What Is an Incident Response Plan and How to Create One

Cyberattacks are nearly inevitable in today’s threat landscape, and preparation is critical to ensure business continuity. Cyberattacks can range from moderate threats to major cybersecurity incidents using sophisticated tactics, malware or a possible data breach. Regardless of the scope or type of incident and the affected systems, having a planned and tested incident response process is critical to preventing further damage and ensuring the continuity of operations for the organization.

Sometimes, an organization may need a full-fledged Computer Security Incident Response Team (CSIRT) to handle this type of action. Regardless of the size or complexity of your incident response plan, existing IT staff and front-line employees will need to know how to handle an attack to ensure business continuity operations. Continue reading to learn more about what an incident response plan is, why it’s important, what to include and how to train your staff to respond to incidents successfully.

An effective incident response (IR) plan is a combination of people, processes and technologies that is documented, tested and trained in the event of a security incident. Incident response plans are designed to prevent data and monetary loss while supporting the restoration of regular business operations.

In some cases, having an incident response plan is required for acquiring digital insurance or achieving regulatory compliance mandates while working with respective parties. Effective incident response planning should include a comprehensive program that coaches your information security and incident response team members, as well as the rest of the organization.

Having an incident response plan is vital to mitigating the impact of security events. There are short-term effects of a security event, such as being locked out of systems or data, and long-term effects, such as loss of trust, law enforcement involvement, fines, loss of business partners, revenue loss, operational disruptions and more.

An independent party, such as an insurer or one of your key technology partners, should verify incident response plans. These parties can provide valuable context specific to your industry vertical and/or technology ecosystem to help you win the day when facing a potential incident. In essence, an incident response plan is a critical component of an organization's cybersecurity posture. Preparing for possible disruptions can be the difference between a minor and a major incident for an organization.

Whether you are newly establishing an incident response plan or redeveloping an existing one, the National Institute of Standards in Technology (NIST) has readily available resources to guide you in designing an incident response plan.

The NIST offers several different models for building an incident response plan:

• Central: A central body, such as a CSIRT, handles the incident response.
• Distributed: Multiple response teams are responsible for a location or affected systems.
• Coordinated: A central team/body conveys response plans to the affected teams.

What model will work best for your business? Answering this fundamental question will help structure the rest of the incident response plan and determine the next steps. Once you choose a model, you can define incident response phases.

There are four incident response phases:

1. Preparation
2. Detection and analysis
3. Containment, eradication and recovery
4. Post-event activity

Each step is essential, but preparation for a potential incident is key. Taking measures to limit the creep of a breach will help you mitigate its effects.

Mitigation Steps

Before communicating that there is an issue, the employee should know how to respond in one of the following ways:

• Power off: Make sure you segment and depower the machine in question, and don’t forget to unplug the ethernet cord. It’s important to note that some information security professionals would argue that powering off the machine is the opposite of what you should do. The truth is that it depends on who is responding to the threat. A trained security professional should not power off the machine, as they have an actual grounding in threat intelligence and may be able to identify the potential incident via the short-term memory on the machine. But your front-line staff shouldn’t have to shoulder that burden of criticality. The best bet is for them to take action to mitigate the spread and prevent further damage.
• Don’t delete: This is the hardest rule to follow because it goes against your instinct. If you delete the file that you believe is malicious, you will delete the trail that allows a forensic investigator to determine the root cause of the incident. This could have massive ramifications with regard to a legal situation like a lawsuit or insurance claim.

Communication Steps

The incident response plan should include a structure of who needs to know about a possible security incident. The front-line responder must know who to inform first and what to do next. Meanwhile, the responding manager communicates with the rest of the employees about the incident, and marketing communicates with customers, shareholders and the public, as needed.

Depending on the nature of the investigation, managers might or might not need to know about it. Most phishing attempts will force the issue, spamming the same illegitimate email message across the entire domain, forcing the need to send a company-wide communication email to inform employees of the incident. Front-line managers should be concerned with their team(s) and their customers in the following ways:

• Manage teams: Front-line managers should understand the situation well enough to give their team marching orders. For example, should their team members continue working? Should they disconnect from Wi-Fi? Should they be turning off their machines? The front-line manager should have these answers readily available.
• Manage customers: If the incident was a phishing attempt, the user's entire address book could have been contacted, and contact information may be vulnerable. Front-line managers should have a template email ready to send out in case of security events.

Your marketing team should have a “break glass in case of emergency” kit ready to go in the event of a cybersecurity incident. It should include the following elements:

• Social media posts: Communicate your knowledge of the issue and your intent to investigate and protect.
• Email to customers: Draft a message that informs your customers and supply chain of the incident.
• Email to employees: Draft a message to send to employees before the mass communication goes out.
• Email to shareholders: If applicable, draft a message to inform shareholders.
• Communications schedule: Create a schedule of how often your team will update and follow up with the customers and supply chain network moving forward.
• Call to action: Set down the call to action and back away. You don’t need your customer base to do anything other than be aware and be vigilant.

Training your team on your organization's security policies is a crucial first step. All employees need to understand how to react the moment an incident occurs.

It is not enough to require staff to sign an employee handbook to avoid future incidents. Employees should understand the types of incidents they could be a target for, such as a phishing attempt. You don’t need everyone in your company to be a security analyst, but you should be able to show them what suspicious behavior outside of company protocol looks like and how to deal with it.

Anyone who handles or manages a system that holds personally identifiable information (PII), including data as simple as contact information records, may need extra attention when you are training your team around incident handling. These files can often be the end game of the threat actor, whether they intend to hold them at ransom or steal them.

Earlier in this article, we defined preparation as the most crucial element of an incident response plan. What exactly does that mean? In many cases, being prepared means being experienced. So, how do you create a cybersecurity breach response experience for your team?

Wargaming could be the solution. Wargaming is one of the most important steps in incident response planning. It sounds intense because it is, but it can be an effective measure to prepare your staff for better incident response. Take your employees, particularly your first responders, through a breach incident exercise—and don’t stop with entry-level employees. An effective wargame exercise also involves the executive suite and multiple departments.

A key component of threat intelligence and risk assessment is organizing a post-incident briefing with your incident response team members after the event has occurred and its aftermath has been uncovered. Following up is vital because employees must know how the breach might have been prevented.

By identifying the root cause of the breach, for instance, through your firewall logs or your security information and event management (SIEM) software, you may be able to automate a response that will prevent the breach in the future.

Post-incident, you will also need to inform your customers, vendors and technology partners of the occurrence to move forward as a community. Maintaining humility is a vital part of incident response. You should assume you will be attacked rather than think you are too strong to be affected. Maintaining humility in your planning, training and communications can mitigate any unforeseen perception hits to your organization.

CompTIA is here to support you throughout your IT career. Get free resources, career advice, and special offers on CompTIA training and certifications!

Looking for more? Check out the entire security awareness training series:

• Multi-Factor Authentication: A Primer for Today’s IT Professional
• What Is Phishing? A Brief Guide to Recognizing and Combating Phishing Attacks
• How To Detect Phishing Attacks
• What Does a Phishing Email Look Like?
• Why You Need a Corporate Acceptable Use Policy
• What Is Network Segmentation and Why Does It Matter?
• How To Create a Strong Password and Password Mistakes To Avoid
• Passwords Are a Pain – But They Are Critical to IT Security