5 Things All The Best Incident Response Plans Include

We are often told that security is a game of when, not if – data breaches and cyber attacks have long since stopped being a roll of the dice and become a ticking clock. Cybercrime is such a lucrative and largely untraceable activity that the cross-hairs do not discriminate.

With this in mind, the best advice that security practitioners can give is not to solely focus on defence, but to also prepare for the worst. Plan for a successful attack, a data breach or the exploitation of a vulnerability; and know what to do next.

This is commonly known as incident response planning, something which has become very prominent in the past five or so years, particularly among large organisations that have a SOC (Security Operations Centre) or that must comply with the various regulations and security standards in existence.

In this blog post we will look at some of the areas which any good incident response plan should include, so that you can ensure you are best prepared for the inevitable.


1. Clear Roles and Responsibilities

During a cyber incident, time is critical, and the worst possible scenario is the inefficient bedlam of your IT team running around with no clear direction. When an incident begins, each member of the responding team should know what their role is and what they are expected to do.

Executing your response in the correct order, by the correct person and at the right time will shorten your response time and deliver the outcome which you have planned for.

This might seem simple, but incident response is often poorly understood, and so in practice the plan is executed only by its author and a few other well-meaning members of the team.


2. Threat Classification

How you deal with an incident is very much dependent on the type of incident being encountered. Your response team will need to know how to prioritise, and which stages to carry out in order to contain and eradicate the threat, based on this classification.

You should risk-assess your IT security posture and classify those attacks which you think are most likely to be encountered or to succeed.


3. Stages of Response

The SANS Institute recommends that all incident response plans detail and follow six key steps for dealing with any incident:

  i. Preparation
  ii. Identification
  iii. Containment
  iv. Eradication
  v. Recovery
  vi. Lessons Learned


4. Escalation and Feedback Times

We all hate working under pressure, let alone adding a clock to the mix.

In any incident, there should be a response team leader who is responsible for keeping track of progress and updating key stakeholders regularly. It is tempting to update management only once the incident has been dealt with, but this is a simplistic view of what the incident means to the organisation as a whole.

Depending on the nature of the incident, the board or other senior leaders might be legally culpable, or they might have mandates to inform and communicate with third parties. For this reason, communication is absolutely critical, even when there is no update to give.


5. The Collection of Evidence

Depending on the nature of the incident, it may be that human resources, law enforcement or a government agency are to be involved.

When proving a case against someone, the proper collection and documentation of evidence is of the highest importance, so that it can withstand scrutiny by the defence of the accused.

Good incident response plans should cover not just how to stop or recover from an incident, but also how to record the evidence, the key stages and the actions taken.
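The recording the post calls for, of evidence, stages and actions, is usually kept as a chain-of-custody log: each artefact is hashed at the moment it is collected, and every later action or integrity check is appended with a timestamp and the name of the person responsible. The following is an added example of such a log and is not code from the original post; the incident id, the analyst names and the single log line used as evidence are constructed placeholders, and the stage names are the six SANS steps listed above.

```python
"""Minimal chain-of-custody record for incident evidence (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The six SANS stages from the post; every logged action is tagged with one.
STAGES = ("Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons Learned")

# Constructed sample evidence content; not taken from any real system.
SAMPLE_CONTENT = b"2024-01-01T00:00:00Z auth failure user=svc-backup src=10.0.0.5\n"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Hash a file in chunks so large images and dumps need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _now() -> str:
    # UTC timestamps avoid ambiguity when teams span time zones.
    return datetime.now(timezone.utc).isoformat()


class IncidentRecord:
    """Append-only record of actions taken and evidence collected for one incident."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: list[dict] = []

    def log_action(self, stage: str, actor: str, description: str) -> dict:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}; expected one of {STAGES}")
        entry = {"type": "action", "time": _now(), "stage": stage,
                 "actor": actor, "description": description}
        self.entries.append(entry)
        return entry

    def collect_evidence(self, path: Path, collector: str,
                         stage: str = "Identification") -> dict:
        """Record who collected which artefact, when, and its SHA-256 at collection."""
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}; expected one of {STAGES}")
        entry = {"type": "evidence", "time": _now(), "stage": stage,
                 "collector": collector, "path": str(path),
                 "size_bytes": path.stat().st_size, "sha256": sha256_of_file(path)}
        self.entries.append(entry)
        return entry

    def verify_evidence(self, path: Path, verifier: str) -> bool:
        """Re-hash the artefact and compare with the digest recorded at collection.

        The outcome is itself appended, so later checks become part of the trail.
        """
        recorded = [e for e in self.entries
                    if e["type"] == "evidence" and e["path"] == str(path)]
        if not recorded:
            raise LookupError(f"no evidence entry for {path}")
        current = sha256_of_file(path)
        ok = current == recorded[0]["sha256"]
        self.entries.append({"type": "verification", "time": _now(), "verifier": verifier,
                             "path": str(path), "sha256": current, "matches": ok})
        return ok

    def to_json(self) -> str:
        return json.dumps({"incident_id": self.incident_id, "entries": self.entries}, indent=2)


def run_demo() -> dict:
    """Collect a constructed artefact, verify it, modify it, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        artefact = Path(tmp) / "auth.log"
        artefact.write_bytes(SAMPLE_CONTENT)
        rec = IncidentRecord("INC-EXAMPLE-001")  # placeholder incident id
        rec.log_action("Identification", "analyst-a", "Alert triaged: repeated auth failures")
        evidence = rec.collect_evidence(artefact, "analyst-a")
        intact = rec.verify_evidence(artefact, "analyst-b")
        artefact.write_bytes(SAMPLE_CONTENT + b"edited\n")  # simulate a post-collection change
        still_intact = rec.verify_evidence(artefact, "analyst-b")
        return {"digest": evidence["sha256"], "intact": intact,
                "intact_after_change": still_intact,
                "entries": len(rec.entries), "json": rec.to_json()}


if __name__ == "__main__":
    print(run_demo()["json"])
```

The record deliberately never deletes or edits an entry: a failed verification is appended next to the original collection entry rather than overwriting it, which is exactly the kind of trail that can be handed to HR, law enforcement or a regulator and scrutinised later. In a real deployment the JSON would be written to storage the response team cannot silently alter.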