What Should An Incident Response Plan Contain?

Businesses worldwide face a threat landscape that has never been more diverse or more damaging. An organization-wide incident response plan is needed to detect possible IoCs (indicators of compromise) quickly and remediate them effectively. But what is an IR plan? And what should an IR plan contain?

An IR plan is a formalized, step-by-step process that helps security staff detect, respond to, and recover from incidents. It is also an educational and training tool for company-wide awareness, and it helps keep disruption to a minimum during an incident. Despite the word “response”, an IR plan is as much a proactive course of action as it is a remedial one.

If you don’t currently have an IR plan in place, consider rolling it out in stages. This allows smooth integration throughout your organization and lets your CSO adjust the plan to your security needs as each stage is exercised.

Requirements for Establishing an IR Plan

Not every organization or business has the same risk profile when it comes to cyber threats. For effective incident management, your plan needs to be tailored to the particular weaknesses in your own systems and the threats most likely to target them.

A thorough incident response readiness assessment of your organization will need to be carried out by your CSO or a security audit team. Among other things, this will include:

  • Identifying your organization’s most critical assets and network components
  • Identifying potential single points of failure within your infrastructure
  • Establishing a dedicated incident response team
  • Setting up a business continuity plan, including redundancy for communication, network access, and work resources
  • Determining the tools, technologies, funding, and other resources required

Also, check the published guidance from standards bodies. For example, the NIST incident response guidance (NIST SP 800-61, Computer Security Incident Handling Guide) is extremely detailed and covers the entire process.

Step 1: Preparation

Prevention is better than cure. The preparation phase of your IR plan is therefore arguably the most crucial. During this phase, you will work to decrease the chance of a breach occurring and to assess your readiness should an incident occur anyway.

  • Secure funding and resources in the form of money, time devoted to IR training/preparation, etc.
  • Educate employees and stakeholders about personal security etiquette as well as the proper channels to report possible IoCs.
  • Ensure all employees and stakeholders are properly informed regarding their roles and responsibilities during an incident.
  • Disseminate a well-documented IR plan that describes the known vulnerabilities, the threat landscape, standard practices and policies, individual roles, and IR procedures.

Your plan must then be tested to confirm it can actually be carried out. This may include tabletop drills or simulated attacks, such as phishing simulations whose difficulty is rated with the NIST Phish Scale so that training results can be compared over time.

Step 2: Incident Detection

This is the phase where most businesses struggle to implement their IR plan. Breaches often go unnoticed for months, if not years. The shorter the time between the breach and its detection, the less damage an attacker can do and the more options the responders have for mitigating it.

Incident detection usually follows a number of steps:

  • Identify anomalies in system behavior
  • Determine whether each anomaly is a true threat or a false positive
  • Document the threat, including the evidence that led to the verdict
  • Prioritize the incident relative to other concurrent incidents
  • Notify all relevant stakeholders and commence the IR process
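The five detection steps above, carried out over a handful of constructed OpenSSH log lines (an added example, not code from the original article). It assumes the standard sshd syslog format, a 2024 log year (syslog lines carry no year), RFC 5737 test-net addresses, and a hypothetical allowlist of authorised scanner IPs; all of these are assumptions for the example.

```python
"""Detection steps run over constructed sshd log lines (added example, not from the article).
Assumptions: OpenSSH syslog line format, log year 2024, a hypothetical allowlist of
authorised scanners. Addresses are RFC 5737 test nets; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2024  # assumption: syslog lines carry no year
AUTHORISED_SCANNERS = {"198.51.100.50"}  # assumption: the security team's own scanner

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_line(line):
    """Return a dict for auth success/failure lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["raw"] = line
    return ev

def find_bursts(events, threshold=5, window_s=300):
    """Step 1 (anomaly): a source IP with `threshold` failures inside `window_s`.
    Records whether a successful login from the same IP followed the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        burst = None
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                burst = fails[i:]  # the burst and every failure after it
                break
        if burst is None:
            continue
        success = next((e for e in evs if e["result"] == "Accepted"
                        and e["ts"] >= burst[0]["ts"]), None)
        alerts.append({  # Step 3 (document): the record the IR team works from
            "ip": ip, "host": evs[0]["host"],
            "users": sorted({e["user"] for e in burst}),
            "first_seen": burst[0]["ts"].isoformat(),
            "last_seen": (success or burst[-1])["ts"].isoformat(),
            "failures": len(burst),
            "followed_by_success": success["user"] if success else None,
            "evidence": [e["raw"] for e in burst] + ([success["raw"]] if success else []),
        })
    return alerts

def triage(alert):
    """Step 2 (true threat or false positive) and the severity used in step 4."""
    if alert["ip"] in AUTHORISED_SCANNERS:
        alert["status"], alert["severity"] = "false_positive", "info"
    elif alert["followed_by_success"]:  # brute force that ended in a login: likely takeover
        alert["status"], alert["severity"] = "confirmed", "critical"
    else:
        alert["status"], alert["severity"] = "suspected", "high"
    return alert

SEVERITY_RANK = {"critical": 0, "high": 1, "info": 2}

def run_detection(lines):
    """Steps 1-4: parse, detect, triage, then order the IR queue by severity."""
    events = [ev for ev in map(parse_line, lines) if ev]
    alerts = [triage(a) for a in find_bursts(events)]
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a["severity"]], a["first_seen"]))

def notification(alerts):
    """Step 5: the summary paged to the responder; false positives stay documented but unpaged."""
    out = []
    for a in alerts:
        if a["status"] == "false_positive":
            continue
        tail = f", then login as {a['followed_by_success']}" if a["followed_by_success"] else ""
        out.append(f"[{a['severity'].upper()}] {a['host']}: {a['failures']} failed logins "
                   f"from {a['ip']} for {', '.join(a['users'])}{tail}")
    return "\n".join(out)

SAMPLE_LOG = [  # constructed sample input
    "Mar  3 08:12:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar  3 08:12:04 web01 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2",
    "Mar  3 08:12:09 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51128 ssh2",
    "Mar  3 08:12:15 web01 sshd[2237]: Failed password for deploy from 203.0.113.7 port 51131 ssh2",
    "Mar  3 08:12:40 web01 sshd[2241]: Failed password for deploy from 203.0.113.7 port 51139 ssh2",
    "Mar  3 08:12:55 web01 sshd[2243]: Accepted password for deploy from 203.0.113.7 port 51140 ssh2",
    "Mar  3 08:30:00 web01 sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2",
    "Mar  3 09:00:01 web01 sshd[2402]: Failed password for invalid user test from 198.51.100.50 port 33001 ssh2",
    "Mar  3 09:00:02 web01 sshd[2403]: Failed password for invalid user guest from 198.51.100.50 port 33002 ssh2",
    "Mar  3 09:00:03 web01 sshd[2404]: Failed password for invalid user oracle from 198.51.100.50 port 33003 ssh2",
    "Mar  3 09:00:04 web01 sshd[2405]: Failed password for invalid user pi from 198.51.100.50 port 33004 ssh2",
    "Mar  3 09:00:05 web01 sshd[2406]: Failed password for invalid user ubuntu from 198.51.100.50 port 33005 ssh2",
    "Mar  3 09:15:10 web01 sshd[2501]: Failed password for bob from 203.0.113.88 port 60010 ssh2",
    "Mar  3 09:15:30 web01 sshd[2503]: Accepted password for bob from 203.0.113.88 port 60012 ssh2",
    "Mar  3 09:20:00 web01 sshd[2520]: Connection closed by 203.0.113.88 port 60012 [preauth]",
]

if __name__ == "__main__":
    print(notification(run_detection(SAMPLE_LOG)))
```

The scanner burst is kept in the alert list with its evidence even though it is not paged: suppressing a known source should never mean forgetting it, because an attacker who compromises the scanner host inherits the allowlist. The single failed login from 203.0.113.88 stays below the threshold and produces no record at all, which is the trade-off any threshold makes.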

Step 3: Containment

Once a threat has been identified, it cannot always be eliminated immediately; that depends on how far it has spread through the network. In this case, containment should be the first course of action. This usually involves quarantining compromised components and isolating them from healthy assets.

Not only is this a quicker and more reliable way of preventing further harm than attempting immediate removal, but it also preserves the trail of evidence. Isolating a host at the network level, rather than powering it off, keeps volatile evidence such as memory contents and active connections available to investigators. This is important for recovering from the damage as well as for improving your current IR procedures.

Part of this process should be to alert all affected individuals. Resetting credentials and invalidating existing sessions so that users must re-authenticate, switching to failover systems, and exercising increased caution will all help to contain the incident.

Step 4: Eradication

Once an incident has been contained, the IR team can take the time to identify the root cause properly. This process needs to be carried out cautiously, because attacks may use advanced obfuscation techniques. For example, fileless attacks that run only in memory leave few obvious artifacts on disk and can easily slip past commonly used cleanup techniques such as file-based antivirus scans. Conversely, heavy-handed removal can destroy data and evidence.
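One check that does not depend on files on disk, as an added example (not code from the original article): walk the process table and flag processes whose executable no longer exists as a file, runs from anonymous memory, or is disguised as a kernel thread. It assumes a Linux /proc layout; the `ProcRecord` type, the heuristics and the sample process table are constructed for this example.

```python
"""Spot processes with no backing file on disk (added example, not from the article).
Assumes a Linux /proc layout; SAMPLE_PROCS is a constructed snapshot of a compromised host."""
import os
from dataclasses import dataclass

@dataclass
class ProcRecord:
    pid: int
    exe: str      # target of /proc/<pid>/exe ("" when unreadable, e.g. kernel threads)
    cmdline: str  # argv joined by spaces ("" for kernel threads)

WRITABLE_TMP = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/user/")

def suspicious_reasons(rec):
    """Return why a process looks fileless or disguised; an empty list means nothing found."""
    reasons = []
    if not rec.exe:
        # Kernel threads have neither an exe link nor a command line; a process that has a
        # command line but whose exe cannot be read is the only unreadable case worth a look.
        if rec.cmdline:
            reasons.append("exe link unreadable for a process with a command line")
        return reasons
    if "/memfd:" in rec.exe:
        reasons.append("executing from an anonymous memfd (no file on disk)")
    elif rec.exe.endswith(" (deleted)"):  # the kernel appends this when the file is unlinked
        reasons.append("binary was deleted after exec; only the in-memory copy remains")
    if rec.exe.startswith(WRITABLE_TMP):
        reasons.append("binary lives in a world-writable temp location")
    argv0 = rec.cmdline.split(" ", 1)[0]
    if argv0.startswith("[") and argv0.endswith("]"):
        reasons.append("userland process imitating a kernel thread name")
    if any(tok in rec.cmdline for tok in ("base64 -d", "b64decode", "FromBase64String")):
        reasons.append("inline base64-decoded payload in command line")
    return reasons

def scan(records):
    """Map pid -> reasons for every process with at least one finding."""
    hits = {}
    for rec in records:
        reasons = suspicious_reasons(rec)
        if reasons:
            hits[rec.pid] = reasons
    return hits

def snapshot_proc(proc_root="/proc"):
    """Live collector; reading other users' exe links generally requires root."""
    records = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            cmdline = ""
        records.append(ProcRecord(int(name), exe, cmdline))
    return records

SAMPLE_PROCS = [  # constructed snapshot standing in for a compromised host
    ProcRecord(1, "/usr/lib/systemd/systemd", "/sbin/init splash"),
    ProcRecord(2, "", ""),                                      # kthreadd: no exe, no cmdline
    ProcRecord(812, "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D [listener]"),
    ProcRecord(4411, "/memfd:kpatch (deleted)", "./kpatch"),    # loaded straight into memory
    ProcRecord(4920, "/tmp/.x/cache (deleted)", "/tmp/.x/cache -p 4444"),
    ProcRecord(5102, "/usr/bin/python3.11",
               "python3 -c import base64;exec(base64.b64decode('aW1wb3J0IG9z'))"),
    ProcRecord(5210, "/usr/bin/bash", "[kworker/u8:2]"),        # bash pretending to be a kthread
]

if __name__ == "__main__":
    records = snapshot_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reasons in sorted(scan(records).items()):
        print(pid, "; ".join(reasons))
```

Run against the live process table, a hit is a lead, not a verdict: legitimate software is occasionally updated while running (which also yields a "(deleted)" exe link), so each finding should be documented with its evidence and confirmed before the process is killed, since killing it destroys the only copy of an in-memory payload.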

That being said, the attack might still be causing damage while the investigation runs. Compromised assets therefore need to be prioritized according to severity, potential losses and similar factors, so that action is taken in the best interests of the business.

Step 5: Recovery

Once the IR team is confident that an affected component is clean, it can be reintroduced to the system and monitored closely for signs of reinfection. Similarly, employees can be moved back from failover systems to the main business channels. While returning to normal business operations as soon as possible is the ultimate goal, caution should be exercised: a single oversight, such as one foothold left in place, could force you to redo the entire process.

Step 6: Post Mortem – Lessons Learnt

An IR plan should not be set in stone. In fact, the first incidents it is used for will probably expose significant shortcomings. In the ever-changing landscape of threats, malicious cyberattacks, and newly emerging vulnerabilities, not every eventuality can be foreseen.

After an incident, not only the attack vector but also the overall response should be dissected by the IR personnel. A number of questions should be answered, for example:

  • Do adjustments need to be made to the previously identified critical components and single points of failure?
  • Was employee training effective/relevant?
  • Were the correct procedures followed? If not, does the fault lie with the procedures or awareness?
  • How can a similar incident be better prepared for and addressed in the future?

In Conclusion

A comprehensive IR plan will not only allow you to effectively tackle immediate threats but also to continue improving your response to malicious attacks. Now that you know what an IR plan should contain, you can lay the groundwork today for a safer and more profitable future for your organization.
