The 7 Steps to an Effective Cyber Incident Response Plan


Overview

Data breaches and cyber attacks are ever-present threats to any organization, and threat actors have consistently evolved their tactics and techniques to overcome security controls. While no business can entirely eliminate the risk of a cyber incident, having a cyber incident response plan can help them prepare and respond should a cyber attack occur. 

According to IBM’s Cost of a Data Breach Report 2023, 51% of organizations planned to increase security spending after a breach. The most common investment was incident response planning and testing, cited by 50% of respondents, followed closely by employee training at 46%.

Cyber incident response plan guide

Incident response plans help businesses before, during, and after a cyber incident. They are tailored to the individual company and should document key roles and responsibilities along with guidance on the key activities in each phase. The end goal of the incident response process is to minimize business downtime while responding to the incident as effectively as possible. Ideally, incident response plans are living documents that are updated as the business grows and are reviewed and approved by key stakeholders.

Below are the critical considerations for any business developing an incident response plan.

Preparation


Cyber incidents can strike without warning, which makes preparation essential. The preparation phase includes all the steps necessary to build an effective incident response process before a cyber attack occurs, helping organizations mitigate damage and maintain business continuity. 

Before a cyber incident occurs, identifying the key stakeholders who will respond to an incident and documenting their roles and responsibilities is essential. As a best practice, gather contact information for key personnel, train them to understand their role, and support the organization's security posture.

Cyber incidents can impact an organization's ability to access its internal communication tools, data, and documentation, making it worthwhile to gather important records, print them, and store them in a safe place. 

  • Always store a cyber insurance policy in a location where it is easily accessible. Cyber insurance policies contain your policy number, coverage details, and information on how to report a claim. 

  • A recent cyber risk assessment gives responders a snapshot of the organization's known exposures and the mitigations already in place. Keep the latest assessment with the plan; it also informs other security procedures and best practices.

  • The Cybersecurity and Infrastructure Security Agency (CISA) recommends meeting with your local law enforcement teams as part of the preparation stage, and documenting how you will report a cyber incident to local and federal agencies.

The preparation phase also includes establishing security controls. Controls such as multi-factor authentication (MFA) and managed detection and response (MDR) work in conjunction with an incident response plan to create a defense-in-depth security posture. This preparation should also include a review of logging capabilities: confirm that the log sources you would need during an investigation are actually collecting, are forwarded off the originating host, and are retained long enough that the data is still there when a breach is discovered, so responders can establish the scope and severity of the event. This strategy layers multiple security measures to protect an organization's assets before threat actors strike.
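As an added illustration of that logging review (example code written for this article, not a Coalition or NIST tool), the following Python script walks an inventory of log sources and flags the gaps that most often surprise responders after a breach: a source that has gone silent, retention shorter than the investigation window, logs kept only on the host where an attacker can delete them, and a required log category with no healthy source at all. The inventory, the category names, and the thresholds are constructed assumptions for the example, not values from any real environment.

```python
"""Logging-readiness check for the preparation phase (added example).

The inventory and the policy thresholds below are constructed for
illustration; replace them with your own sources and requirements.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class LogSource:
    name: str
    category: str          # assumed categories: auth, endpoint, email, network, cloud
    last_event: datetime   # newest event timestamp the central log platform has seen
    retention_days: int    # how long events are kept before they roll off
    central: bool          # True if forwarded off-host to a SIEM or log platform


# Assumed policy thresholds (hypothetical; tune to your own requirements).
MIN_RETENTION_DAYS = 90     # long enough to cover typical attacker dwell time
MAX_SILENCE_HOURS = 24      # a normally busy source quiet this long is probably broken
REQUIRED_CATEGORIES = {"auth", "endpoint", "email", "network", "cloud"}


def check_logging_readiness(sources: list[LogSource], now: datetime) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the inventory is ready."""
    findings = []
    healthy_categories = set()
    for src in sources:
        silent_for = now - src.last_event
        problems = []
        if silent_for > timedelta(hours=MAX_SILENCE_HOURS):
            hours = silent_for.seconds // 3600
            problems.append(f"no events for {silent_for.days}d {hours}h (forwarding broken?)")
        if src.retention_days < MIN_RETENTION_DAYS:
            problems.append(f"retention {src.retention_days}d < {MIN_RETENTION_DAYS}d")
        if not src.central:
            problems.append("stored only on the host; an attacker with host access can delete it")
        if problems:
            findings.append(("high", f"{src.name} ({src.category}): " + "; ".join(problems)))
        else:
            # Only a source with no problems counts toward category coverage.
            healthy_categories.add(src.category)
    # Coverage check: every required category needs at least one fully healthy source.
    for cat in sorted(REQUIRED_CATEGORIES - healthy_categories):
        findings.append(("critical", f"no healthy log source covers '{cat}'"))
    return findings


# Constructed sample inventory: one healthy source, one silent, one with short
# retention, one kept only locally, and one healthy cloud audit log.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    LogSource("dc01 Windows Security log", "auth", NOW - timedelta(minutes=5), 180, True),
    LogSource("vpn-gw syslog", "network", NOW - timedelta(days=3), 365, True),
    LogSource("M365 unified audit log", "cloud", NOW - timedelta(hours=1), 90, True),
    LogSource("EDR telemetry", "endpoint", NOW - timedelta(minutes=2), 30, True),
    LogSource("mail gateway log", "email", NOW - timedelta(minutes=10), 120, False),
]


if __name__ == "__main__":
    for severity, message in check_logging_readiness(SAMPLE_INVENTORY, NOW):
        print(f"[{severity.upper()}] {message}")
```

Running the script against the sample inventory reports the silent VPN gateway, the 30-day EDR retention and the host-only mail gateway log, then three critical coverage gaps (email, endpoint, network), because a source with any defect does not count as covering its category. Feeding it real source metadata exported from your log platform turns the preparation-phase "review logging" bullet into a repeatable check.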

During the preparation phase, remember that an incident response plan should be repeatable and help foster coordination across multiple organizations (i.e., an organization's internal IT teams, cyber insurance provider, and breach counsel). It can be challenging to convey information during a crisis, which is why planning and preparation matter.

The National Institute of Standards and Technology (NIST) provides guidance that helps organizations detect, manage, and respond to cybersecurity events. The NIST incident response life cycle (NIST Special Publication 800-61, the Computer Security Incident Handling Guide) has four distinct phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity, commonly called lessons learned. According to NIST, an incident response plan is not just a list of steps to take after a cyber attack; it is a roadmap for implementing an incident response program.

The maturity of an organization’s IT and security teams will determine how active a role they have in certain phases of the incident response process. Cyber insurance providers can play a valuable role in filling gaps in the incident response process. They often have access to partners or vendors with incident response and forensic capabilities. Regardless of in-house technical capabilities, organizations of all sizes can benefit from an incident response plan.

Identification


The first critical step is recognizing something is wrong. Organizations first need to understand their critical business capabilities and potential exposures to identify anomalous activity on a network, both of which should be documented in an incident response plan.

Critical business capabilities are a combination of the people, technologies, and processes a business needs to function. For example, a staffing firm may identify that recruiters need to access HR systems to review resumes and conduct interviews to place qualified candidates. If these systems fail or become unreliable, the business will be unable to perform its core business capabilities. Similarly, the staffing firm may also identify that if the vendor that makes its HR software is hacked, they too could be at risk of a cyber incident as a customer of that software.

Analysis


After identifying anomalous activity, assess the situation: why do you believe you are experiencing a cyber incident, and what information do you have? 

  • Have employees reported suspicious emails or text messages lately?

  • Have you noticed any fraudulent transactions or suspicious requests from vendors or suppliers?

  • Is your organization's network inexplicably slow or completely inaccessible?

  • If there is anomalous behavior, what have you observed on the affected systems?

  • Did any employees report downloading a suspicious attachment that could be malware?

Some of these signs may indicate serious cyber attacks such as ransomware or funds transfer fraud (FTF). A sudden flood of suspicious emails or text messages may indicate a phishing campaign, which is often the precursor to business email compromise (BEC) or FTF.

Time is of the essence with cyber incidents, and normal communication channels may be impacted and user accounts may be inaccessible. An incident response plan should include alternative communication methods for key personnel identified in the preparation phase.

As a best practice, designate an employee to lead the incident response, commonly called an Incident Manager, who funnels communication between internal and external teams. Smaller organizations may need to direct the Incident Manager to contact their managed security services provider (MSSP) as applicable.

Once an incident is detected, this is also the time to evaluate whether or not you should file a cyber insurance claim. Some cyber insurance providers, like Coalition, offer preclaims services that can provide guidance without costing an organization money.

Containment


After confirming that an active cyber incident is taking place, the first goal is to contain it: isolate affected systems and cut off the attacker's access to the network before attempting to restore critical business operations. Cyber attacks such as ransomware partially or fully encrypt data on an organization's systems, often leaving it unable to perform critical functions.  

An effective incident response plan should include a list of mission-critical data, networks, assets, or services that should receive primary attention. For example, restoring payment and billing systems may receive priority over other, less critical systems and data.

As a best practice, this phase should identify what, if any, types of data the bad actor accessed and if any data was removed from the system. The Incident Manager should have clear direction in the incident response plan regarding what communications should take place if data was inappropriately accessed or exfiltrated during the incident.

Eradication


The incident response process will attempt to determine the root cause of the incident, but this can be difficult. If the root cause cannot be determined, it is hard to gauge the true extent of the damage to the network, and the team may need to fall back on broader measures, such as restoring systems to an earlier known-good state. 

Regulatory and reporting requirements vary by industry and by the types of data an organization collects and stores. When working with a cyber insurance provider, breach counsel will often be involved; they can assess the affected data and advise on what reporting, if any, is mandatory. 

In addition to regulatory considerations, this may be the time to report the incident to law enforcement. Information sharing between security teams and law enforcement personnel can be critical, and local and federal law enforcement agencies will have different reporting procedures. Consult your incident response plan and coordinate with both breach counsel and security team members accordingly.

Recovery


Once the threat has been contained and eradicated, recovery can begin. During this phase, your security team may attempt recovery from backups. This is also when key business systems can be brought back online and normal business operations can resume.

The incident response team or an external forensic team may also monitor systems using tools such as endpoint detection and response (EDR) to ensure that everything is operating normally and that the attacker has not returned. If the incident response team successfully determines the root cause — for example, an unpatched vulnerability — remediation steps can also take place.

Lessons learned


A key component of cyber incident response plans is to hold a formal review of the incident. These reviews may be called a retrospective, postmortem, or lessons learned, but the goal is the same: to review what worked and what did not. Ideally, lessons learned should take place shortly after restoring normal operations.

A formal meeting should be blameless — this is not the time to point fingers. Instead, review your incident response plan and consider what may need adjusting. Ideally, the root cause of the incident (how the attackers gained access to the network) will have been determined, giving the organization an opportunity to review its security controls and strengthen its security posture.

Did the incident occur due to a phishing email? If so, this is an opportunity to consider rolling out MFA, strong password policies, or other security controls that help IT staff mitigate a future event. To better position the business, organizations with mature IT security capabilities may even elect to use penetration testing to gauge the ability of their network to withstand future attacks from cyber criminals.

This is also an opportunity to review your incident response plan and adapt it as needed. Remember, incident response plans are living documents that can and should be updated as necessary to implement an effective incident response program.

Enhance your client's preparation with Coalition Security Services


Ultimately, cybersecurity is a team-based process. While no business plans to suffer a cyber incident, sharing lessons learned from a cyber attack can make more organizations safer. Still, given the nature of risk and the ever-changing threat landscape, businesses can reduce risk but never eliminate it entirely. 

Amid this ever-present risk, a cyber incident response plan can mitigate the negative impacts of potential threats. It’s much tougher to quickly and efficiently respond to a cybersecurity incident without adequate preparation, security controls, or a practiced response process. Implementing a cyber incident response plan can be the difference between a non-incident and a business-ending event. 

Coalition Security Services helps businesses respond to cyber threats with a unified range of offerings. From simulations to tabletop exercises, our team of cybersecurity responders and other information security professionals can help you create a response plan tailor-made to your organization. Coalition Incident Response (CIR), our forensics and remediation firm, can even provide policyholders with a customizable incident response plan template.

To learn more about Coalition Control, visit coalitioninc.com/coalition-security-services.

Learn how Coalition can help your organization mitigate cyber risks.