How to Create an Effective Incident Response Plan
Introduction
An organization’s incident response plan (IRP) should be their first line of defense against attacks and threats. IRPs are manuals that describe how organizations detect and limit the impact of security incidents. They list the different actors within the organization who have specific responsibilities, and provide a series of instructions to determine the scope of the risk, response options and communication protocols. Ultimately, the IRP goal is to reduce the chances of a similar security incident occurring in the future.
In the domain of IT security, IRPs will address data breaches, denial of service/distributed denial of service attacks, firewall breaches, virus/malware outbreaks or insider threats. Two significant possibilities can occur if an organization does not have an appropriate IRP: (1) It may not detect an attack in the first place; (2) It may not respond correctly to contain the attack and recover sufficiently.
Learn Incident Response
What Are the Benefits of an Incident Response Plan?
Incident response plans help organizations detect security threats and limit the impact of security incidents, while accelerating incident recovery. Other benefits include:
- Agility: Once the organization’s security personnel know their responsibilities, they can immediately react to any threat by following the protocols in the IRP
- Damage limitation: Early detection and reaction means a better chance of restraining the attack, and stopping an incident from becoming an outage
- Communication: Poor communication leads to misinformation, which can be as damaging to an organization as the attack itself; clear communication channels and a centralized point of contact mean internal and external stakeholders receive appropriate information at the right time
- Prioritization: Not all security threats are equal and an organization’s IRP should list different sets of instructions that are matched to the seriousness of the threat
- Investigation: If an incident does occur, the subsequent investigative costs will be lowered by an IRP which should help identify the source of the attack and implement additional security measures
- Compliance: If an attack occurs, industry regulators and/or law enforcers may request access to an organization’s data records; if the organization cannot supply these due to not having an IRP in place, financial penalties may be imposed
Creating an Incident Response Plan: 5 Key Considerations
- Link to business operations
An IRP is a security manual. And like many manuals, some organizations will allow it gather dust on a shelf. This creates false assurance and is worse than having no IRP in place. Thus, the first stage of creating a useable IRP is to ask what role information security plays in your organization. Match business needs and operational risk to information security, and allow this to inform your IRP.
People who will own the IRP and respond to incidents need to take control of the process. As well as security teams, various other functions will be involved, including operational and communication managers.
While each incidence of attack or threat will be different, comparable key performance indicators (KPIs) will measure the success, or weaknesses, of the IRP. Sample KPIs include: time to detect and false positives.
The team responsible for the IRP will need tools and resources to function properly. These can include detection software, secure communication lines, training for personnel and access to external security resources.
Simulate a breach. Implement the IRP. Assess its performance. Repeat. Attacks and threats constantly evolve and therefore, the IRP should be tested and updated at regular intervals to ensure it does not gather dust!
The Six Main Components of an Incident Response Plan
To assist in creating a tailored IRP, organizations should be aware of the six standard steps involved in incident response. While the emphasis on each step will vary for different incidents, these six steps will form the backbone of any response.
- Preparation: This stage contains various sub-stages covering organizational policies and practices; response strategy; communication; documentation; personnel; access control; and, training/tools.
- Detection: The attack or attempted attack must be identified by checking various sources such as log files, error messages, firewalls and other intrusion detection systems. This should reveal the type and severity of the attack.
- Containment: This stage can be broken into three sub-stages:
- Short-term containment: Act as fast as possible to limit damage (e.g., isolate infected network node)
- System backup: Capture forensic image of affected system for later analysis and/or evidence
- Long-term containment: Repair the damaged system to operational state while rebuilding a clean system in next stage
- Eradication: Resolve the issue and remove any malicious elements; this may involve reimaging of system drives to prevent reinfection and upgrading of security measures (e.g., patches to fix vulnerabilities).
- Recovery: Bring affected systems carefully back into full production, ensuring sufficient testing, monitoring and validation at each stage; the system may still be vulnerable and avoiding aftershocks is critical.
- Lessons learned: Complete any outstanding documentation and file a report with any other information that may be useful for analysis. Details should include a timeline of what occurred, what measures were taken, areas for improvement and what personnel need to be informed of any changes to security protocols.
Sources
Computer Security Incident Response Plan, Carnegie Mellon
Incident Response Plan, TechTarget
5 Benefits of Having a Proactive Incident Response Plan, GarlandHeart
Notification of a personal data breach to the supervisory authority, InterSoft Consulting
10 steps for a successful incident response plan, CSO
How To Plan For Security Incident Response, Forbes
Incident Handler's Handbook, SANS
Learn Incident Response
Incident Response
Build your skills responding to each phase of an incident, and get a technical deep dive of the tools and techniques used. What you'll learn:- IR phases and stages
- IR tools and techniques
- Conducting memory, network and host forensics
- And more
In this Series
- How to Create an Effective Incident Response Plan
- Disaster recovery: What's missing in your cyber emergency response?
- How will zero trust change the incident response process?
- How to build a proactive incident response plan
- Sparrow.ps1: Free Azure/Microsoft 365 incident response tool
- Uncovering and remediating malicious activity: From discovery to incident handling
- DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know
- When and how to report a breach: Data breach reporting best practices
- Cyber Work Podcast recap: What does a military forensics and incident responder do?
- Top 8 cybersecurity books for incident responders in 2020
- Digital forensics and incident response: Is it the career for you?
- 2020 NIST ransomware recovery guide: What you need to know
- Network traffic analysis for IR: Data exfiltration
- Network traffic analysis for IR: Basic protocols in networking
- Network traffic analysis for IR: Introduction to networking
- Network Traffic Analysis for IR — Discovering RATs
- Network traffic analysis for IR: Analyzing IoT attacks
- Network traffic analysis for IR: TFTP with Wireshark
- Network traffic analysis for IR: SSH protocol with Wireshark
- Network traffic analysis for IR: Analyzing DDoS attacks
- Wireshark for incident response 101
- Network traffic analysis for IR: UDP with Wireshark
- Network traffic analysis for IR: TCP protocol with Wireshark
- Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark
- ICMP protocol with Wireshark
- Cyber Work with Infosec: How to become an incident responder
- Simple Mail Transfer Protocol (SMTP) with Wireshark
- Internet Relay Chat (IRC) protocol with Wireshark
- Hypertext transfer protocol (HTTP) with Wireshark
- Network traffic analysis for IR: FTP protocol with Wireshark
- Infosec skills - Network traffic analysis for IR: DNS protocol with Wireshark
- Network traffic analysis for IR: Data collection and monitoring
- Network traffic analysis for Incident Response (IR): TLS decryption
- Network traffic analysis for IR: Address resolution protocol (ARP) with Wireshark
- Network traffic analysis for IR: Alternatives to Wireshark
- Network traffic analysis for IR: Statistical analysis
- Network traffic analysis for incident response (IR): What incident responders should know about networking
- Network traffic analysis for IR: Event-based analysis
- Network traffic analysis for IR: Connection analysis
- Network traffic analysis for IR: Data analysis for incident response
- Network traffic analysis for IR: Network mapping for incident response
- Network traffic analysis for IR: Analyzing fileless malware
- Network traffic analysis for IR: Credential capture
- Network traffic analysis for IR: Content deobfuscation
- Traffic analysis for incident response (IR): How to use Wireshark for traffic analysis
- Network traffic analysis for IR: Threat intelligence collection and analysis
- Network traffic analysis for incident response
- Creating your personal incident response plan
- Security Orchestration, Automation and Response (SOAR)
- Top six SIEM use cases
- Expert Tips on Incident Response Planning & Communication
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Incident response
Disaster recovery: What's missing in your cyber emergency response?
Incident response
Incident response
Incident response
Sparrow.ps1: Free Azure/Microsoft 365 incident response tool