in plain terms, and a CISO who cannot translate that information into a regulatory notification, produce a response that is slower and more error-prone than one built on a common language.
What is an Indicator of Compromise (IOC)?
An Indicator of Compromise is a forensic artefact or observable that suggests a host or network has been breached. Examples include a specific file hash, a known-malicious IP address, an unusual registry key, or an anomalous DNS query. IOCs are shared between organisations through threat intelligence feeds and used to detect or confirm intrusions during triage and investigation.
What do TTPs stand for in cybersecurity?
TTPs stands for Tactics, Techniques, and Procedures. Tactics describe the high-level goal an attacker is pursuing, such as initial access or lateral movement. Techniques are the specific methods used to achieve that goal, such as spear-phishing or pass-the-hash. Procedures are the granular step-by-step actions observed in a particular campaign. The MITRE ATT&CK framework organises publicly documented TTPs into a structured matrix.
What is a CSIRT and how does it differ from a SOC?
A Computer Security Incident Response Team (CSIRT) is a dedicated group responsible for coordinating the response to confirmed security incidents. A Security Operations Centre (SOC) is a function focused on continuous monitoring, alert triage, and early detection. In practice, the SOC detects an incident and escalates it to the CSIRT for formal response. Some organisations combine both functions; others keep them separate to maintain clear accountability.
Who are the key stakeholders in an incident response?
Stakeholders span technical, legal, business, and regulatory domains. Technical stakeholders include SOC analysts, CSIRT members, threat hunters, and forensic investigators. Business stakeholders include the CISO, CIO, and executive leadership who own risk decisions. Legal counsel advises on notification obligations and evidence handling. Communications teams manage internal and external messaging. Regulators such as data protection authorities may be mandatory notification recipients depending on the incident type and jurisdiction.
What is an escalation path in incident response?
An escalation path is the predefined chain of notification and decision-making authority that an incident follows as its severity increases. A low-severity alert stays with the SOC analyst. A confirmed breach escalates to the CSIRT lead. A major breach involving regulated data escalates further to the CISO, legal counsel, and executive management, and may trigger mandatory external notification to regulators or affected individuals. Documenting the escalation path in the IR plan before an incident occurs is a core element of forensic readiness.
