The digital transformation of industry and increasingly interconnected operational technology not only revolutionize businesses and organizations but also increase their exposure to cyber security incidents. In 2013, the FBI warned about the rise of cybersecurity incidents, which have grown manyfold since then; the damage caused in 2022 alone is estimated at $6 trillion, with $134 billion spent to prevent it. According to IBM, a breach costs an organization an average of nearly $4 million. The Ponemon Institute reports that a typical organization spends $11.7 million per year to prevent incidents while facing almost 130 security incidents per year on average. In such circumstances, protecting an organization’s data and assets is of crucial importance, and an organization’s reputation depends heavily on having a comprehensive plan and methodology for dealing with cyber security incidents.

An Incident Response Plan (IRP) is a set of guidelines established to tackle cybersecurity threats. It specifies the methodology, procedures, and tools an organization uses to identify, contain, eradicate, and remediate an incident as quickly as possible, and it strengthens the organization’s ability to protect data and assets. A carefully curated IRP brings positive change to an organization: it ensures data protection, eliminates resource abuse, earns customers’ trust, and reduces incident handling costs.

Incident Response Team

The foremost task in implementing an incident response plan is recruiting a highly professional team of IT experts known as the Computer Security Incident Response Team (CSIRT). The team devises the plan, executes it, documents it, and fine-tunes or upgrades the organization’s incident response capabilities accordingly. Another responsibility of the CSIRT is communicating the event to the organization’s management, stakeholders, legal counsel, law enforcement, and affected customers.

Incident identification is the first concern of the CSIRT, since response strategies depend on the incident type. “One of the first considerations should be to create an organization-specific definition of the term ‘incident’ so that the scope of the term is clear,” states NIST. An incident, more specifically a cybersecurity incident, may involve a data breach, a security or policy violation, a data leak, packet flooding, phishing, ransomware, a system crash, unauthorized access, compromised file sharing, etc. To address these threats and violations, organizations formally set up a roadmap: a coordinated approach to managing such events effectively and enhancing their incident response capability.

IRP Elements

The Ponemon Institute reports in the results of a survey that only 32% of organizations have a fully incorporated, mature incident response plan. 77% struggle to formulate a precise and comprehensive plan and implement it across their organizations, and half of them do not even have a concrete incident response plan. These statistics indicate the crucial need for guidelines that help organizations implement an effective plan to deal with the threat of a violation or security breach. Here the various elements, phases, templates, examples, and variants of an IRP are carefully elaborated.

An IRP has various elements and depends heavily on the organization’s scope, goals, requirements, strategies, and operations. A successful incident response plan includes a mission aligned with the organization’s requirements, essential resources, and management support. Apart from these, policy and procedure elements also play an important role. The elements involved are listed below:

  • Strategies and Goals
  • Senior Management
  • Stakeholders and External Parties
  • Incident Response Team
  • Organization’s Mission and Approach
  • Incident Communication Strategies
  • Incident Response Capability
  • Incident Rating based on Severity
  • Plan Flexibility
  • Consistent Tests and Security Drills
  • Comprehensive SOPs (Standard operating procedures)

IRP Phases

NIST states the benefits of having an incident response plan: “One of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken.” This incident handling methodology or plan therefore consists of systematic steps, commonly known as phases. The number of phases is defined differently in various studies, ranging from four to seven, but most are derived from the four basic phases defined by NIST:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

The SANS Institute treats Containment, Eradication, and Recovery as separate phases, making a total of 6 phases, whereas some studies further split Post-Incident Activity into Lessons Learned and Testing. Each phase is elaborated below:

Preparation: Preparation involves recruiting an efficient Cyber Security Incident Response Team (CSIRT), pinpointing the high-risk incidents and sensitive assets, and training the team to manage them effectively. This phase involves both preventing incidents and establishing the incident response capability to handle any security event. Deploying incident handling communication facilities (incident reporting, central coordination, secure storage, etc.) and incident analysis hardware and software (backup devices, forensic software, evidence storage equipment, incident mitigation and restoration software, etc.) is part of establishing that capability. On the other hand, timely risk assessments, network security, malware protection, and user training all contribute to preventing incidents in the first place.

Detection and Analysis: Detecting an incident involves identifying the attack vectors, for instance an infected external device, a malicious webpage, brute force, email phishing, impersonation, etc. Detection is the most crucial part, as recovery depends on accurate detection of the event. Security software (antivirus, SIEMs, IDPS, file integrity monitoring), logs (network logs, operating system logs, application logs), publicly available information (NVD, CS-CERT), and people (users, system and network administrators) all play an important role in the detection phase. Once an incident is detected, it should be communicated to all stakeholders and documented immediately. Prominent aspects of the documentation are the incident summary, current status, actions taken, chain of custody, impact assessment, and gathered evidence. This documentation is of great help in later phases and can also be used as evidence against the attackers in legal proceedings.
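The detection and documentation described above, as an added example that is not part of the original article: a small detector run over constructed authentication log lines (an sshd-style format, documentation addresses), followed by an incident record carrying the fields the phase calls for (summary, status, actions taken, hashed evidence as chain of custody, impact). The log format, the brute-force threshold and window, and the record fields are assumptions, not taken from any specific product.

```python
"""Added example: log-based detection plus the incident record shared with
stakeholders. Log format, threshold/window and record fields are assumptions."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample log lines (sshd-like format, documentation addresses; not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host1 sshd: Failed password for invalid user admin from 203.0.113.7 port 50122
2024-03-01T10:00:03Z host1 sshd: Failed password for root from 203.0.113.7 port 50130
2024-03-01T10:00:05Z host1 sshd: Failed password for root from 203.0.113.7 port 50138
2024-03-01T10:00:07Z host1 sshd: Failed password for root from 203.0.113.7 port 50140
2024-03-01T10:00:09Z host1 sshd: Failed password for root from 203.0.113.7 port 50144
2024-03-01T10:00:11Z host1 sshd: Accepted password for root from 203.0.113.7 port 50150
2024-03-01T10:02:00Z host1 sshd: Failed password for alice from 198.51.100.4 port 40000
2024-03-01T10:05:00Z host1 sshd: Accepted publickey for alice from 198.51.100.4 port 40010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)
FAIL_THRESHOLD = 5   # assumption: 5 failures from one source ...
WINDOW_SECONDS = 60  # ... within 60 seconds is treated as brute force


def parse_line(line):
    """Parse one log line into a dict; return None for lines the pattern does not cover."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_brute_force(log_text):
    """One finding per source that reached FAIL_THRESHOLD failures inside WINDOW_SECONDS.
    'succeeded' is set when an Accepted event from that source follows the burst,
    which is the case that needs the fastest response."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["result"] == "Failed" else successes)[e["src"]].append(e)
    findings = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        for i in range(len(fails) - FAIL_THRESHOLD + 1):  # sliding window over failures
            first, last = fails[i], fails[i + FAIL_THRESHOLD - 1]
            if (last["ts"] - first["ts"]).total_seconds() <= WINDOW_SECONDS:
                findings.append({
                    "src": src,
                    "host": first["host"],
                    "failures": len(fails),
                    "accounts": sorted({e["user"] for e in fails}),
                    "succeeded": any(s["ts"] > last["ts"] for s in successes.get(src, [])),
                })
                break
    return findings


@dataclass
class IncidentRecord:
    """Documentation fields named in the text: summary, status, actions taken,
    chain of custody (hashed evidence entries) and impact."""
    summary: str
    severity: str
    impact: str
    status: str = "detected"
    actions_taken: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

    def add_evidence(self, name, content, collected_by):
        # Hash at collection time so any later modification of the evidence is detectable.
        self.evidence.append({
            "name": name,
            "sha256": hashlib.sha256(content.encode()).hexdigest(),
            "collected_by": collected_by,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })

    def verify_evidence(self, name, content):
        """Chain-of-custody check: does the content still match the recorded hash?"""
        digest = hashlib.sha256(content.encode()).hexdigest()
        return any(e["name"] == name and e["sha256"] == digest for e in self.evidence)


def open_incident(finding, log_text, analyst):
    """Turn a finding into the record that is communicated to stakeholders."""
    rec = IncidentRecord(
        summary=(f"Brute-force attempts against {finding['host']} from {finding['src']}: "
                 f"{finding['failures']} failures on accounts {', '.join(finding['accounts'])}"),
        severity="high" if finding["succeeded"] else "medium",
        impact="Account compromise likely" if finding["succeeded"] else "No successful login observed",
    )
    rec.add_evidence("auth.log", log_text, analyst)
    rec.actions_taken.append(f"Incident opened by {analyst}; stakeholders notified")
    return rec


if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE_LOG):
        print(open_incident(f, SAMPLE_LOG, "analyst-1"))
```

Hashing the evidence when it is collected, and re-checking it with verify_evidence before it is used in later phases or legal proceedings, is what turns "gathered evidence" into a chain of custody: the record shows who collected what, when, and that it has not changed since.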

Containment: Containment is critical to prevent further damage to the system. Decisions about fully or partially shutting down the system or isolating a network segment keep resources from being overwhelmed while a final eradication strategy is worked out. This phase also ensures the availability of the services and resources required for the eradication phase. The attacker’s activity can also be diverted to a sandbox to gather more evidence.

Eradication: After the incident is identified and contained, the next step is to eliminate the elements that caused the vulnerability and compromised the system. The eradication phase includes removing malware or breached accounts so that remediation can proceed in the next phase.

Recovery: The Cyber Security Incident Response Team restores the system, remediates vulnerabilities, and ensures that such events are prevented in the future. The administrators or CSIRT recover the system by restoring backups, updating passwords, replacing compromised files, or at times rebuilding from scratch. Once the systems are recovered, they are monitored for a set period to confirm normal activity, since the organization remains prone to similar attacks. For large-scale incidents, the recovery period is correspondingly longer.

Post-Incident Activity: This phase spans Lessons Learned and Testing. The documentation of the incident is completed in this phase; details missed during the process are carefully added, mostly within two weeks of incident handling. The details of the incident, how it occurred, and the containment and eradication procedures are recorded. These details support further risk assessment, the implementation of additional controls, the handling of future events, and measuring the CSIRT’s success rate. The lessons are used to further fine-tune the processes, test them, and train users accordingly.

IRP Templates

Several IRP templates are available online to help organizations kick-start their first incident response plan and boost protection.

Berkeley Security Incident Response Plan Template: The template includes IRP information, system details (data flow charts, network diagrams, logs, inventory, etc.), and whom to contact if an incident is suspected. It defines the expected risks and incidents, covers the incident response phases, and provides information about handling compromised systems. It also separates incidents into two categories, i.e., high priority and low priority.

California Department of Technology IRP Template: It is a brief guide for the CSIRT and IT staff on handling, containing, and eradicating a security incident, along with instructions regarding some common threats and their remediation.

Michigan IR Plan Template: The template begins with the scope and purpose of the IRP, followed by definitions of events, incidents, and criminal justice policy. The template clearly states that organizations should amend the plan according to their requirements and the nature of events and incidents. It then covers all four IRP phases, information about the IR team, and an IR process tree.

Sysnet’s Security Incident Response Plan Template: Sysnet’s template covers the identification of an incident, the roles and responsibilities of the CSIRT, and the phases of the IRP. It also lists some common incidents and how to respond to them.

TechTarget’s Incident Response Plan Template: TechTarget provides a detailed template with incident planning, incident handling, and incident response checklists. The procedures, responsibilities, and guidelines are sequentially and logically highlighted.

Thycotic’s Incident Response Template: It is a comprehensive template spanning CSIRT information, roles and responsibilities, incident identification and classification, threat handling, policy regulations pertaining to region and organization, and IRP phases. It also includes a guide to customize the template.

IRP Examples

Apart from templates, some actual examples of the plan provide a deeper understanding of how to formulate one’s own plan. Some examples are as follows:

Berkeley Security Incident Response Plan Example: Berkeley has a template as well as its own IRP, covering information about its CSIRT, the individuals to whom an incident is reported, how to report it, and how to deal with the system in case of a breach. This information is followed by systematic steps and phases for implementing the IRP.

Carnegie Mellon University Plan Example: The document describes the detailed plan including scope, roles and responsibilities, incident definition, IR documentation, and policy regulations.

Tulane University Plan Example: The plan includes scope, roles and responsibilities, incident definition, incident handling, IR phases, and IR documentation. It also handles the incidents based on criticality.

Wright University Plan Example: The example describes the scope, IR phases, incident handling steps, and list of security tools.

Disaster Recovery Plan – IRP vs DRP

An Incident Response Plan is often confused with a Disaster Recovery Plan (DRP). The latter deals with disaster events such as power failures, accidental data loss, or catastrophic system failures, whereas the former strictly concerns events related to computer security, such as a data breach, violation of security protocols and standard security practices, malware installation, etc. To tackle a security incident effectively, an organization requires both an IRP and a DRP.

An Automated Incident Response – SOAR

A robust, real-time, and fast incident response is crucial for an organization’s security. In an era of persistent and sophisticated cybersecurity incidents, manual IR falls short at times. Speed is an essential factor in the IR cycle, as the time attackers spend inside a system is proportional to the damage they cause. It is reported that 88% of professional attackers can infiltrate an organization within 12 hours. According to a survey by the Ponemon Institute, 55% of organizations stated that their teams take longer to remediate an incident, while 60% believe that the severity of incidents is on the rise.

An advanced, proactive IR is required to deal with modern security threats. Security Orchestration, Automation, and Response (SOAR) was introduced to address this shortcoming of manual IR. According to Gartner, “SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.”

As soon as a violation is detected, SOAR triggers the IR capabilities and ensures fast-paced containment, eradication, and recovery. An automated IR tool works and benefits the organization in the following ways:

  • It provides a fast-paced response in the event of a violation.
  • It works on security threats round the clock.
  • It integrates with other tools to provide enhanced and complex incident response.
  • It automates repetitive tasks giving CSIRT more time to develop the latest security strengthening techniques.
  • It keeps logs and documentation about incidents so the CSIRT can analyze and fine-tune the process.
  • It also generates multi-level reports, including analyst-level, SOC manager-level, and CISO-level reports.
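The SOAR behaviour described in this section (response procedures defined as a digital workflow, run automatically on detection, with logs kept for the CSIRT and reports at analyst, SOC manager and CISO level), as an added example that is not part of the original article and not the code of any SOAR product: a minimal playbook engine over constructed alerts. The alert schema, the step and action names, the severity rules and the simulated Environment (standing in for firewall, identity-provider, mail-gateway and ticketing APIs) are all assumptions.

```python
"""Added example: SOAR-style playbooks as a digital workflow, executed per alert with
an audit trail and per-audience reports. Schema, steps and rules are assumptions."""
from collections import Counter

# Constructed alerts as a SIEM might hand them over (documentation addresses; not real data).
SAMPLE_ALERTS = [
    {"id": "A-1", "type": "brute_force", "asset": "host1", "src": "203.0.113.7", "user": "root", "succeeded": True},
    {"id": "A-2", "type": "brute_force", "asset": "host1", "src": "198.51.100.4", "user": "alice", "succeeded": False},
    {"id": "A-3", "type": "phishing", "asset": "mail", "user": "bob", "clicked": True},
]

# Incident rating based on severity: one rule per alert type (assumed rules).
SEVERITY_RULES = {
    "brute_force": lambda a: "high" if a["succeeded"] else "medium",
    "phishing": lambda a: "high" if a.get("clicked") else "low",
}

class Environment:
    """Stand-in for the systems a real SOAR platform drives through external APIs."""
    def __init__(self):
        self.blocked_ips = set()
        self.disabled_users = set()
        self.password_resets = set()
        self.tickets = []
        self.notifications = []

def _act(mutate, message):
    """Build an action: apply the side effect on the environment, return the audit line."""
    def action(env, alert):
        mutate(env, alert)
        return message.format(**alert)
    return action

ACTIONS = {
    "block_ip": _act(lambda env, a: env.blocked_ips.add(a["src"]), "blocked {src}"),
    "disable_user": _act(lambda env, a: env.disabled_users.add(a["user"]), "disabled {user}"),
    "reset_password": _act(lambda env, a: env.password_resets.add(a["user"]), "password reset for {user}"),
    "quarantine_message": _act(lambda env, a: None, "message quarantined for {id}"),
    "open_ticket": _act(lambda env, a: env.tickets.append(a["id"]), "ticket opened for {id}"),
    "notify_analyst": _act(lambda env, a: env.notifications.append(a["id"]), "analyst paged for {id}"),
}

# Playbooks are the "digital workflow format": ordered steps per alert type. A step
# with a "when" guard runs only if the guard holds for that alert and its severity.
PLAYBOOKS = {
    "brute_force": [
        {"phase": "containment", "action": "block_ip"},
        {"phase": "containment", "action": "disable_user", "when": lambda a, sev: a["succeeded"]},
        {"phase": "documentation", "action": "open_ticket"},
        {"phase": "notification", "action": "notify_analyst", "when": lambda a, sev: sev == "high"},
    ],
    "phishing": [
        {"phase": "containment", "action": "quarantine_message"},
        {"phase": "eradication", "action": "reset_password", "when": lambda a, sev: a.get("clicked")},
        {"phase": "documentation", "action": "open_ticket"},
        {"phase": "notification", "action": "notify_analyst", "when": lambda a, sev: sev == "high"},
    ],
}

def run_playbook(env, alert, audit):
    """Rate the alert, then execute its playbook; every step, run or skipped, is logged."""
    severity = SEVERITY_RULES[alert["type"]](alert)
    for step in PLAYBOOKS[alert["type"]]:
        entry = {"alert": alert["id"], "severity": severity, "phase": step["phase"], "action": step["action"]}
        guard = step.get("when")
        if guard and not guard(alert, severity):
            entry.update(status="skipped", result="guard not met")
        else:
            entry.update(status="done", result=ACTIONS[step["action"]](env, alert))
        audit.append(entry)
    return severity

def run_all(alerts):
    """Process a batch of alerts; returns the environment, the audit trail and severities."""
    env, audit, severities = Environment(), [], {}
    for alert in alerts:
        severities[alert["id"]] = run_playbook(env, alert, audit)
    return env, audit, severities

def build_reports(audit, severities):
    """Three views of one audit trail: analyst detail, SOC manager counts, CISO summary."""
    done = [e for e in audit if e["status"] == "done"]
    analyst = {}
    for e in done:  # full action-by-action trail per alert
        analyst.setdefault(e["alert"], []).append(f"{e['phase']}/{e['action']}: {e['result']}")
    soc_manager = {
        "automated_actions": len(done),
        "skipped_steps": len(audit) - len(done),
        "actions_by_phase": dict(Counter(e["phase"] for e in done)),
    }
    ciso = {
        "alerts_by_severity": dict(Counter(severities.values())),
        "alerts_contained": len({e["alert"] for e in done if e["phase"] == "containment"}),
    }
    return {"analyst": analyst, "soc_manager": soc_manager, "ciso": ciso}

if __name__ == "__main__":
    env, audit, severities = run_all(SAMPLE_ALERTS)
    print(build_reports(audit, severities))
```

The guards are what keep automation proportionate: the same playbook blocks the source for every brute-force alert, but disables an account only when a login actually succeeded and pages an analyst only for high-severity cases, while the audit trail records the skipped steps too, so the CSIRT can later review why a step did or did not run and fine-tune the workflow.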