Having a cybersecurity incident response plan has never been more important. Effective incident response helps contain the damage of security incidents, which now cost the average small business at least six figures.
With software supply chains getting more complex, attacks affecting more companies, and new threats emerging constantly, it’s only a matter of time before an incident occurs.
A security incident response plan ensures that everyone knows exactly what to do throughout the incident response process. This article explains how these plans work, what they include, and how to create your own.
A well-crafted security incident plan turns what could have been an IT meltdown into a brief disruption. Companies without a plan are rarely so lucky.
$50/MO PER DEVICE
Enterprise Security Built For Small Business
Make cybersecurity simple. Defiance XDR™ is a holistic, turnkey, and fully managed security solution delivered in one affordable subscription plan.
What Is An Incident Response Plan?
An incident response plan describes exactly what to do following the outbreak of a cyber incident to understand the threat, contain the damage, and restore the status quo.
The plan includes many components, from an inventory of all hardware and software to contact information for the incident response team.
Unlike other cybersecurity measures for detecting, blocking, or remediating attacks, security incident plans are not tools or techniques but rather a source of guidance and information to aid recovery.
Understanding The Security Incident Response Lifecycle
One reason that security incident response plans are so important is that the incident response lifecycle includes many different activities, timelines, and stakeholders that all need to be coordinated.
The 5 main stages of the security incident lifecycle include:
- Preparation: The earliest phase of incident response involves preparing for incidents by doing things like cataloging IT assets, assessing security threats, equipping incident response teams, and fine-tuning plans.
- Detection and Analysis: Upon seeing indicators of compromise, the incident response team collects data to understand the type of attack, the method of infiltration, and the potential cyber damage it could cause.
- Containment: Taking steps to prevent the attack from spreading to other systems or affecting additional targets by, for example, disconnecting from networks or quarantining infected assets.
- Eradication and Recovery: Contained attacks need to be eradicated from the system so they don’t cause repeat problems, then all the affected assets need to be restored to the pre-incident state by restoring data backups or re-enabling accounts.
- Post-Event Activity: The lifecycle concludes by reviewing the details of the incident, understanding what went wrong, then making changes to prevent the same incident from happening again.
Types Of Incident Response Plans
Just as important as having a cyber incident response plan is having one that’s suited to the organization. Leading cybersecurity organizations have developed their approaches to incident response. Explore which one makes sense for your organization.
- NIST Incident Response: The lifecycle for the NIST framework joins containment, eradication, and recovery into a single step to expedite and coordinate activities. NIST incident response guidance is widely used and applicable to all.
- SANS Incident Response: The lifecycle for the SANS framework has separate workflows for containment, eradication, and recovery. SANS guidance is more exhaustive than the alternatives, making it appropriate mostly for large or high-risk companies.
- CISA Incident Response: The lifecycle for the CISA framework has separate steps for containment, joins eradication and recovery into one step, and adds a final step around coordinating with the CISA. These guidelines were developed for the public sector.
Some companies may also need data breach response plans that address the unique technical, compliance, and continuity issues that arise when sensitive data is involved in a breach.
Free IT Security Policies
Get a step ahead of your goals with our comprehensive templates.
Free Examples Of Incident Response Plans
Take advantage of these free incident response plan templates, which make it easier to create a plan that checks all the right boxes:
Why You Need An Incident Response Plan
At least 75% of companies are at material risk of cyber attacks, and those numbers are climbing higher as attacks go up in volume, sophistication, and damage. Knowing it’s a matter of when, not if, a cyber incident will happen, companies need to be prepared rather than waiting until the heat of the moment to make crucial decisions.
From ransomware and social engineering to DNS filtering and denial of service, incident response plans are a way to mitigate the risk of all types of security incidents. Ultimately, 100% of companies face unacceptable cyber risks unless they have an incident response plan in place.
While it’s difficult to quantify how much more an attack costs for a company without adequate incident response compared to one with excellent capabilities, one stat stands out:
The median time between compromise and exfiltration was nine days in 2022, but down to two days by 2024, indicating that companies have precious few hours to keep an incident from getting worse.
Is An Incident Response Plan Mandatory?
Requirements to implement incident response plans apply to some but not all organizations. Public sector organizations must have one, as well as some companies in sensitive industries like critical infrastructure.
Cyber insurance policies or business contracts may also have this requirement.
However, even companies that aren’t strictly required to have an incident response plan benefit from implementing one given the high likelihood that every company will eventually be attacked or face a breach.
It may not be a mandatory precaution, but it’s still an essential one.
Incident Response Steps
It’s important to work systematically through incident response procedures without omitting or rushing anything, which a plan helps with. And while every plan and every incident look different, most follow these basic incident response steps:
- Threat Identification: Understanding the nature of the cyber threat, the systems and data that are impacted, and the overall risk to the company.
- Threat Containment: Containing the threat so that it cannot continue moving through the system or cause any further damage.
- Threat Remediation: Removing all traces of the threat from systems, often by taking those systems offline temporarily.
- Recovery and Restoration: Restoring systems back to full strength and fixing any damage the threat caused.
- Review and Realignment: Studying how the incident response went to make changes and improvements.
How To Create An Incident Response Plan Step-By-Step
Much like incident response itself, creating an effective incident response plan involves a careful series of steps. Reference this incident response checklist as your plan develops:
Step 1: Select A Framework
- Look closely at the NIST, SANS, and CISA incident response frameworks.
- Determine which framework aligns with your security needs and business strategy.
- Consider which is most practical given the cyber resources available.
Step 2: Create Security Policies
- Create security incident response policies dictating when/why plans take effect.
- Develop complementary security policies, such as regular data backups.
- Understand how security policies affect incident response efforts.
Pro Tip – Use Templates
- Templates expedite policy creation and ensure complete coverage.
- Rely on cybersecurity policy templates, but always tailor them.
- Do the same with an incident response template.
Step 3: Create An Incident Response Strategy
- Choose goals for incident response – speed, full recovery, etc.
- Develop a strategy to achieve those goals.
- Translate the strategy into a concrete incident response plan.
Step 4: Define Incident Communication Streams
- Organize contact information for all stakeholders, including those outside IT and security.
- Decide when and why to use particular communication channels (phone, Slack, etc.)
- Set expectations for check ins and updates to keep everyone aligned.
Step 5: Establish An Incident Response Documenting System
- Document all incident response activities to keep coordinated and assess results.
- Stipulate where this information goes, what it includes, and who keeps the record.
- Plan to save these documents in case of future lawsuits related to the incident.
Step 6: Select Your Incident Response Tools And Technologies
- Asses what tool(s) it will take to identify more attacks and stop them sooner.
- Look for integrated and automated capabilities.
- Consider using a managed security services provider (MSSP).
Step 7: Incident Response Training
- Provide regular training to keep incident response teams prepared and updated.
- Train the rest of staff how to respond during an attack or breach.
- Plan to review and update training content and methodologies on a set schedule.
Pro Tip – Use Incident Response Managers
- Project strong leadership with an incident response manager.
- Pick someone with extensive incident response experience and proven leadership skills.
- Enlist a Virtual CISO if a suitable candidate isn’t available.
Pro Tip – Create Incident Response Teams
- Choose in advanced who will be involved with incident response.
- Define their roles and responsibilities throughout the response.
- Build a stronger, smarter, faster incident response team over time.
Step 8: Access Control
- Develop access controls with incident response in mind, tying to limit the reach of attacks.
- Consider if/how access controls should change during an incident.
- Ensure the incident response team has access to everything necessary.
Step 9: Identification
- Use indicators of compromise to alert when cyber incidents are in progress.
- Reference threat intelligence feeds for insights.
- Identify the threat accurately to trigger the most appropriate response.
Step 10: Containment
- Determine how to isolate the threat from surrounding systems to prevent further damage.
- Consider what effects containment will have on IT and business continuity.
- Perform forensic analysis on contained attacks to get a complete picture.
Step 11: Eradication
- Outline steps for eradicating threats quickly and completely
- Confirm all traces of the attack have been removed.
- Mitigate the vulnerability that perpetuated the attack.
Step 12: Recovery
- Plan the order and methods for restoring systems post-incident.
- Set metrics and benchmarks to determine if/when recovery is complete.
- Address how to access and restore data backups.
Step 13: Lessons Learned
- Never omit this step as it leads to continuous improvement.
- Explore what worked, what didn’t, and why.
- Create a list of improvements to incident response plans and policies.
When To Test An Incident Response Plan
Cyber threats, offensive and defensive security tools, and tech stack change all the time.
As a result, incident response plans need to be tested for effectiveness and relevance on a regular basis, otherwise, they could prove to have critical gaps and flaws when put into action.
Plan to comprehensively test the plan at least once annually—followed by a period of making changes and updates. Most compliance frameworks recommend an annual cycle, as do many security questionnaires, and it’s a practical length of time to keep pace with changes.
Outline the testing process and schedule in the plan itself.
$50/MO PER DEVICE
Enterprise Security Built For Small Business
Make cybersecurity simple. Defiance XDR™ is a holistic, turnkey, and fully managed security solution delivered in one affordable subscription plan.
How PurpleSec Helps Simplify Incident Response For Small Businesses
For small business, incident response can feel overwhelming. It takes time, tools, and team members along with a 24/7/365 commitment. And if just one element is off, a disastrous data breach could be the result.
PurpleSec helps small businesses excel at incident response by taking the burden off their back. Our managed XDR services, powered by Defiance XDR™, integrate multiple tools for detection and response to extend visibility and automate remediation.
With the PurpleSec team managing that technology, incident response experts are always in the lead.
Get everything you need for incident response for a fraction of what you would spend on traditional managed services. Our mission at PurpleSec is to make enterprise-grade security accessible for those who need it most.
Frequently Asked Questions
How Do You Write A Cybersecurity Incident Response Plan?
Use templates, NIST incident response frameworks, and service providers for help.
What Is The Difference Between An Incident Response Plan And A Playbook?
Playbooks apply to a specific incident rather than ALL incidents like plans.
What’s The Difference Between An Incident Response Plan, A Disaster Recovery Plan, And A Business Continuity Plan?
The first applies to cybersecurity incidents, the second to all disasters (fire, flood, etc.), and the third to any business interruption (COVID, office relocation, etc.).
Article by
Joshua is a diversely-skilled cybersecurity professional with over a decade of cybersecurity experience previously working for the Department of Defense.