8 Essential Elements for an Incident Response Plan

In the first blog of our two-part incident response series, we explained how your organization can jump-start its incident response. In this second part, we’ll focus on the essential elements of an incident response plan—a critical factor for any company trying to recover from an incident quickly and confidently.

Why You Need to Plan Ahead to Successfully Respond to Cybersecurity Incidents

 If you’re one of the 64% of mid-sized organizations that have an active incident response plan, now is the perfect time to dust it off and update it. If you’re one of the 36% of organizations that don’t have an incident response plan, you need to add this project to the top of your to-do list.

Many smaller organizations lack formal incident response plans because their IT staff are overextended and too bogged down by day-to-day activities. However, a well-planned and well-documented incident response plan can save you an inordinate amount of time and effort later on. When disaster strikes, a fast and effective response can make all the difference for your employees, customers, and partners. 

In addition, every organization’s response plan will differ slightly based on their needs, so you don’t want to apply a generic plan when things go sideways. To make the process easier, we’ve recapped key elements you need to consider when creating an incident response plan of your own.

Follow Along and Build Your Plan Now

 We’ve recapped the essential elements of a cybersecurity incident response plan below. Before getting started, you might want to review convenient templates that are available to use for free, including this example from the Government of Victoria, Australia, which will allow you to follow along. With any template that you use, remember to tailor the content and sections to align with your organization’s specialized requirements and our best practices below.

8 Essential Elements for an Incident Response Plan

 All eight of these elements can be incorporated into your response plan for cybersecurity incidents, and can even be extended to non-cybersecurity incidents such as office theft or unauthorized physical access.

1. A Mission Statement

As with any business plan, a robust incident response plan needs to accomplish a series of high-level goals. To maximize its effectiveness, start with a mission statement that is:

• Clear, simple, and actionable
• Agreed to by all major stakeholders and inclusive of relevant business units—not just IT
• Practical and flexible, with routine updates as cyberthreats evolve

2. Formal Documentation of Roles and Responsibilities

Your plan should clearly define roles and responsibilities during a potential attack. Primary owners need to be identified and engaged in formalizing these components in advance:

• A single team to lead incident detection and response. At most companies, a dedicated Computer Emergency Response Team (CERT) is empowered to overcome organizational silos and bureaucracy during fast-moving cybersecurity incidents.
• Processes and point people to engage your company’s legal team, executive management, public relations team, and cyber insurance provider.
• Processes to promptly and regularly engage and notify employees, business partners, and customers about potential incidents. Updates can be provided via press conferences, social media, and conference calls. Err on the side of over-communication.
• A system for quick, automated responses to data privacy and cybersecurity regulations like GDPR and the California Consumer Privacy Act (CCPA), if necessary.

After stakeholder participation is confirmed, conduct tabletop exercises to refine and improve your plan.

3. Cyberthreat Preparation Documentation

 Although different organizations utilize different naming conventions, these activities can be captured in a catch-all preparation category. Here, you will document processes currently in place to prevent and respond to cyber-attacks, including:

• Policies on making potential payments to cyber-attackers‍
• A recap of primary cyber-threat vectors likely to impact your organization
• Cybersecurity awareness training, including anti-phishing educational requirements for employees and contractors, and whether users are encouraged to “say something if they see something”
• Incident classification guidelines, including formal company definitions for cybersecurity events, cybersecurity incidents and data breaches. We’ll discuss classification in more detail below.

4. Incident Detection Documentation

You need a proven process to identify potential incidents. Time is of the essence during an active cyber-attack, and minutes or even seconds can make a difference.

Document the following detection procedures in your incident response plan:

• Processes for analyzing alerts generated by security information and event management (SIEM), intrusion detection, and intrusion prevention systems (IDS/IPS)
• Log management procedures to help differentiate between cybersecurity events and cybersecurity incidents
• An established approach for users to report unusual technological activity and social engineering attempts
• A clear, defined incident escalation process that permits the most significant threats to be prioritized and acted upon

5. An Incident Response Threshold Determination

Once your detection process is documented, determine your criteria for when an incident is declared. Define an incident too narrowly and your response to a major attack could be less effective; define an incident too broadly, and you could tie up valuable resources responding to minor incidents.

The U.S. National Institute of Standards and Technology (NIST) has helpful definitions for a cybersecurity event, cybersecurity incident, and (data) breach, while the SANS Institute takes a slightly different approach to differentiating events and incidents. Determine your acceptable level of risk, then use these definitions as guideposts for when to declare a formal incident. From a practical perspective, the decision will also be based on the company’s willingness to invest additional resources to minimize the impact.

Industry compliance and data privacy mandates that apply to your organization often determine whether you would further categorize a security incident as a data breach.

6. Management and Containment Processes 

Once an incident is formally declared, you’ll need processes in place to manage and contain incidents effectively.

Your incident response plan should include the following activities:

• Unplug any Impacted machines from your network.
• Isolate all resources, systems, users, objects, and applications that have been in contact with the incident.
• Set up a war room—with protected communications—to discuss recovery options and keep stakeholders apprised of your progress.
• Interview all impacted groups and users. 
• If your CERT team manages evidence and interviews contacts, incorporate processes to search for evidence, preserve artifacts, and document interview findings. Otherwise, have a forensic partner on retainer to gather evidence and support mitigation and recovery.
• Make a formal decision whether your Business Continuity/ Data Recovery (BCDR) plan also needs to be activated.
• ‍Take notes on paper, so your recovery plans aren’t visible in computer systems to cyber-attackers.
• Put mitigation strategies and “playbooks” in place.

7. Fast, Effective Recovery Plans

Unsurprisingly, many companies devote much of their time and attention on mitigation and detection of threats, but the higher-level focus needs to be on re-establishing business productivity. To do so, you need to:

• Test affected systems before bringing them back into production
• Bring impacted systems back online as quickly as possible
• Announce formal closure of the incident
• Carefully document the procedures that were followed to resolve the issue

8. Post-Incident Review

Once an incident is closed out, it’s time to learn from it. To do so—and to prevent the incident from happening again—you need to:

• Perform a post-incident evaluation to determine the root cause.
• Patch impacted systems.
• Block suspicious URLs that link to malware sites.
• Incorporate an ongoing incident response feedback process.
• Apply lessons from the incident to prevent future attacks.

Learn More

For more information on how to prepare your incident response plan, review the Best Practices for MITRE ATT&CK® Mapping guide and share it with your team. This beneficial technical resource provides guidance on how to map adversaries' behaviors to relevant ATT&CK techniques.

‍