Having a cybersecurity incident response plan is essential for any organization that wants to be prepared for a security incident. By being prepared for an incident, your organisation is able to align and respond quickly if and when one happens.

In the last blog, we talked about what an Incident Response Plan (IRP) is, and how it can help inspire confidence to customers and partners. In this post, we’ll be sharing more about the elements within an IRP to help you get started on crafting your own.

The NIST and SANS Incident Frameworks

In your search for an IRP, you might have come across the National Institute of Standards and Technology (NIST) and SANS Institute frameworks that you can use to build your own incident response process. Both frameworks are very similar except when it comes to Containment, Eradication and Recovery; NIST views them as one step with multiple components while SANS views each step as independent phases of the framework.

One thing to note about both frameworks is that they are cyclical processes, meaning that incident response handling does not end at Post-Incident Activity/Lessons Learned. The incident response plan should be reviewed and updated after an organization experiences a cyberattack.

Here are the key points within each framework:

NIST Framework:

1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity

SANS Framework:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Elements of an IRP

Based on the NIST framework, we’ll delve deeper into each element of an incident response plan, and help scope out the individual sections. As mentioned in the previous blog, an IRP is a documented list of instructions or procedures for your organization to detect, respond and recover from cybersecurity threats.

Here is a list of what could be included in an IRP:

• Purpose and Scope
• Roles, Responsibilities and Contact Information
• Incident Response Criteria
• Incident Response Process Overview
• Process Flow of Incident Response Handling

Purpose and Scope

The first thing that you need to detail out in an incident response plan would be the purpose. This depends on your organisation’s security needs and mission statement.

The second thing would be the scope. Who are the parties affected by this incident response plan? Usually, it would involve any individual that performs work on behalf of your organisation including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners, and vendors.

Roles, Responsibilities and Contact Information

Roles and responsibilities of your incident response team should be documented clearly in your IRP. Your incident response team (IRT) will consist of individuals from all sorts of departments — IT, security, legal, communications, and any other relevant personnel/departments that are required.

To give you an example of the functions of the different roles:

• Incident response managers would be the ones to decide on the appropriate response plan during a cyberattack.
• Security analysts would have to detect any suspicious activity in your organisation’s IT landscape, review security logs, and conduct an investigation into the attack.
• Communication teams would be informing the affected stakeholders regarding the cyber incident once confirmed.

At the same time, you can also provide the contact information of the different teams involved for easy reference. Do put this information somewhere in the document that is accessible, preferably at the front, where it would be easy for the user to access the information.

Incident Response Criteria

One thing that would be useful to make clear in the IRP is your organization’s definition of a security event and a security incident. Not all events become incidents, and a security event should only recognized as a security incident when there is a violation of confidentiality, integrity or availability of your organization’s systems or data.

Here, you would also need to clearly state the criteria of a security incident. Do note that these criteria depends on your organisation’s incident response threshold.

At the same time, you can provide examples of security incidents that would trigger the activation of the IR plan.

Incident Response Process Overview

You may give a general summary of what would be occurring at each phase of the incident framework:

• Preparation for a cyberattack: Mock breaches, staff training, preparation of software and hardware for incident handling.
• Detection and Analysis of threat: First reports or alerts of an incident coming from a customer or staff member are validated and categorised by IRT.
• Containment, Eradication and Recovery: Based on analysis of incident, an appropriate response procedure would be put into place.
• Post-Incident Activity: Update changes to incident response plan based on the review of the cyberattack.

This is just a brief example of how the overview may look like, but you may add more details depending on how your IRT would respond to the incident you’ve scoped out in the previous step.

Process Flow of Incident Response Handling

The bulk of your IRP would definitely be the incident handling process flow. This is the most important part of your incident response plan. In this section, there is no fixed list of activities as different organizations have unique processes and procedures while dealing with a cyberattack. You should understand your organization’s security needs, limitations and policies while going through this part.

Process Flow for Detection and Analysis

To start things off, outline the activities that would occur upon detection of a potential cyberattack.

After a report or security alert, you would want to investigate into the matter to ensure that the incident is not a false positive. You do not want to waste resources and time on a false alarm.

Now, let’s say that the investigation team has validated the cyber incident, the next step is to collect incident data upon discovery and inform the affected stakeholders (i.e. employees, press, customers and the public) regarding the attack.

Process Flow for Containment, Eradication and Recovery

Once a security incident is verified, you need to contain and eliminate the threat. However, there are many types of security incidents and each of them will require different methods and strategies to contain and eradicate the threat. As such, you can list out the possible response procedures that the response teams could use to deal with different threats.

One step you could include is the documentation and preservation of evidence. This is done to help resolve the incident but also for potential litigation.

Finally, it is important to establish a recovery plan. You could list out possible recovery examples that your response teams would choose to implement. For example:

• Re-install the affected system(s) from scratch and restore data from backups if necessary.
• Change users’ passwords if passwords may have been compromised.
• Ensure system is fully patched.
• Ensure real time virus protection and intrusion detection is running.

Process Flow for Post-Incident Activity

The last phase of the incident response procedure involves the activities in the aftermath of the incident. Some of the activities could include:

• Evidence Preservation for legal prosecution
• Assessing the cost and damage
• Review and update of your IRP

This phase is usually the most overlooked despite being the most important. You can list out several questions that the IRT could answer, assisting them in coming up with changes to the IRP.

Incident Response Flowchart

Once you laid out the procedures for each phase of your incident handling process, it can be a good practice if you can provide a visual representation of your incident handling process in the form of process/flow charts. This can give the user a better understanding and clarity into your incident handling process and procedures by breaking down the essential steps of the process.

By creating a comprehensive IRP based on the process given above, you’ll be left with a clear plan of action when dealing with an attack. With regular drills and review, your organisation will have a clear idea of their responsibilities and act quickly when an incident occurs.

Get your Free IRP Template

To make your work easier, we’ve created a template based on the points on the blog. All you’ll need to do is to fill in the information as prompted on the template, and you’ll be ready to launch your incident response plan. Click here to download the template!