
CanSecWest 2025
Presentations
Counter-Incident Response: Anticipating Attacker Moves
Traditional incident response focuses on detecting, containing, and remediating threats, while counter-incident response includes the additional layer of preparing for adversarial interference in these processes. In this talk, we will look at various scenarios we encountered in our incident response cases. From the lessons learned from these cases, we have now developed strategies and processes that make it unlikely that an attacker who is still in the network can manipulate our incident response processes, or that at least ensure we are prepared for the manipulation and can prevent it with compensatory measures.