Explained: Security Incident Response Plan

When there’s a cybersecurity breach, you need to act quickly. You need the right people and the right plan to mitigate the threat and any damage. A security incident response plan will help guide you through a formal investigation and remediation process.

When there’s a significant cybersecurity incident, you don’t want to have to rely on notes or your memory to remember what to do. Attacks can cause customer, proprietary, and other sensitive data to be compromised. You need to respond quickly to fix the problem.

What Is a Security Incident?

One of the first things you’ll need to do in your organization is to define what a security incident is. While it may vary depending on your data and organization, the National Institute of Standards and Technology (NIST) provides several examples of incidents, such as:

  • A botnet sends a significant volume of connection requests, resulting in a distributed denial of service (DDoS) and preventing users from accessing systems
  • Phishing schemes or malware embedded into documents
  • Ransomware attack
  • System entry by unauthorized users leading to exposure of sensitive information

For nearly every organization, it’s not a matter of if you will have a cybersecurity incident, but when. Cybercrime will cost businesses some $6 trillion in 2021.

Incidents are not limited to cybercrime, however. Service outages and system failures are damaging to operations as well. IT teams need a plan for business continuity and data recovery for any incident that occurs.

What Is a Security Incident Response Plan?

Your security incident response plan will contain assignments and steps for how your organization will respond to an incident. It should cover everything you need to do to contain the incident and restore operations.

Many organizations, including NIST and the SANS Institute, publish formal frameworks for security incident response planning.

So, what should be included in your security incident response plan? Let’s break it down step by step.

What Should Be Included in a Security Incident Response Plan?

Your security incident response plan should provide a comprehensive document so that everyone knows what they need to do in case of an incident.

You should begin by doing a network assessment.

  • Identify network architecture, connections, and storage
  • Identify mission-critical components
  • Reduce single points of failure by adding redundancy and failover capacity where it is missing
  • Create a workforce continuity plan to enable continued operations in case of an incident

Roles and Responsibilities

In case of an incident, everyone needs to know their role and responsibilities.

Your security incident response plan will likely include both internal and external team members across departments. These are the people who make up your Cyber Incident Response Team (CIRT). For example, you need to answer these questions:

  • Who will be the point person for managing the incident?
  • What internal or external tech personnel are needed?
  • Who will handle documentation?
  • Who will communicate with the staff?
  • Who will communicate with customers (if required)?

You will want to define roles and responsibilities, including communication pathways and protocols.

Incident Communication Protocols

Communications will include both internal and external resources.

Depending on your industry, you may be required to notify government agencies or customers within a prescribed period. You will want to document those requirements and assign responsibility for them, as failing to report some incidents can lead to significant fines and penalties.

There are state, federal, and international laws that have compliance requirements. In the US, for example, all 50 states have regulations on top of federal regulations. The EU’s GDPR and California’s CCPA have some of the most stringent requirements. HIPAA, SOC 2, and other regulations may also apply in certain circumstances.

You may find the American Institute of Certified Public Accountants (AICPA) template for responding to a breach of personal information helpful.

You should also have information readily available to contact insurance carriers, legal counsel, and law enforcement if needed.

Response Procedures

Incident types should be identified and prioritized.

For example, a workstation that becomes inoperable will need attention but is a minor incident. An on-prem server failure or inability to connect to a cloud server might be a moderate incident (depending on your failover and backup capabilities). A cyberattack or network intrusion with malicious intent would be a high priority.

The level of your response is determined by the priority you assign to each incident type.

Determination and Analysis

Once an incident occurs, teams must quickly detect the deviation and assess the scope of system impact. Once a threat rises to the level that it requires immediate intervention, the CIRT should be notified.

Threats should be identified to find the initial compromised device and analyze whether the threat has spread through the network. If an incident can be isolated quickly, remedial action can be taken right away.

A Step-by-Step Guide for Implementing a Security Incident Response Plan

Your security incident response plan should include these seven steps.

  1. Contain the incident
    Isolate any compromised devices from the rest of the network to try to stop the threat
  2. Mitigate any ongoing incident
    Identify unique indicators of compromise (IOCs) so that you can search your entire IT estate to find any further evidence of compromise
  3. End the threat posed by the incident
    Once an incident has been contained and is no longer spreading, eradication can begin. Depending on the incident, this could mean disarming and removing malware, disabling accounts that have been compromised, patching devices, and other measures.
  4. Restore operations
    The next step is restoring operations. In the short term, this may mean having alternate ways for employees to access information, such as remote sites or cloud backups. Long-term, the goal is to get your organization back up to full speed with normal services.
  5. Remediate issues that may have led to the incident
    Once things are back to normal, an analysis should occur to identify issues that allowed the incident to occur. The first step is to plug the hole, so a repeated incident doesn’t occur — even if the patch is only temporary.
  6. Postmortem review of the incident including root cause analysis
    Your Post Incident Review (PIR) should focus on root cause analysis with an eye towards a more permanent solution.
  7. Overall plan effectiveness evaluation
    The last step in the security incident response plan is to assess how well your organization executed the plan. Scenarios and penetration tests are great, but you will get your best information when an incident occurs. Discuss what worked, what didn’t, and where your plan falls short. Then make the necessary changes for a better response next time.
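Steps 1 and 2 above depend on turning what you learned from the first compromised device into a search across the rest of the estate. The following Python script is an added example, not code from the original article or from NIST or SANS: it takes a small set of indicators of compromise (a file hash, a command-and-control domain and an IP address, all constructed for illustration), sweeps a handful of constructed log lines in a simple `host | source | message` layout, and produces a containment worklist ordered by how many distinct indicators each host matched. The log layout, the field names (`sha256=`, `name=`) and the hosts are assumptions; in practice the indicators come from your analysis of the first compromised device and the logs come from your SIEM or endpoint agents.

```python
import re
from collections import defaultdict

# Constructed indicators of compromise, as they might be pulled from the
# first compromised workstation. The hash is the SHA-256 of the string "test",
# used here only as a syntactically valid placeholder.
IOCS = {
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "domain": {"updates.example-cdn.invalid"},
    "ip": {"203.0.113.45"},
}

# Constructed sample logs in an assumed "host | source | message" layout.
SAMPLE_LOGS = """\
ws-017 | edr   | process_start exe=C:\\Users\\a\\AppData\\Roaming\\svc.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
ws-017 | dns   | query name=updates.example-cdn.invalid type=A
ws-042 | proxy | CONNECT 203.0.113.45:443 user=jdoe
ws-042 | edr   | process_start exe=C:\\Windows\\System32\\notepad.exe sha256=...
srv-db-01 | dns | query name=time.windows.com type=A
ws-099 | dns   | query name=updates.example-cdn.invalid type=A
"""

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"name=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_observables(message):
    """Pull SHA-256 hashes, queried domain names and IPv4 addresses out of one log message."""
    return {
        "sha256": set(HASH_RE.findall(message.lower())),
        "domain": {d.lower() for d in DOMAIN_RE.findall(message)},
        "ip": set(IP_RE.findall(message)),
    }


def sweep(log_text, iocs):
    """Return {host: {(ioc_type, value), ...}} for every host whose logs contain a known IOC."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _source, message = (part.strip() for part in line.split("|", 2))
        observed = extract_observables(message)
        for ioc_type, known_values in iocs.items():
            # Set intersection: only values that are both known-bad and present in this line.
            for value in known_values & observed[ioc_type]:
                hits[host].add((ioc_type, value))
    return dict(hits)


def containment_worklist(hits):
    """Order hosts for isolation: most distinct IOC matches first, ties broken by host name."""
    return sorted(hits, key=lambda host: (-len(hits[host]), host))


if __name__ == "__main__":
    matches = sweep(SAMPLE_LOGS, IOCS)
    for host in containment_worklist(matches):
        print(host, sorted(matches[host]))
```

With the sample data, `ws-017` matched two indicators (the hash and the domain) and goes to the top of the worklist, while `ws-042` (the C2 address) and `ws-099` (the domain only) follow; `srv-db-01` matched nothing and stays off the list. A host that matches several indicator types is strong evidence of compromise, whereas a single DNS query may be worth a closer look before isolation, which is why the worklist carries the matched indicators rather than a bare host name.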

As you can see, your security incident response plan playbook is not a static document. When an incident occurs, it’s time to update your plan. When you add additional network resources, change cloud providers, or add third-party connections, you need to update your plan.