An incident response plan can serve as your master blueprint for navigating the challenges of a security incident, ensuring everything is thought out in advance, secured appropriately, and that everyone on the team knows what to do if an issue does arise. In short, a well-crafted incident response plan will help your organization perform at its best by preparing for the worst.
In our latest ebook, “Prepare for Battle: Building an Incident Response Plan,” we lay out a practical, step-by-step guide to creating an incident response plan in your organization. Based on our team’s experience helping hundreds of customers create and test their own plans, this guide is designed for anyone looking to get ahead of the curve when dealing with an escalated incident. Here’s a sneak peek of what’s covered:
Step 1: Draft the plan
What does your incident response plan need to include?
First, we look at strategies for creating your incident response plan, including how to incorporate the following:
- Key stakeholders (both those on your team and third-party service providers)
- Which assets to protect
- Three areas where attackers often look to gain access to an environment
- How to overcome weaknesses and limitations around protecting certain assets
Taking all of these factors into account puts you on the path to defense-in-depth: proactive steps that make it harder for intruders to reach confidential resources without tipping off your team.
From there, we’ll show you how to map your prevention and detection capabilities to an attack chain, involve your team in the process, and lay everything out in your plan. To conclude this section, we’ll cover contingency planning. If critical assets go down or need to be shut down, how will you maintain business continuity? You’ll learn what the biggest areas of consideration are so you can minimize downtime and maximize your defenses.
Step 2: Review the plan
Is the incident response plan clear?
The next section shows you how to review your plan from the lens of practicality and effectiveness. We’ll explain how to:
- Review your plan to be sure it’s written in plain English so that your team can follow it—even in panic mode
- Involve stakeholders in the process and get their buy-in on the plan
- Map your detection capabilities to the attack chain so you can see if the plan holds up, and if not, how to tweak it
The review process is key to developing an effective incident response plan. The steps outlined in this section are designed to give you the confidence that your plan covers all necessary bases.
Step 3: Test the plan
Does the incident response plan hold up in practice?
You’ve drafted a plan—now what? It’s time to test your plan via attack simulation. We suggest a few ways to do this, along with how to evaluate the results. We’ll walk you through:
- Tabletop exercise best practices
- What scenarios to test
- How to review performance
An effective incident response plan takes a village. After going through a few mock scenarios with all of the key stakeholders, you’ll be able to make improvements and fine-tune the plan so that it’s ready for real-world action.
What to do in the case of a real incident
You, your team, and the employees in your company are the most important factors in responding to an incident. Knowing how to bring them all together goes a long way toward helping you create an effective incident response plan.
We’ll walk through:
- What questions to ask during an incident
- How to stay focused (even in panic mode)
- Who else in your company to involve
- How to keep evidence intact
No matter what types of security incidents you face, any effort you front-load into drafting, reviewing, and testing your incident response plan will provide a solid foundation for quick, nuanced reactions that will serve you, your organization, and your outside security partners well.
Like all things in life, practice makes perfect, so be sure to run through your IR plan at a regular cadence; serious training is the only way to cultivate the proper mindset and turn your team’s moves into muscle memory.