Guide to Creating an Effective Incident Response Plan

Andrew Douthwaite

October 9, 2021

Last updated August 19, 2022

Summary:

  • Incident Response Plans (IRPs) are instructions that tell your team how to detect, respond to, and recover from cybersecurity threats.
  • Strong IRPs have 5 phases: Hunt & Alert, Investigate, Remediate, Review, and Repeat.
  • IRPs are living documents that should include a mission statement, roles and responsibilities, likely cybersecurity incidents, and emergency contact info for relevant parties.
  • Your organization’s IRP should include at least one person from your executive team, IT department, legal team, HR department, and public relations team.

It’s always best to take a proactive, rather than a reactive, approach to almost any problem or potential problem. In a world where breaches and other cybersecurity threats and incidents have become commonplace, it is no longer a question of if your organization will be targeted, but when.

To best safeguard your organization’s digital assets and reputation, you need to develop a robust yet flexible incident response plan tailored to your company’s unique needs. A comprehensive plan allows you to respond to incidents quickly and effectively and is crucial for minimizing damage and recovering from an incident.

If you have experienced or are currently experiencing a security incident, please contact our team right away by calling (855) 422-8283 anytime 24/7/365. You should also consider reviewing our guide: Hacked? Here’s What to Know (and What to Do Next).


What is an Incident Response Plan?

At its core, an incident response plan is a set of instructions developed by your team (and likely with assistance from your managed security services provider) that tells your team how to detect, respond to, and recover from a security incident. Though most incident response plans tend to be technologically centered and focus on detecting and addressing problems such as malware, data theft, and service outages, a security incident can have a widespread impact on all of your organization’s usual activities. As such, a good incident response plan will not only provide instructions for your IT department but will also provide guidance and critical information to other departments and stakeholders, such as:

  • Human resources
  • Finance
  • Customer service
  • Employees
  • Your legal team
  • Your insurance provider
  • Regulators
  • Suppliers
  • Partners
  • Local Authorities

If not handled correctly, a security incident can also tarnish your reputation and damage your relationship with your clients, sometimes irreparably.


The 5 Phases of an Incident Response Plan

While NIST has published a guide outlining how to handle computer security incidents (SP 800-61, the Computer Security Incident Handling Guide), these general guidelines only offer a starting point. For maximum efficacy, your organization’s incident response plan needs to be both specific and actionable and clearly specify who needs to do what and when. All key stakeholders need to be involved in the plan development process and kept up to date on any changes made to the plan.

Though your plan will need to be tailored to meet your organization’s unique cybersecurity needs, all VirtualArmour Cybersecurity Incident Response Plans follow the same basic five-phase format: Hunt & Alert, Investigate, Remediate, Review, and Repeat.

Phase 1: Hunt & Alert

The only way you can respond to a threat is if you know it is there. All organizations should take a proactive, rather than a reactive, approach to their cybersecurity. This includes actively hunting for potential security threats and reviewing your security protocols frequently to ensure they are continuing to meet your organization’s needs. 

To hunt for security threats, monitor inbound mail to company addresses for phishing indicators (spoofed or lookalike sender domains, failed SPF/DKIM/DMARC checks, Reply-To addresses that differ from the sender, pressure language such as "urgent" or "your account will be suspended") and invest in security tools that will alert you to suspicious activity on endpoints, identities, and the network. An alert is only useful if someone is on the hook to act on it, so every alerting source needs a named owner and an escalation path.
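As an added illustration of the kind of alerting logic this phase relies on (example code written for this article, not VirtualArmour's tooling), the script below scores constructed e-mail samples on the phishing indicators just listed and decides whether the message is worth paging a responder about. The internal domain, the indicator weights, the alert threshold and both sample messages are assumptions; the weights are deliberately arranged so that a single weak signal (one "urgent" in an otherwise clean message) does not fire.

```python
"""Phishing-indicator triage over constructed e-mail samples.

Added example, not VirtualArmour's code. Scores a message on a few common
phishing signals so the hunt-and-alert step has something concrete to page
the on-call responder about. INTERNAL_DOMAIN, WEIGHTS, ALERT_THRESHOLD and
the two sample messages are assumptions made for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domain.
INTERNAL_DOMAIN = "example.com"

# Assumed indicator weights; tune against your own mail flow.
WEIGHTS = {
    "reply_to_mismatch": 3,   # Reply-To domain differs from the From domain
    "display_name_spoof": 3,  # display name shows an internal address, real sender is external
    "auth_fail": 4,           # SPF/DKIM/DMARC failure recorded by the receiving MX
    "lookalike_domain": 3,    # From domain is one edit away from the internal domain
    "urgency_language": 1,    # social-engineering pressure words (weak on its own)
}
ALERT_THRESHOLD = 4

URGENCY = re.compile(r"\b(urgent|immediately|account (will be )?suspended|verify your)\b")
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=fail\b")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch examp1e.com-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, indicator names) for one RFC 822 message string."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_to)
    hits = []
    if reply_to and reply_dom != from_dom:
        hits.append("reply_to_mismatch")
    if from_dom != INTERNAL_DOMAIN and "@" + INTERNAL_DOMAIN in name.lower():
        hits.append("display_name_spoof")
    if AUTH_FAIL.search(msg.get("Authentication-Results", "").lower()):
        hits.append("auth_fail")
    if from_dom != INTERNAL_DOMAIN and _edit_distance(from_dom, INTERNAL_DOMAIN) == 1:
        hits.append("lookalike_domain")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    if URGENCY.search(text):
        hits.append("urgency_language")
    return sum(WEIGHTS[h] for h in hits), hits


def should_alert(raw: str) -> bool:
    return score_message(raw)[0] >= ALERT_THRESHOLD


# Constructed sample: lookalike domain, spoofed display name, failed auth, urgency.
PHISH_SAMPLE = """From: "IT Helpdesk (helpdesk@example.com)" <helpdesk@examp1e.com>
Reply-To: collect@mailbox-recover.invalid
To: staff@example.com
Subject: URGENT: verify your direct deposit
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail

Your account will be suspended unless you verify your details immediately.
"""

# Constructed sample: internal sender, passing auth, one weak "urgent" only.
LEGIT_SAMPLE = """From: "Alice Smith" <alice.smith@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass

Are you free for lunch on Thursday? Nothing urgent.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, hits = score_message(sample)
        print(f"{label}: score={score} alert={should_alert(sample)} hits={hits}")
```

The point of the weighting is that the page to the responder should carry the evidence (which indicators fired, with the raw header values) rather than just a verdict, so the analyst deciding whether the threat is credible can do so from the alert alone.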

Should any suspicious activities be detected, you need to have a process in place to ensure your internal security team or MSSP is made aware of the issue so they can help you determine if the threat is credible. Should you discover a threat during this preliminary phase, you also need protocols in place to: 

  • Assess how serious the threat is
  • Determine whether a breach is imminent
  • Activate your security incident response plan (including alerting all internal and external stakeholders)
  • Allocate resources (including pulling employees away from regular tasks to deal with the threat)
  • Address the threat (ideally before any significant damage has been done)

Why You Should Consider Pen Testing

An excellent way to identify gaps in your security before they can be used against you is pen (penetration) testing. Pen testing involves engaging an ethical hacker, under a written scope and agreed rules of engagement, to attack your network and other IT infrastructure and look for gaps in your defenses that could be exploited.

As the tester stress tests your cybersecurity, they note any flaws they managed to exploit to gain entry to your systems so that you can address these shortcomings and shore up your defenses. Once the test is complete, the ethical hacker reviews their findings with you and offers recommendations to improve your security. Essentially, by hiring a good guy to look for deficiencies in your current security posture, you can address those issues before the bad guys discover and exploit them.

Phase 2: Investigate

During an incident, your top priority needs to be containing the threat and minimizing damage: isolate affected hosts and accounts, establish the scope of the compromise (which systems, credentials, and data were touched, and how the attacker got in), and preserve logs and volatile data such as memory before anything is wiped or rebuilt, since evidence destroyed during containment cannot be recovered later. Once the threat has been dealt with, review both the threat and your response to help ensure the same threat cannot be used against you again.

Phase 3: Remediate

Once you have contained and eliminated the threat, it is time to begin cleaning up the mess. Your recovery and remediation process should include notifying all appropriate external entities (including your customers, relevant regulators, and potentially impacted third parties such as suppliers); notification deadlines are often set by regulation or contract, so coordinate timing and wording with your legal team. Impacted external entities should be told the nature of the incident (ransomware attack, DDoS attack, etc.) and the extent of the damage as it is currently understood, with updates as the investigation firms up.

The remediation process also needs to involve gathering evidence so that it can be reviewed by your security team, your MSSP, and regulators, as well as law enforcement (if appropriate). Hash each collected artifact at acquisition time and record who collected it and when, so that you can later show that the copy handed to an investigator is unchanged. Once you have all the evidence, you will need to perform a root cause analysis to identify the underlying weakness, determine what steps need to be taken to address it, and ensure a similar incident can’t happen again.

The remediation process may also involve:

  • Replacing damaged or compromised equipment
  • Restoring systems from backups
  • Addressing any vulnerabilities the attacker was able to exploit
  • Updating your security controls (rotating any passwords, keys, and tokens the attacker may have accessed, installing security patches, etc.)
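The evidence-handling step above is easy to get wrong under pressure, so here is an added example (written for this article, not VirtualArmour's code) of the minimum a collection script should do: hash every collected artifact once at acquisition time, record who collected it and when, and let anyone later prove that the set handed to an MSSP, regulator or law enforcement is unchanged. The evidence directory, file names, log line, case identifier and collector label are all constructed for the demonstration.

```python
"""Evidence integrity manifest for incident artefacts.

Added example, not VirtualArmour's code. Builds a SHA-256 manifest over a
directory of collected evidence and re-verifies it later, reporting files
that were modified, removed or added after collection. Directory layout,
file contents, case_id and collector below are assumptions.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte memory images do not get loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, collector: str, case_id: str) -> dict:
    """Hash every regular file under `root`; paths are stored relative to root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    # Digest of the file table; record this value out of band (ticket,
    # signed e-mail) so a later edit to the manifest itself is detectable.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(entries, sort_keys=True).encode()).hexdigest()
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list[str]:
    """Return a sorted list of discrepancies; an empty list means intact."""
    problems = []
    listed = manifest["files"]
    for rel, meta in listed.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in listed and p.name != MANIFEST_NAME:
            problems.append(f"unlisted: {rel}")
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Constructed evidence set: verify clean, then after someone 'tidies up'."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample artefacts (an auth log line and a dummy memory image).
        (root / "auth.log").write_text(
            "Mar  4 02:11:07 ws17 sshd[913]: Accepted password for svc_backup from 198.51.100.7 port 51822\n")
        (root / "mem").mkdir()
        (root / "mem" / "ws17.raw").write_bytes(b"\x00" * 4096)

        manifest = build_manifest(root, collector="analyst1", case_id="IR-0001")
        (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(root, manifest)

        # Post-collection tampering: log truncated, a new note dropped in.
        (root / "auth.log").write_text("")
        (root / "notes.txt").write_text("added after collection")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("tampered:", after)
```

Run it against a real collection directory by calling `build_manifest` right after acquisition and `verify_manifest` whenever the set changes hands; the manifest digest goes into the case ticket at collection time so that the manifest file itself cannot be quietly rewritten.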

Phase 4: Review

If you are targeted, one of the best things you can do to best safeguard your organization going forward is to learn from what transpired. As part of your review process, make sure you gather all internal and external team members involved and discuss your response to the incident and identify any shortcomings or oversights that need to be addressed.

As part of this phase of the incident response plan, the VirtualArmour team will help you assess your current incident response plan and offer suggestions for improvements. 

Practice Makes Perfect: The Benefits of Tabletop Exercises

As part of your ongoing security training, you should consider running tabletop exercises with your security team as well as all internal and external team members that are involved in responding to security incidents. 

Tabletop exercises work like fire drills, presenting your team with a hypothetical security incident and allowing them to practice responding in a no-stakes environment. Not only do tabletop exercises give your team valuable practice before an incident occurs, but they also allow your organization to assess the efficacy of your current incident response plan so that any shortcomings or other problems can be addressed before an incident occurs.

Phase 5: Repeat

Just because your team managed to identify and effectively respond to a security incident doesn’t mean your organization is safe forever. Constant vigilance is required to ensure your team is always ready to respond to threats, regardless of what attackers throw at you.

Does My Organization Need an Incident Response Plan?

All organizations, regardless of size or vertical, need to have an incident response plan in place. 

When Should My Organization Begin Developing Our Incident Response Plan?

Because you will never know when disaster will strike, you should begin developing your incident response plan as soon as possible. If you aren’t sure where to begin, we suggest you get started by:

  1. Review the NIST guidelines (SP 800-61).
  2. Create the living document your plan will reside in and meet with stakeholders to begin fleshing it out. This document should include:
    1. Your incident response mission statement: The job of this section is to outline why you need an incident response plan.
    2. Roles and responsibilities: Explicitly name who is involved in the incident response plan, why they are involved, and their role should an incident occur.
    3. Incidents you are likely to encounter: This section will outline what types of incidents your organization is likely to encounter (ransomware attacks, DDoS attacks, etc.) and how you will respond to them.
    4. Emergency contact details for all relevant parties: This includes both members of the incident response team and regulators. You may also want to consider including contact information for local law enforcement here as well. 

Assembling Your Team: Who Needs to Be Involved While Developing & Actioning Your Incident Response Plan

Who is involved in developing and actioning your incident response plan will vary depending on your organization’s specific needs. However, all organizations should include at least one person from each of the following stakeholder groups.

Your Executive Team

At least one C-suite executive (ideally your CTO) or a similarly ranked decision-maker should be included. This is not only vital to ensure your executive team is kept in the loop but can make it easier to secure resources quickly should an incident occur. 

Your IT Department

Your internal IT department will be integrally involved in any response, so it is vital that they are given a seat at the table. You need to make sure you have a good relationship with your networking team, database team, and developers, though whether you wish to include representatives from these sub-groups will depend on the size and structure of your organization. You should also strongly consider working with your MSSP during the development phase since they will be able to offer valuable insights and approaches you may not have considered.

You should also consider engaging with your hosting providers and service providers, though this may simply involve sharing your finalized plan with them and informing them of any changes, so they are up to date if an incident occurs.

Your Legal Team

Security incidents can become a legal nightmare, so your legal team or company lawyer must be included. During the incident response plan development process, you will need to make decisions regarding what is reported and to whom. Your incident responders should be chosen for their technical skills, not their legal skills, so your legal team must be intimately involved in the development process.

Human Resources

Many security incidents occur because of users (such as an employee falling for a phishing scam), so having a member of your human resources team at the table is critical. Your incident response team needs to be able to handle user-caused incidents delicately and respectfully and ensure your response plan complies with all relevant laws from a human resource perspective. HR can help ensure compliance and should be involved in the incident response plan development process. If an incident occurs, they should also be pulled in on an as-needed basis. 

Your Public Relations Team

Security incidents can quickly become public knowledge, whether you are ready to share the details or not. Like your HR team, your PR team should be kept in the loop during an incident, but their expertise is particularly invaluable during the remediation phase.

Looking for Guidance or Advice? VirtualArmour is Here to Help

Creating an incident response plan from scratch may seem like a daunting task. So much rides on having a robust plan in place that is flexible enough to be quickly updated to ensure your organizations’ evolving needs are met. Many small and medium-sized organizations do not have the bandwidth or expertise to develop a good incident response plan on their own. That is where MSSPs like VirtualArmour come in. 

Our team of security experts has extensive experience working with organizations of all sizes in a variety of verticals, including healthcare, financial services, retail, energy, and service providers. For more information about the importance of having a security incident response plan, or to begin work on your own plan, please contact our team today.
