Now that we understand the basic concept of the phases in incident response, let's review the following diagram to see how these phases can be integrated to enable cyber intelligence in the organization:
The Preparation phase of Incident Response is the culmination of policies, procedures, training, and so on, which can be mapped to different capabilities within the organization through the use of RASCI matrices. The processes identified in these matrices are executed in the Detection and Analysis and the Containment, Eradication, and Recovery phases of the Incident Response process. These two phases map to the Find, Fix, Finish, and Exploit steps of the F3EAD process and cover detecting anomalies against baselines, boxing in threats, removing them, and putting the systems back online. All of the Post-Incident Activity maps to Analyze and Disseminate, as this information will be used to improve the organization's ability to prepare for a similar incident in the future.