# 6 Questions You Must Ask for a Successful Incident Response

By [Mark Brozek](https://www.paloaltonetworks.com/blog/author/mark-brozek/?ts=markdown "Posts by Mark Brozek"), Jul 18, 2016. Filed under [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown); tags: [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown), [Incident Response](https://www.paloaltonetworks.com/blog/tag/incident-response/?ts=markdown), [SOAR](https://www.paloaltonetworks.com/blog/tag/soar/?lang=ja&ts=markdown).

For most organizations, suffering a cyberattack is not a matter of "if" -- it is a matter of "when."
Today's attackers have more technology at their disposal and are more persistent than ever before, and their rapidly evolving methods allow them to circumvent even the most sophisticated preventive measures. Recent large-scale attacks, including ransomware campaigns, have succeeded through social engineering: phishing emails, pop-ups, and free download links built by attackers deliver Trojans and other malware. Once a user opens the download or attachment and lets the malware onto their system, it sets off a chain of events that ends with the organization either paying a king's ransom or risking having its private files and other important business information published or permanently deleted.

Having response mechanisms in place for swift, timely mitigation and limited system downtime helps organizations address a cyberattack on their network. An effective incident response program must consider these questions:

## 1. Who is responsible for the attack?

Understanding the attacker's mindset makes it easier to prepare a comprehensive defense. Organizations should identify the likely criminal element at the start of their breach analysis. The type of business under attack matters: there is a big difference between a Scottish teenager hacking Facebook and a successful ransomware attack against a major university. Identifying the attacker means distinguishing whether they are a lone wolf, a state-sponsored criminal organization, or a hacktivist group.

## 2. What is the attack's target?

Organizations should examine what the attacker went after to understand the attacker's sophistication, resources, and level of commitment.
In the examples above, the response to a hacker who is out for social glory differs vastly from the response to a ransomware operator who wants tens of thousands of dollars and whose threat is triggered by an expiration date. Serious cybercriminals seeking large financial rewards for minimal effort are turning to DDoS attacks and ransomware as their preferred methods.

## 3. When did the attack take place?

Timing is everything in incident response. It can be the difference between losing an entire database of business information and keeping it, and between spending hundreds of dollars and thousands to get that information back. Attackers are smart, and they often strike during holidays and other off-hours when businesses are more likely to be short-staffed and off guard. Timing also covers disclosure: incident responders should make sure that everyone who needs information about the attack receives it promptly, so they can mitigate damage on their end as well.

## 4. Where was the attack directed?

The single most important piece of information when evaluating the full circumstances of a breach is likely where the attack was aimed. Incident responders should examine the entire attack surface, including the network, partners, suppliers, remote contacts, and any external sources of portable data that could be involved. Email, for example, is often the culprit in today's attacks, because the aim is to persuade unsuspecting users to open attachments that launch Trojans and other malware.

## 5. Why did the attack take place?

The attacker's motive is a key element to consider during a cyberattack. Effective external communication is needed to explain why the attack occurred so that those affected know exactly where to turn to address their own damages.

## 6. How did the attack happen?

Organizations need a detailed account of how the attack was orchestrated and how the breach occurred in order to defend against it effectively and begin remediation.

Addressing these questions as part of a well-devised incident response plan limits emotion-driven actions and enables quick, effective remediation. Solutions are also available today to help SOC analysts gather the answers to these questions and collaborate on a plan of action. An information sharing platform helps the incident response team collect, process, and share large amounts of information, and keeps it flowing between all parties during the investigation. Overall, good incident coordination depends on information gathering, processing, and sharing. As a bonus, the accumulated data can be invaluable for handling future attacks.

If you are an IT security professional looking for a platform to help streamline incident management processes and security operations, [sign up for the Free Community Edition of Cortex SOAR.](https://start.paloaltonetworks.com/sign-up-for-community-edition.html)
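Pulling the six questions together in code, as an added example that is not part of the original post and not code from any Palo Alto Networks product: the script below takes constructed log lines from three sources that disagree on timestamp format, normalizes them to UTC, orders the timeline, computes the dwell time between the first evidence and detection and flags whether initial access landed off-hours (question 3), lists the hosts and addresses involved (question 4), records the chain of observed actions (question 6), and deliberately leaves "who" and "why" empty, since logs alone do not establish attribution or motive (questions 1 and 5). The hostnames, addresses, field names, the 08:00-18:00 business-hours window, and the year assumed for syslog-style timestamps are all this example's own assumptions.

```python
"""Incident triage around the post's six questions: who, what, when, where, why, how.

Added example, not code from the original post or from Palo Alto Networks.
Log lines, hostnames, addresses and field names are constructed; the
business-hours window and the year assumed for syslog-style timestamps
are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events from three log sources, each with a different
# timestamp convention: (source, raw line). Nothing here is a real indicator.
SAMPLE_LOGS = [
    ("mailgw", "2016-07-16T02:14:07-04:00 action=deliver to=finance@example.test attach=invoice_0716.zip verdict=clean"),
    ("edr", "Jul 16 06:17:02 UTC host=FIN-WS07 file=README_DECRYPT.txt action=write"),
    ("fw", "1468649790 src=10.20.30.7 dst=203.0.113.9 dport=443 action=allow"),
    ("edr", "Jul 16 06:15:41 UTC host=FIN-WS07 proc=wscript.exe parent=outlook.exe action=create"),
    ("soc", "2016-07-18T13:05:00+00:00 alert=ransom-note-detected action=triage"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime  # timezone-aware UTC after parsing
    source: str
    fields: dict


def parse_timestamp(source: str, line: str, assumed_year: int = 2016) -> tuple[datetime, str]:
    """Return (UTC datetime, remainder of line) for epoch, ISO 8601 and syslog-style lines.

    Syslog-style lines carry no year, so one is assumed here (assumption);
    a real pipeline would take it from the collector.
    """
    head, _, rest = line.partition(" ")
    if head.isdigit():  # epoch seconds (firewall)
        return datetime.fromtimestamp(int(head), tz=timezone.utc), rest
    if re.match(r"\d{4}-\d{2}-\d{2}T", head):  # ISO 8601 with UTC offset
        return datetime.fromisoformat(head).astimezone(timezone.utc), rest
    m = re.match(r"([A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) UTC (.*)", line)
    if not m:
        raise ValueError(f"{source}: unrecognised timestamp in {line!r}")
    naive = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return naive.replace(year=assumed_year, tzinfo=timezone.utc), m.group(2)


def build_timeline(logs, assumed_year: int = 2016) -> list[Event]:
    """Normalise every line to UTC and order it, since sources disagree on formats."""
    events = []
    for source, line in logs:
        ts, rest = parse_timestamp(source, line, assumed_year)
        events.append(Event(ts, source, dict(KV_RE.findall(rest))))
    return sorted(events, key=lambda e: e.ts)


def off_hours(ts: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    """True on weekends or outside the assumed 08:00-18:00 window (evaluated in
    UTC here; use the victim organisation's local zone in practice)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def summarize(timeline: list[Event], detection_source: str = "soc") -> dict:
    """Answer the six questions from evidence. 'who' and 'why' stay None until
    analysts decide them: logs alone do not establish attribution or motive."""
    detection = next(e for e in timeline if e.source == detection_source)
    first = timeline[0]
    evidence = [e for e in timeline if e.source != detection_source]
    where = sorted({v for e in evidence for k, v in e.fields.items() if k in ("host", "src", "dst", "to")})
    artifacts = sorted({v for e in evidence for k, v in e.fields.items() if k in ("attach", "proc", "file")})
    how = [f"{e.source}:{e.fields.get('action', '?')}" for e in evidence]
    return {
        "who": None,
        "what": artifacts,
        "when": {
            "first_seen": first.ts.isoformat(),
            "detected": detection.ts.isoformat(),
            "dwell_seconds": int((detection.ts - first.ts).total_seconds()),
            "first_seen_off_hours": off_hours(first.ts),
        },
        "where": where,
        "why": None,
        "how": how,
    }


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS)
    for e in tl:
        print(e.ts.isoformat(), e.source, e.fields)
    print(summarize(tl))
```

In the constructed data the phishing delivery lands early on a Saturday morning and is not triaged until Monday, so the summary reports a dwell time of just over two days and flags the initial access as off-hours, which is exactly the short-staffed window the post warns about. The "how" chain reads in order from delivery to outbound connection to ransom note, while "who" and "why" remain open items for the analyst rather than being guessed from the logs.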