Figuring out an incident response plan for your organization can be a daunting item on your to-do list. Whether it’s a malware infection or an unauthorized user discovered on your system, every security incident requires a unique response. So where to begin?
Mature incident response plans may consist of comprehensive flowcharts and detailed playbooks for an exhaustive list of eventualities. These are typically built through experience—compiled by outsourced incident response experts or by internal teams who, over time and across multiple incidents, meticulously document which response actions work and which don’t.
But there’s a problem with this approach: as an incident response plan becomes more sophisticated, it also becomes more specific to the organization that developed it and less applicable to others. This guide therefore sticks to the basics that apply broadly. Consider it your starting point.
Basic response actions: a handy checklist
The aftermath of a breach or other incident can be chaotic, and the last thing you want is to be making up an incident response plan on the fly. The incident handlers on Red Canary’s Cyber Incident Response Team (CIRT) have seen it all, and after reflecting upon their customer successes, landed on some basic response actions that could make all the difference at any targeted organization, whether you’re a tiny startup or a Fortune 500 mainstay.
Security teams can reference this list as they respond to and remediate incidents. From here, teams can iterate and work toward their own custom and comprehensive incident response plans. Whether you’re dealing with a strain of ransomware like LockerGoga or a trojan like Emotet, you’ll often end up following a lot of the same response and remediation actions.
How to use this guide
Below, you will find basic response actions for the following categories of incidents:
- High criticality: Initiate response within 2 hours
- Medium criticality: Initiate response within 4 hours
- Low criticality: Initiate response within 24 hours
Keep in mind that responding to a security incident requires nuance, and the best incident response plans consider an organization’s tooling, internal expertise, and other factors. The guidance listed here is not comprehensive, as it lacks critical organizational context. Use these checklists as a building block to create a brand new response process or improve your existing plan.