What Is an Incident Response Plan?

Like other emergency situations, a critical cybersecurity incident can cause confusion, delays, duplication of effort, avoidable errors, and even full-scale chaos as the organization tries to address the threat. Urgent pressure from senior leaders for immediate action can make things even worse.

That’s why it is so important to implement, test, and regularly update an incident response plan. This formal, written document, approved by leadership, provides detailed guidance to security, legal, communications, and IT teams for managing and recovering from a cybersecurity incident. The plan defines roles and responsibilities and describes the desired sequence of activities and actions before, during, and after an incident. It also covers training, updates, and post-incident reviews to identify areas for improvement.

Besides being essential to a strong security posture, an incident response plan may be required by regulations such as HIPAA, PCI DSS, and GDPR.

Types of security incidents

What types of cybersecurity incidents should a plan address? Before we discuss them, it’s important to explain exactly what is meant by an incident.

  • According to Microsoft: “An incident is a group of correlated alerts that humans or automation tools have deemed likely to be a genuine threat.”
  • According to TechTarget: “A security incident is an event that could indicate that an organization’s systems or data have been compromised or that security measures put in place to protect them have failed.”

We can also define an incident according to the CIA Triad as an occurrence that threatens the confidentiality, integrity, or availability of information systems and sensitive data.

Following is a list of common security incidents:

  • Phishing and social engineering
  • Malware, including ransomware, trojans, and keyloggers
  • Insider threats
  • Brute-force attacks
  • Denial of service/distributed denial of service attacks (DoS/DDoS)
  • Privilege escalation attacks
  • Supply chain attacks
  • Email account takeovers

Because specific industries are highly susceptible to certain types of attacks (e.g., ransomware attacks on government agencies; DDoS attacks on online retailers), the plan should take these factors into account. Further, as threat actors adjust their tactics, techniques, and procedures (TTPs) to capitalize on emerging vulnerabilities, the plan must reflect these changes.

Why incident response planning is important

Security incidents can cause enormous financial, operational, legal, and reputational damage. A comprehensive, effective incident response plan can mitigate this damage and help the organization recover as rapidly as possible.

Here are some specific reasons why creating and following a formal plan is so beneficial:

  • Preparation: Training for an incident using the plan familiarizes teams with the response process for different types of scenarios, helping them to feel comfortable and avoid mistakes.
  • Standardization: A clear, step-by-step guide to incident response allows teams to respond fully and consistently each time, without having to debate or guess at the proper course of action.
  • Speed: The plan gives responders the confidence to take action immediately, knowing they are following a logical, sequential, and pre-approved process. Fast reactions can reduce the repercussions of an attack.
  • Communication: By establishing responsibilities and actions around internal and external communication, the plan can help improve teamwork and reassure customers, business stakeholders, and employees about the management and resolution of an incident.
  • Compliance: A formal plan helps organizations comply with regulatory requirements for data protection and privacy.
  • Business continuity: Executing an incident response plan can reduce disruptions to business operations that affect productivity, revenues, and customer loyalty.
  • Continuous improvement: Reviewing how the incident was managed and resolved can yield valuable lessons for fine-tuning the plan and preparing for future incidents.

How does an incident response plan improve security?

Creating, implementing, and maintaining an incident response plan can strengthen an organization’s overall security posture and enhance specific aspects of its security strategy. Following are ways that an effective plan adds value:

  • Spotlighting security: The process of building and approving the plan helps to focus the attention of leadership and functional teams on cybersecurity threats. Heightened awareness can encourage greater investment and involvement in threat detection and prevention.
  • Uncovering vulnerabilities: Preparing the plan ideally includes performing an assessment of the security framework. Based on this assessment, the organization can take preventive steps such as ensuring backups are performed consistently, identity and access management (IAM) is up to date, and vulnerabilities are patched quickly.
  • Mitigating threats: An effective plan that targets and prioritizes threats to the organization, its peers, and its industry sector can accelerate incident response and reduce the impacts of an incident. Tailoring the plan in this way helps security teams focus on incidents that truly threaten the organization.
  • Bridging security gaps: Rehearsing and executing the plan and conducting a post-mortem after an incident can reveal gaps in security infrastructure, threat intelligence, and staffing that need to be addressed.
  • Answering questions: Going through the full incident response process helps answer crucial questions, such as which attack vectors and TTPs were used, if the attackers were external or internal, and whether sensitive or proprietary information was stolen or compromised. Determining these answers can help with assessing potential legal, regulatory, or reputational damage.
  • Preparing for future incidents: Knowledge and experience gained from building and refining the plan, following its step-by-step process during an exercise or actual incident, evaluating the results, and addressing issues contribute to a stronger security posture for the future.

How to create an incident response plan

Once an organization has decided to build an incident response plan, the incident response team has a choice: develop a plan from scratch or use one of several templates as the foundation. Templates are available from the National Institute of Standards and Technology (NIST) and TechTarget. Further, the SANS Institute’s model and the U.S. government’s National Cyber Incident Response Plan can be excellent resources.

Many incident response plans comprise the following steps:

  1. Preparation: This phase encompasses establishing the incident response team and defining members’ roles and responsibilities, conducting a risk assessment, identifying vulnerabilities, prioritizing threats, and drafting a communications plan.
  2. Detection & analysis: This phase includes determining when an incident has occurred, conducting an analysis to establish its type and severity, applying prioritization criteria, and documenting all findings.
  3. Containment: Once an incident has been identified, the team must act quickly to minimize damage, such as by taking down production servers or isolating part of the network. Beyond these temporary fixes, the plan should provide for long-term security improvements to the system.
  4. Eradication: Next, the team should determine the root cause of the attack, remove malware and other threats, and fix any vulnerabilities that were exploited during the incident.
  5. Recovery: After the threat has been removed, the team can carefully return affected systems to production, ensuring that they are restored from clean backups. Systems should be monitored to be sure they are working normally.
  6. Lessons learned: In addition to conducting a team meeting to review how the incident was handled, it is important to document all details of the process and implement improvements and changes.

Customization is strongly recommended by most experts to ensure the template addresses the organization’s specific risks, business needs, resources, and regulatory requirements. Tailoring a template calls for consideration of these factors:

  • Regulations, industry standards, and short- and long-term business requirements (such as SLAs) that the organization must comply with. The plan should specify any incident reporting that is mandated by laws or government directives, such as the GDPR.
  • Tools that the organization will need to detect, analyze, and manage threats and create reports and other documentation. For example, automated tools using AI and machine learning can help analysts identify potential incidents more rapidly.
  • Cloud environments, with their shared responsibility models, distributed deployments, and cloud-native security tools that differ from traditional on-premises infrastructure.
  • Resources, including staffing, that are available or must be acquired or outsourced to maintain the plan.

How to manage an incident response plan

An incident response plan cannot remain static in the face of business changes, emerging threats, and lessons learned from previous incidents. To make sure the plan reflects new threat intelligence and organizational requirements, the team should review it at least annually – and ideally, more often than that.

Triggers for initiating a review of the plan include changes to organizational structure, team composition, or IT infrastructure; new or updated security policies and regulations; and changes in the threat landscape.

Another key aspect of plan management is regular testing and training, especially when new staff join the incident response team. Tabletop exercises and other simulations help keep the team familiar and comfortable with their roles and duties, validate the plan’s effectiveness, and reveal issues.
