
Incident Response Plan: Roles, Process, Templates and Examples

What is an Incident Response Plan?

Incident response is an organizational process that allows an organization to respond to cyberattacks. The incident response process includes identifying an attack, understanding its severity and prioritizing it, investigating and mitigating the attack, restoring operations, and taking action to ensure it won’t recur.

An incident response plan (IRP) is a set of documented procedures detailing the steps that should be taken in each phase of incident response. It should include guidelines for roles and responsibilities, communication plans, and standardized response protocols.


Objectives of Incident Response

A successful incident response plan aims to identify attacks and deal with them as effectively and as early as possible. The objective of an incident response plan is to bring the following to a minimum:

  • The number of systems and users affected by a breach
  • The dwell time of attackers in the corporate network
  • The damage inflicted to the organization
  • The time required to restore normal operations
  • The cost of mitigation and clean-up efforts
  • Liability and damage caused to third parties such as customers

7 Reasons You Must Put Together an Incident Response Plan

A strong incident response process can dramatically reduce the damage caused to an organization when disaster strikes. A written incident response plan helps codify that process and distribute it across the organization.

It’s not just about having a good plan—it’s about all relevant stakeholders knowing and agreeing to the plan, and being ready to coordinate efforts around that plan when an attack occurs. These stakeholders typically include security teams, operations, legal, and executive management, but may include others such as development teams, PR, partners and customers.

Here are the main reasons you must have a strong incident response plan in place:

  • Prepares you for emergency—security incidents happen without warning, so it’s essential to prepare a process ahead of time
  • Repeatable process—without an incident response plan, teams cannot respond in a repeatable manner or prioritize their time
  • Coordination—in large organizations, it can be hard to keep everyone in the loop during a crisis; an incident response plan can help achieve this
  • Exposes gaps—in mid-sized organizations with limited staff or limited technical maturity, an incident response plan exposes obvious gaps in the security process or tooling, which can be addressed before a crisis occurs
  • Preserves critical knowledge—an incident response plan ensures critical knowledge and best practices for dealing with a crisis are not forgotten over time, and lessons learned are incrementally added
  • Practice makes perfect—an incident response plan creates a clear, repeatable process that is followed in every incident, improving coordination and effectiveness of response over time
  • Documentation and accountability—an incident response plan with clear documentation reduces an organization’s liability—it allows you to demonstrate to compliance auditors or authorities what was done to prevent the breach

Key Roles in an Incident Response Team

To execute an incident response plan, you need an incident response team. The following are essential roles within the team—in a large organization the roles may be carried out by full-time employees or entire teams; in smaller organizations, they can be filled by employees with other duties who have a part-time responsibility for incident response.

  • Incident response managers—have at least two members of staff responsible for approving the incident response plan and coordinating activity when an incident occurs.
  • Security analysts—review alerts, identify possible incidents and perform an initial investigation to understand the scope of an attack.
  • Threat researchers—responsible for providing contextual information around a threat, using information from the web, threat intelligence feeds, data from security tools, etc.
  • Other stakeholders—these can include senior management or board members, HR, PR, and senior security staff such as the Chief Information Security Officer (CISO).
  • Third parties—such as lawyers, outsourced security services, or law enforcement agencies.

The Incident Response Process: SANS vs. NIST

When creating your incident response plan, it is useful to follow existing incident response frameworks from leading research institutions. There are two commonly used frameworks:

  • SANS Incident Response Framework – SANS is the world’s largest provider of security training and certification, and operates an early warning system for global cyber threats. SANS released an incident response handbook, which provides a structured six-step process for incident response, from preparation before an incident through lessons learned after it.
  • NIST Incident Response Framework – the National Institute of Standards and Technology is an agency of the U.S. Department of Commerce that provides standards and recommendations for multiple industries. NIST provides a four-step incident response process which emphasizes that incident response should be cyclical, with continuing learning and improvement to enhance defenses over time.

The following summarizes the incident response steps recommended by each framework. The two map onto each other closely: SANS steps 1 and 2 correspond to NIST steps 1 and 2, SANS steps 3 to 5 (containment, eradication and recovery) are combined into NIST step 3, and SANS step 6 corresponds to NIST step 4.

SANS Incident Response Steps

  1. Preparation – Create a security policy, perform a risk assessment, identify sensitive assets, and build the incident response team.
  2. Identification – Monitor IT systems, detect anomalies, identify actual security incidents and investigate them to establish type and severity.
  3. Containment – Perform short-term containment to prevent the threat from spreading, then perform long-term containment, including temporary fixes and rebuilding clean systems.
  4. Eradication – Clean malware, identify the root cause of the attack, and take action to prevent similar attacks in the future.
  5. Recovery – Bring production systems back online, taking measures to prevent additional attacks. Test, verify and monitor systems as they recover.
  6. Lessons learned – No later than two weeks from the end of the incident, perform a retrospective, prepare complete documentation, evaluate containment efforts and see if anything in the process should be improved.

NIST Incident Response Steps

  1. Preparation – Compile a list of IT assets, identify critical assets, set up monitoring, define types of security events, and create incident response steps for each type.
  2. Detection and Analysis – Collect data from IT systems, security tools, and external sources, identify precursors (signs of impending incidents) and indicators (signs of an actual attack), and analyze them to identify incidents.
  3. Containment, Eradication, and Recovery – The containment strategy depends on the level of damage, the need for continuous access to affected systems, and the time needed to implement a solution. After the incident is contained, remove all threat elements from the environment, restore systems and recover normal operations, while ensuring the same assets are not attacked again.
  4. Post-Incident Activity – Learn from previous incidents to improve the incident response process. Use your findings to adjust incident response policies, plans, and procedures, and feed the preparation stage for future incidents.


Incident Response Plan Templates

One more thing that can save you time as you prepare an incident response plan is to use ready-made templates shared by other organizations. You can adapt these templates to your specific needs.

The following templates can help you get a head start on your incident response plan:

  • Cynet Incident Response Plan Template – includes team responsibilities, testing, process overview, and checklist. Download .DOC file
  • IltaNet Incident Response Plan – includes team responsibilities, incident notifications, types of incidents and classification procedure, and definition of breach. Download .ASHX file
  • Thycotic Incident Response Template – includes roles, responsibility and contacts, threat classification, incident response phases and actions in each phase. Get .DOC file
  • Sysnet Security Incident Response Plan Template – includes roles and responsibilities, external contacts, incident response steps, and types of incidents. Get .DOC file*
  • California Government Department of Technology Incident Response Plan – includes 17-step incident response procedure, with more detailed plans for specific incident types. Download .DOC file
  • I-Sight Incident Response Template – includes incident definitions and examples, roles and responsibilities, incident response stages and procedures. Get .DOC file*

(*) Website requires registration

Learn more in our detailed guide to incident response plan templates

Incident Response Plan Examples

When building an incident response plan, it is useful to see examples of real plans created by other organizations which have been fine-tuned over time based on their experience. See the following examples of incident response plans by leading organizations:

  • U.S. Department of Homeland Security – roles and responsibilities, core incident response capabilities, coordinating structures
  • Carnegie Mellon University – definitions of incidents, roles and responsibilities, incident response phases, insider threat guidelines
  • University at Buffalo – incident response contact information, incident classification and impact, reporting and notifications
  • Wright State University – incident response steps, security tools, checklist upon detection of intrusion
  • University of Oklahoma Health Sciences Center – PCI DSS incident response plan including roles and responsibilities, incident response phases, detailed workflow diagram

Best Practices for Building an Incident Response Plan

Create a simple, well-defined process

An incident response plan, even if it is very well thought out, must be simple and crystal clear to be effective. Keep details, procedures and explanations to a minimum, to ensure that staff can very easily follow the plan in the urgency and confusion of a real security incident.

Create a communication strategy

Clarify who needs to be informed of a security breach, which communication channels should be used and what level of detail should be provided. There should be clear guidelines on how to inform operations, senior management, affected parties inside and outside the organization, law enforcement, and the press. This is a commonly overlooked part of the incident response process.

Use an incident response plan template

Don’t reinvent the wheel. Always start your incident response plan from a template created by others in the industry, and adapt it to your specific needs. For example, you can start from this template provided by TechTarget which includes incident scope, planning scenarios, logical sequence of events for incident response, team roles, notification and escalation procedures.

Put your incident response plan to the test

Conduct realistic drills and exercises to see how the incident response plan is carried out in practice, and be ready to adapt the plan according to lessons learned. Test your tools to ensure they are able to detect an attack as early as possible in the kill chain, and ensure the team can identify a threat and contain it before sensitive data leaves your network.

Use a centralized approach

Organizations should not be logging into multiple tools and correlating information between them during the urgency of an attack. Processes and tooling should support a centralized incident response process where an analyst can view all the information about an incident in one place.

Put incident response technology in place

Incident response tools and technology provide you with the means to eradicate discovered malicious presence and activity from your environment, as well as to optimize response workflows by automating repetitive tasks. They can:

  • Provide a complete picture of an attack operation, correlating data from endpoints, user behavior and network communications
  • Enable remote manual response by security analysts, such as blocking users, killing processes, restarting hosts, deleting files or changing passwords.
  • Enable automated response, for example automated quarantine of an endpoint when malware is discovered, or automatically stopping a malicious process that encrypts or deletes large numbers of files.

Cynet 360: an automated incident response system that puts you in control

Cynet 360 is an integrated security platform that can provide all of the above across endpoints, files, users and networks. It gives security teams full context about security incidents, helping them understand what is happening and take effective action, without needing to consult multiple tools.

Cynet also helps you take remote manual action to contain security incidents, including stopping malicious processes, deleting files, resetting passwords and restarting affected devices. It can also perform automatic containment actions such as stopping rapid encryption of files or automatically isolating endpoints infected by malware from the network.

Learn more about Cynet 360.

Cynet’s 24/7 Incident Response Team

Cynet provides an outsourced incident response team that can provide anyone, from small to medium and large organizations, with professional security staff who can execute a fast, effective incident response process.

Our team can deploy the Cynet security platform in a matter of minutes across hundreds to thousands of endpoints. They can then scan, analyze, identify and remediate threats before damage is done. The Cynet incident response team can help with:

  • 24/7 incident response—including identification, containment, eradication and recovery
  • Deep forensic investigations – collecting data to identify the scope of an attack and who is responsible
  • Threat hunting—exploring security data to proactively discover advanced threats
  • Malware analysis—analyzing malware in a sandbox to determine its characteristics and how to remediate it

Contact us for immediate help

For emergency assistance from our security experts, call us at US 1-(347)-474-0048, International +44-203-290-9051, or complete the form below.
