Watch an on-demand demo video of EDR in action
6 Incident Response Plan Templates and Why You Should Automate Your Incident Response
Catastrophic security breaches start as alerts, which roll out into security incidents. If you catch an incident on time and respond to it correctly, you can save the enormous damages and clean up efforts involved in a breach. Not all breaches are preventable, but a robust, tested and repeatable incident response process will reduce damage and costs in almost all cases.
In this article:
- Learn what is an incident response plan
- Incident response processes recommended by NIST and SANS
- Six incident response templates—summary of contents and direct links
- Automated incident response with Cynet Response Orchestration
What is an Incident Response Plan?
An incident response plan is a practical procedure that security teams and other relevant employees follow when a security incident occurs. It is critical to enable a timely response to an incident, mitigating the attack while properly coordinating the effort with all affected parties.
Some organizations have a dedicated incident response team, while others have employees on standby who form an ad-hoc incident response unit when the need arises. Other organizations outsource incident response to security organizations—for example, Cynet provides a managed incident response service based on our holistic security platform.
Incident Response Plan Frameworks
There are two primary frameworks you can use to plan and execute an incident response process, created by NIST, a US government standards body, and SANS, a non-profit security research organization. They are summarized below:
| NIST Incident Response Process | SANS Incident Response Process |
|---|---|
| 1. Preparation | 1. Preparation |
| 2. Detection and Analysis | 2. Identification |
| 3. Containment, Eradication, and Recovery | 3. Containment |
| 4. Post-Incident Activity | 4. Recovery |
| 5. Recovery | |
| 6. Lessons Learned |
Read our in-depth posts on the NIST Incident Response and SANS Incident Response frameworks.
Six Incident Response Plan Templates
When building your incident response plan, it is much easier to start with a template, remove parts that are less relevant for your organization, and fill in your details and processes. Below are several templates you can download for free, which can give you a head start.
1. Cynet Incident Response Plan Template
Created by: Cynet
Pages: 16
Main sections:
- Incident Response Team Responsibilities
- Testing and Updates
- Incident Response Process Overview
- Incident response checklists: Incident Discovery and Confirmation, Containment and Continuity, Eradication, Recovery, Lessons Learned
2. IltaNet Incident Response Plan
Created by: International Legal Technology Association
Pages: 5
Main sections:
- Incident response team
- Incident response notifications
- Employee responsibilities
- Types of incidents
- Definition of a security breach
- Classification procedure for potential incidents
- Response procedure
- Recovery
- Periodic testing and remediation
3. Thycotic Incident Response Template
Created by: Thycotic
Pages: 19
Main sections:
- Roles, responsibilities and contact info
- Threat classification
- Compliance and legal obligations
- Phases of incident response and actions taken.
Get .DOC file (requires registration)
4. Sysnet Security Incident Response Plan
Created by: Sysnet
Pages: 11
Main sections:
- How to recognize a security incident
- Roles and responsibilites
- External contacts
- Payment cards—what to do if compromised
- Incident response steps
- Report, investigate, inform
- Maintain continuity
- Resolve and recover
- Review
- Specific incident response types
- Malware
- Tampering with payment terminals
- Unauthorized wireless access points
- Loss of equipment
- Noncompliance with security policies
- Testing and periodic updates for IR plan
Get .DOC file (requires registration)
5. California Government Department of Technology Incident Response Plan
Created by: California Government Department of Technology
Pages: 4
Contents: 17-step incident response procedure, referencing more detailed plans for specific incident types such as malware, system failure, active intrusion attempt.
6. I-Sight Incident Response Template
Created by: I-Sight
Pages: 6
Main sections:
- Purpose
- Scope
- Definitions and examples of incidents
- Roles & responsibilities
- Incident response stages and proceures
Get .DOC file (requires registration)
The Importance of Automated Incident Response
Incident response templates and procedures are crucial, but they are not enough. In most organizations there is a critical shortage of security staff. It is impossible to review all alerts, not to mention investigate and respond to all security incidents. Statistics show that the average time to identify and remediate a breach is over 100 days.
To help address this problem, the security industry is developing tools to perform automated incident response. An automated tool can detect a security condition, and automatically execute an incident response playbook that can contain and mitigate the incident. For example, upon detecting traffic from the network to an unknown external IP, an incident playbook runs, adding a security rule to the firewall and blocking the traffic until further investigation.
By supplementing manual incident response with automated playbooks, organizations can reduce the burden on security teams, and respond to many more security incidents, faster and more effectively.
Automated Incident Response with Cynet
Cynet provides a holistic solution for cybersecurity, including Cynet Response Orchestration, which can automate your incident response. You define automated incident response playbooks, with pre-built remediation procedures for multiple attack scenarios. When an attack scenario occurs, the relevant playbook is automatically executed. Only if there is no matching playbook, the incident is pushed to the security team for a manual response.
Cynet Response Orchestration can address any threat that involves infected endpoints, malicious processes or files, attacker-controlled network traffic, or compromised user accounts.
Learn more about Cynet Response Orchestration.
