Incident response plans: Examples and templates

With contributions from Colin Belcourt, Monique Bardawil, and Elizabeth MacDougall.

Related

What is incident response preparedness?

The real cost of a data breach in 2024

Threat hunting 101: An essential part of your cyber defence

In the event of a cyber attack on your business, do you have a plan in place to minimize impact and restore normal operations as soon as possible?

That’s what an incident response (IR) plan is for. These documents are designed to give organizations a framework they can follow to accomplish two major things: in a practical sense, IR plans help you prepare for, respond to, and recover from compromised cyber security. But in a broader sense, they help enhance cyber maturity, letting you strengthen your existing defences.

Effective IR planning and preparedness are vital: the longer it takes a company to detect and address a breach, the more costly the breach. When you do detect an attack, how fast you act may mean the difference between continued business and closing your doors permanently.

Of course, building an IR plan for your business may feel challenging. Where do you start, and what do you include?

That’s why we recommend leveraging existing incident response templates from reputable sources. These documents are designed to help your business map out the processes and procedures to handle, analyze, and appropriately respond to cyber incidents.

In this blog, you’ll learn:

• How to use an incident response plan template
• What your incident response plan should include
• Three potential scenarios that require incident response planning and preparedness

What is an incident response plan template?

An incident response plan template is a document designed to help businesses develop their own IR plan and procedures. These templates are often based on existing frameworks, such as the National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide or the SANS Institute’s Incident Handlers Handbook.

NIST divides IR activities into four phases:

1. Preparation — the work an organization does to get ready for incident response, including choosing the right tools and technology and ongoing team training. Other tasks involve:

• Organizational preparation — what are the roles and responsibilities of your team? Who is involved in a leadership capacity versus an operational one? What roles and responsibilities does every team member have?
• Technology — what data will you collect as part of your IR activities? What technology will you use? How will you make sure these tools and this data are available to the team members who need them?
• Planning details — when is the plan activated? What happens when it is activated? Who does what?

2. Detection and analysis — this phase focuses on building processes to ensure your team can accurately spot an attack.

• Detection involves gathering data from IT systems and security tools in an effort to detect signs of compromise.
• During analysis, your team will assess and investigate the collected data to identify abnormal activity.

3. Containment, eradication, and recovery — in this phase, the goal is to minimize the impact of an incident and get your business back to secure operations as soon as possible.

4. Post-event activity — this phase focuses on taking the findings of an incident and applying them to strengthen defences and cyber security capabilities. What did your team learn? Are there areas for improvement?

The SANS Institute’s framework, meanwhile, expands this approach into 6 distinct phases, splitting some of what NIST categorizes as a single set of activities apart and emphasizing their individual importance:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

Regardless of which framework your incident response plan template draws on, they provide a roadmap you can follow to develop your cyber security capabilities.

Why use a framework for IR planning?

IR plan templates help businesses develop effective response capabilities that follow cyber security best practices, no matter what resources they have to work with. Knowing how to get started and what processes you need to follow to deal with an attack isn’t always straightforward.

Small and mid-size businesses (SMBs) frequently lack the resources and expertise of larger enterprises, but they still face the same cyber threats. Put simply, no matter how small your business, you’re still a target, and must understand how to respond to an attack in order to protect critical operations and confidential data.

In response to these challenges, many SMBs leverage third-party cyber expertise to access skills, technology, and information. Using an incident response plan template gives SMBs a way to access that expertise. All those best practices have already been identified and mapped out for you to follow.

What’s more, using an IR plan template may also help you obtain new business contracts or even earn lower cyber insurance rates. These plans help formalize your cyber security policies, giving you a reference you can point to when potential business partners or regulatory bodies want proof that you’re taking necessary precautions to protect data, intellectual property, and operations.

What’s in an incident response plan template?

As mentioned above, most incident response plan templates will follow a common framework with similar elements. The exact steps will vary from business to business based on individual needs and requirements.

Broadly speaking, most IR plans will include the following:

An overview with objectives and scope

Determining the end goal of your IR plan, including specific recovery objectives, can help focus your efforts to better address your company’s immediate and urgent threats. This may include specific statements about the plan’s scope, including exclusions that limit its scope — for example, if you have multiple offices, your IR plan may only focus on a single geographic location, with other plans in place for other locations.

The IR scenarios the plan will address

In some cases, organizations draft multiple IR plans in response to major threats. While this specificity may be helpful, a single document to refer to in the event of an emergency will make it more likely that the individuals responding to the incident will take the right steps.

Producing a single, overall plan, with specific considerations for key scenarios, can be a great way to address these needs. To help get started with these specific scenarios, consider the following three cases:

• Loss of data communications resulting from an attack on your IT network
• Loss of technology resulting from ransomware, malware, or even theft
• Loss of access to confidential data or intellectual property

Incident response roles and responsibilities

In the event of a cyber attack on your network, who will put your plan into action? Determining the key roles on your response team ahead of time and having them rehearse their IR plan will help ensure they can work faster and with more confidence. Be sure to include titles, contact information, and individual responsibilities to minimize uncertainty over who handles what.

Let’s take a quick look at some of the major roles and responsibilities of an incident response team:

• Team lead: the team lead coordinates IR team activities and reports to senior management. They’ll guide and direct IR activities.
• Lead investigator: responsible for conducting the primary investigation into an event and guiding other analysts.
• Investigators and analysts: these team members diligently examine the situation and assess the extent of damage, determine where an attack began, and gather information to aid in and expedite recovery.
• Incident management: these team members work to repair affected systems or restore access to data.
• Communications manager: this individual will head up your company’s communications strategy for both internal stakeholders and external audiences.
• Customer support lead: you should have a team member ready to communicate the impacts of the incident to your customers, regardless of whether or not they are directly affected.
• Legal representation: if an incident develops into criminal charges, having a legal rep on your team to document and maintain a chain of custody is vital.

Of course, not all SMBs will have the resources necessary to fill each of these roles. For example, a legal representative with the cyber security background needed to ensure chain of custody is a highly specialized role that smaller organizations will have difficulty accessing. Partnering with a third party or external breach counsel can help fill the gaps and ensure you’ve got the coverage you need.

A sequence of incident response events

This section will be the meat and potatoes of your incident response plan: the actual sequence of events your team will follow to respond to an active cyber threat. Think of this as a guideline to help you identify the steps you should take to proceed with your response, keeping in mind that not everything will be relevant to your situation.

As we’ve mentioned before, this exact process will vary depending on the nature of the attack and your business. Here’s a sample sequence of events, drawing from both SANS and NIST publications:

Convene

• Bring together those who are aware of the incident
• Engage incident response team members
• Remind all of the responsibility to maintain confidentiality
• Communicate effectively and efficiently

Identification

• Determine whether an incident has occurred and confirm it warrants a response
• Perform triage and ensure a common understanding of how it was detected and who is aware
• Synthesis and analysis:
  • Normalize data to provide context and make information accessible
  • Examine logs and recorded network data, comparing incident data with historical data and applying forensic techniques
  • Identify anomalies, indicators of compromise, and attack techniques
  • Logs from computers, systems, switches, and hardware devices
  • Disk images, if available, for digital forensics documentation
  • Deployed monitoring, including network capture and endpoint APIs
  • What was accessed?
  • How long was it accessed for?
  • What was taken?
  • What actions did the attacker take, and what was the outcome?

  Communication

  • Invoke communications plan respecting need-to-know
  • Ensure reported information is factual, based on the evidence available at the time
  • Ensure a point of contact always knows the incident’s status

  Containment

  • Implement detailed incident response activities
  • Prevent further damage by containing the incident, i.e., isolating the infected machine from the corporate network or disabling a compromised account
  • Determine the source, what vulnerability was exploited and plug the holes
  • Continue impact/damage assessment and confirm the scope of the incident
  • Determine what was changed (e.g. files, connections, processes, accounts, access)
  • Acquire, secure and document evidence and preserve the chain of custody
  • Continue taking notes, ensuring a detailed log about what was found and what you did about it

  Eradication

  • Eradicate the incident
  • Remove all traces of the infection or other incident
  • If more affected hosts are discovered (e.g., new malware infections), ensure to perform the identification steps on the newly identified examples, then contain
  • Ensure the incident cannot re-occur by taking appropriate action, such as applying system patches or carrying out social engineering detection training
  • Further understand the attack vector
  • Continue taking notes, ensuring a detailed log
  • Ensure any compromised machines are removed or formatted before placing them back into service

  Recovery

  • Return affected systems to an operationally ready state and replace those that cannot be repaired
  • Monitor closely to ensure the incident does not re-occur or is not still ongoing
  • Ensure systems are restored from a trusted source
  • Confirm the affected systems are functioning normally
  • Monitor, watch, and observe for a minimum of three months to catch any anomalies that were missed

  Report

  • Hold a “lessons learned” meeting within two weeks of fully recovering from the incident
  • Create a follow-up report, which should include:
    • When the incident occurred
    • How the incident occurred and what happened
    • What caused the compromise
    • Why it occurred
    • The actions taken to restore secure operations
    • Why your organization was targeted and what steps you should take to improve your defences

    Ready to start building your IR plan?

    Building an incident response plan might seem daunting but using an existing template can help you overcome the challenge and focus on the bigger picture without getting lost in the details. It’s always a good idea to leverage existing expertise and frameworks from reputable and governing organizations in your area.

    But if you’re still not sure where to start, we’ve got you covered. Having an actionable response plan in place is the most effective way to lower the costs and impact of a security incident. Field Effect can work with you to develop a customized incident response plan that will help you bounce back from an attack.