Phases of an Incident Response Plan

According to the Ponemon Institute's 2018 study, the global average cost of a data breach rose 6.4% over the previous year. The study makes a clear case for having an incident response plan (IRP) [1].

An IRP's main job is to lay out the procedure to follow after a security breach, or any other cyber threat, has occurred. Without one, managing the damage from a breach becomes cumbersome and confusing, which wastes time and money. Rapidly spreading malware, as the WannaCry outbreak showed, can cross international borders in very little time.

Drafting a response plan before anything has happened may seem like a time-consuming exercise. An efficient IRP, however, guides you through the whole incident and lets you reach the right people with the right actions to get the affected system back in service as quickly as possible. An IRP is written around each company's specific requirements and circumstances; in short, no two companies' IRPs are the same.

What Is an Incident Response Plan, in Practical Terms?

An IRP is a set of instructions that provides a structured approach to detecting a cybersecurity breach (usually referred to as a security incident), resolving it, and restoring whatever was damaged. The plan identifies and specifies the roles and responsibilities of the IR team during an attack. The IR team is more commonly known as the Computer Security Incident Response Team (CSIRT). Its job is to counter the breach according to the plan in the least possible time and as efficiently as possible, keeping the damage and the cost of recovery to a minimum.

Such plans are highly useful in dealing with the threats that arise in daily operations, including cybercrime, data loss, and denial of service.

Phases to Build a Robust Incident Response Plan

Although each business follows a different IRP, all IRPs share the same fundamental components because they go through the same six-phase process. Each phase addresses a few specific requirements that must be met to create an effective IR plan for your organization.

Phase I—Preparation

Thorough preparation determines the quality of the IR team's very first response to any cyberattack. This phase is about establishing the right procedures and the right tools before an incident occurs. Its major steps are:

  • identifying the most important assets and protecting them as a priority, and
  • analyzing the data collected from earlier incidents.

To handle incidents, keep a few key tools and resources in your arsenal, and keep more than one of each where a failure would hurt. For instance, your organization should have several distinct communication and coordination mechanisms available so that work continues if one of them fails or is itself compromised.

Major tools, software, and resources needed to stay prepared for an incident

1. Incident handler communications and facilities
  • Contact information system: contact details for everyone involved, from law enforcement to the in-house personnel concerned. This must include phone numbers, email addresses, each individual's encryption key, and instructions for verifying an individual's identity.
  • Issue tracking system: tracks the progress and status of each incident.
  • Encryption software: secures communication among the members of the IR team.
  • Secure storage facility: protects evidence and other sensitive data.

2. Incident analysis hardware and software
  • Digital forensic workstations: fitted with removable hard drives for storing evidence; used by incident handlers to acquire and analyze data.
  • Blank removable media and spare workstations, servers, networking equipment, and laptops: used for purposes ranging from restoring a backup (spare workstations) to analyzing data (laptops).
  • Digital forensic software: analyzes disk images.
  • Accessories for gathering evidence: digital cameras, audio recorders, and anything else that helps preserve evidence for as long as it is needed.

3. Incident analysis resources
  • Documentation with current baselines: document every technical detail, including operating systems, applications, protocols, and intrusion detection and antivirus products. The baseline describes the expected network, system, and application activity.
  • Cryptographic hashes: keeping records of the hashes of critical files speeds up incident analysis, verification, and eradication.
  • Port lists: the commonly used ports and the ports known to be used by Trojan horses.

4. Incident mitigation software
  • Image access: access to images of clean OS and application installations, used for restoration and recovery.
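The "cryptographic hashes" and "current baselines" resources above are easier to see in code. The following is an added example, not code from the original article: it builds a SHA-256 baseline of critical files during Preparation, protects the baseline itself (a baseline an intruder can edit proves nothing), and reports drift when the same scan is run during Identification or after Eradication. The file layout created in demo() is constructed, and only the Python standard library is used.

```python
"""Hash baseline for critical files: build it during Preparation, re-run it
during Identification and after Eradication to confirm nothing unexpected
remains. Added example, not code from the original article; the file layout
created in demo() is constructed and only the standard library is used."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries never sit in memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file below root (POSIX-style relative path) to its SHA-256.
    Symlinks are skipped: otherwise an intruder could point a modified path at a
    clean file and pass the check."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baseline(expected: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between the stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
    }


def save_baseline(baseline: dict[str, str], dest: Path) -> str:
    """Write the baseline as JSON and return the hash of that JSON document.
    Record the returned hash in the secure storage facility (or sign the file):
    a baseline the intruder can edit is worthless."""
    data = json.dumps(baseline, indent=1, sort_keys=True).encode()
    dest.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(src: Path, expected_hash: str) -> dict[str, str]:
    """Refuse a baseline file whose own hash does not match the recorded one."""
    data = src.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_hash:
        raise ValueError("baseline file has been altered; do not trust it")
    return json.loads(data)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a baseline taken on a clean host; afterwards a binary
    is replaced, a config file is deleted and a hidden file is dropped in /tmp."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        clean = {
            "bin/sshd": b"ELF...constructed clean sshd",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        }
        for rel, content in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        store = Path(tmp) / "baseline.json"  # in practice: off-host or write-once media
        baseline_hash = save_baseline(build_baseline(root), store)

        # The intrusion: trojaned sshd, hosts file removed, dropper left behind.
        (root / "bin/sshd").write_bytes(b"ELF...constructed backdoored sshd")
        (root / "etc/hosts").unlink()
        (root / "tmp").mkdir()
        (root / "tmp/.x").write_bytes(b"#!/bin/sh\n# constructed dropper marker\n")

        expected = load_baseline(store, baseline_hash)
        return compare_baseline(expected, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the drift report for the constructed host: bin/sshd modified, tmp/.x added, etc/hosts removed. The same compare step is what tells you after Eradication whether the rebuild actually returned the host to its known-good state.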

Next, create security policies for the required domains, which can range from general information security, network security, server security, and application security to several others. Once the policy standards are defined, build a strategy for handling incidents: how incidents are prioritized, who holds which roles and responsibilities, how incidents are remediated, which tools are used for the different kinds of response, how incidents are documented, and how internal and external communications are handled.

The last step of this phase is to fine-tune your IR team with simulation exercises. Regular exercises with varied scenarios keep the team aware of the full breadth of its roles and responsibilities.

Note: Keep audit logging enabled on all servers and network components; the incident handling resources you have deployed in advance are only as good as the records they can draw on.

A secondary aspect of this phase is preventing incidents by securing your systems, networks, and applications. An IR plan should help keep the number of incidents low; that is what makes an IRP successful. Although these responsibilities usually do not fall to the incident response team, this step fills important security gaps. The most recommended practices for preventing incidents are network security, host security, malware prevention, and risk assessment. Training users and making them aware of the policies and procedures for the appropriate use of networks and systems also counts as incident prevention.

Phase II—Identification

The second phase starts with identifying that an actual incident is taking place. Begin by asking: is this unusual behavior? Once you have determined the type of incident, look at the affected areas of the network or system for suspicious activity, unexpected new files, unusual login attempts, unanticipated user logins or user accounts, and so on. Assess the situation thoroughly, because it simplifies the later stages. A few basic questions guide the assessment:

  • When did the attack happen?
  • Which areas are affected?
  • What is the scope of the event?
  • What is its effect on the usual functionalities?
  • What is the source of the incident?

Detailed documentation of your assessment not only helps resolve the current situation but also serves as a reference for the future. After assessing the situation, determine the type of incident you are facing. An incident usually falls into one of six classifications:

  1. Unauthorized access
  2. Denial of service
  3. Malicious code
  4. Improper usage
  5. Scans/Probes/Attempted access
  6. Investigation

Accurate identification makes the whole process easier, yet for many organizations it turns out to be the most challenging part, for three major reasons:

  • Incidents are detected through different means with different levels of detail. Automated detection relies on capabilities such as network- and host-based IDPSs, antivirus software, and log analyzers. Manual detection relies mainly on users reporting problems, so whether an incident is noticed at all is far less predictable.
  • The volume of potential signs of incidents is high. A large organization, for example, receives thousands or even millions of intrusion detection sensor alerts every day.
  • Accurate and efficient analysis of incident-related data requires specialized technical knowledge and extensive experience.

The signs of an incident are either precursors or indicators. A precursor is a sign that an incident may occur in the future; an indicator is a sign that an incident may have occurred or may be occurring now.

Common sources of precursors and indicators are IDPSs, antivirus and antispam software, file integrity checking software, third-party monitoring services, operating system and service/application logs, network device logs, information on new vulnerabilities and exploits, and people inside and outside the organization.
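Operating system logs are the most common source of the indicators this phase looks for: unusual login attempts and logins by accounts nobody provisioned. The following is an added example, not code from the original article, that turns raw sshd authentication lines into indicator records. The log lines are constructed in OpenSSH syslog format; the failure threshold, the ten-minute window, the approved-user set, the business-hours range and the log year are assumptions to tune for each environment.

```python
"""Turn raw authentication log lines into incident indicators. Added example,
not code from the original article. The log lines are constructed in OpenSSH
syslog format; the thresholds, the approved-user set, the business-hours window
and the log year are assumptions to tune per site."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password-guessing run against web01 that finally
# succeeds, followed by a login as an account that was never provisioned.
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[2131]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:03 web01 sshd[2131]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 02:14:05 web01 sshd[2133]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 02:14:07 web01 sshd[2134]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  3 02:14:09 web01 sshd[2135]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 02:14:12 web01 sshd[2136]: Accepted password for root from 203.0.113.7 port 51239 ssh2
Mar  3 02:20:44 web01 sshd[2140]: Accepted publickey for svc_backup from 198.51.100.9 port 40022 ssh2
Mar  3 09:05:10 web01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 33000 ssh2
Mar  3 13:41:58 web01 sshd[2210]: Failed password for alice from 10.0.0.5 port 33010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

APPROVED_USERS = {"alice", "bob", "deploy"}     # assumption: accounts that were provisioned
BUSINESS_HOURS = range(8, 19)                    # assumption: 08:00 to 18:59 in log-local time
BRUTE_FORCE_THRESHOLD = 5                        # failures from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)       # ... within this window
LOG_YEAR = 2024                                  # assumption: syslog lines carry no year


def parse_line(line: str) -> dict | None:
    """Return a structured event for an sshd authentication line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "src": m["src"]}


def find_indicators(log_text: str) -> list[dict]:
    """Scan events in time order and emit one record per indicator found."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    indicators: list[dict] = []
    failures: dict[str, list[datetime]] = defaultdict(list)  # src -> recent failure times
    reported = set()                                          # sources already flagged
    for e in events:
        recent = failures[e["src"]]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            while e["ts"] - recent[0] > BRUTE_FORCE_WINDOW:   # slide the window forward
                recent.pop(0)
            if len(recent) >= BRUTE_FORCE_THRESHOLD and e["src"] not in reported:
                reported.add(e["src"])
                indicators.append({"type": "brute_force", "src": e["src"], "user": e["user"],
                                   "ts": e["ts"], "count": len(recent)})
            continue
        # A successful login: these are the "unusual login" questions from the text.
        if recent:   # success from a source that was just guessing passwords
            indicators.append({"type": "success_after_failures", "src": e["src"],
                               "user": e["user"], "ts": e["ts"], "count": len(recent)})
        if e["user"] not in APPROVED_USERS:
            indicators.append({"type": "unknown_account", "src": e["src"], "user": e["user"], "ts": e["ts"]})
        if e["ts"].hour not in BUSINESS_HOURS:
            indicators.append({"type": "off_hours_login", "src": e["src"], "user": e["user"], "ts": e["ts"]})
    return indicators


def triage_summary(indicators: list[dict]) -> list[str]:
    """One line per indicator, in time order, ready to paste into the incident ticket."""
    return [f"{i['ts']:%Y-%m-%d %H:%M:%S} {i['type']:<24} user={i['user']} src={i['src']}"
            for i in sorted(indicators, key=lambda i: i["ts"])]


if __name__ == "__main__":
    for line in triage_summary(find_indicators(SAMPLE_LOG)):
        print(line)
```

On the constructed sample the scan reports the brute-force burst from 203.0.113.7, the root login that followed it, and two logins (root and svc_backup) by accounts outside the approved set at 02:14 and 02:20. The single failed login by alice at 13:41 produces nothing, which is the point of the window and threshold: one typo is not an indicator, five failures in ten minutes followed by a success is. Tuning the approved-user list is what separates a legitimate nightly service account from an unanticipated one.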

Phase III—Containment

Having gathered the necessary information about the incident, the IR team should now concentrate on containing the threat to prevent further damage. The first step of this phase is to isolate the affected machine from the network and to preserve a copy of its data, ideally a forensic image taken before anything on the machine is changed.

After this, apply a temporary fix to ensure that the incident cannot escalate any further. The primary goal of this phase is to minimize the scope and magnitude of the incident. Gauge the functional status of the affected system or network and choose one of the following options:

Option 1—Disconnect the affected entity and let it continue operating standalone

Option 2—Shut the whole system down immediately

Option 3—Let the system operate as usual and keep monitoring its activity

Each of these is a feasible way to contain the issue at hand; which one fits depends on how critical the system is, how much evidence you need to preserve, and how much further damage the attacker could do while you watch.

Once an effective containment strategy is in place, turn to evidence gathering and handling, which does not come into play for every incident; in many organizations, for instance, most malware incidents do not warrant formal evidence gathering. The benefits of gathering evidence are not limited to resolving the incident: it may also be needed in legal proceedings. Keep a detailed document describing the procedures for preserving all pieces of evidence, including affected systems. Every transfer of evidence from one party to another must be recorded so that the chain of custody can be demonstrated later. The evidence log should contain:

  • Evidence identifying information: serial number, model number, hostname, MAC and IP addresses, and location
  • Evidence holder's information: name, title, and phone number
  • Location, time, and date (with time zone) for each occurrence of evidence handling
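The three fields above only prove who held the evidence and when; to prove that the evidence itself was not altered between handoffs, each entry also needs the hash of the item as observed at that moment. The following is an added example, not code from the original article, of a chain-of-custody log built that way: the receiving party re-hashes before accepting, and a mismatch is recorded and refused. The disk image, people, phone numbers, locations and identifying details are all constructed.

```python
"""Chain-of-custody log in which every handoff is bound to the evidence hash.
Added example, not code from the original article. The evidence image, the
people, the locations and the identifying details below are constructed."""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


class CustodyError(Exception):
    """Raised when the evidence presented at a handoff no longer matches its record."""


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 (disk images do not fit in memory)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """One log per evidence item. Entries are append-only and each carries the hash
    observed at that moment, so any later party can show nothing changed in between."""

    def __init__(self, item: dict):
        self.item = item            # serial/model numbers, hostname, MAC, IP, location
        self.reference_hash: str | None = None
        self.entries: list[dict] = []

    def _record(self, action: str, path: Path, holder: dict, location: str,
                observed_hash: str, when: datetime | None = None) -> None:
        self.entries.append({
            "action": action,
            "file": path.name,
            "sha256": observed_hash,
            "holder": holder,       # name, title, phone number
            "location": location,
            # Timezone-aware timestamp, so the record is unambiguous across sites.
            "time": (when or datetime.now(timezone.utc)).isoformat(),
        })

    def acquire(self, path: Path, holder: dict, location: str, when: datetime | None = None) -> str:
        """First entry: fixes the reference hash that every later handoff must reproduce."""
        self.reference_hash = sha256_file(path)
        self._record("acquired", path, holder, location, self.reference_hash, when)
        return self.reference_hash

    def transfer(self, path: Path, receiver: dict, location: str, when: datetime | None = None) -> None:
        """The receiving party re-hashes before accepting. A mismatch is recorded
        (the failed attempt is itself evidence) and the handoff is refused."""
        observed = sha256_file(path)
        if observed != self.reference_hash:
            self._record("transfer_refused", path, receiver, location, observed, when)
            raise CustodyError(f"hash mismatch for {path.name}: expected {self.reference_hash}, got {observed}")
        self._record("transferred", path, receiver, location, observed, when)

    def intact(self) -> bool:
        """True when every accepted entry carries the reference hash."""
        return all(e["sha256"] == self.reference_hash
                   for e in self.entries if e["action"] != "transfer_refused")

    def to_json(self) -> str:
        return json.dumps({"item": self.item, "entries": self.entries}, indent=2)


def demo() -> tuple[CustodyLog, bool]:
    """Constructed scenario: a disk image is acquired, handed to forensics, and then
    altered; the next handoff must be refused. Returns the log and whether it was."""
    handler = {"name": "R. Singh", "title": "Incident handler", "phone": "+1-555-0100"}
    analyst = {"name": "M. Okafor", "title": "Forensic analyst", "phone": "+1-555-0101"}
    counsel = {"name": "J. Lee", "title": "Legal counsel", "phone": "+1-555-0102"}
    item = {"serial": "SN-7781", "model": "Generic 1TB SSD", "hostname": "web01",
            "mac": "00:11:22:33:44:55", "ip": "10.0.0.21", "location": "Rack B4, DC-1"}
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "web01-disk.img"
        image.write_bytes(b"\x00" * 4096 + b"constructed disk image")
        log = CustodyLog(item)
        log.acquire(image, handler, "DC-1 evidence locker",
                    datetime(2024, 3, 3, 3, 10, tzinfo=timezone.utc))
        log.transfer(image, analyst, "Forensics lab",
                     datetime(2024, 3, 3, 9, 0, tzinfo=timezone.utc))
        image.write_bytes(b"\x00" * 4096 + b"constructed disk image, altered")  # tampering
        refused = False
        try:
            log.transfer(image, counsel, "Legal department",
                         datetime(2024, 3, 4, 14, 30, tzinfo=timezone.utc))
        except CustodyError:
            refused = True
        return log, refused


if __name__ == "__main__":
    log, refused = demo()
    print(log.to_json())
    print("handoff refused:", refused, "| accepted chain intact:", log.intact())
```

The log itself must live somewhere the evidence handlers cannot quietly rewrite (the secure storage facility from the Preparation phase, or a signed append-only store); the hash in each entry proves the item, not the log.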

Phase IV—Eradication

In this fourth phase, the IR team works toward a permanent solution, including a process for restoring all the affected entities.

Eradication is the process of removing the threat from the affected network or system. It should begin only once containment is complete and the evidence you need has been preserved. Its two important aspects are:

  1. Cleanup: running anti-malware and antivirus scans, removing malicious or compromised software, rebuilding or replacing the operating system and hardware (depending on the scope of the incident), rebuilding the network where necessary, and closing the weakness the attacker used to get in so that the same incident does not recur.
  2. Notification: notifying all the personnel involved, according to the reporting chain.

It is advisable to create playbooks for the common incident types so that the IR team can take a consistent approach to each of them.

Phase V—Recovery

At this stage, the compromised system or network is brought back into production. This phase covers everything from data recovery to any remaining restoration work, in two steps:

  1. Service restoration, as per the corporate contingency plans
  2. System/network validation: testing and verifying that the system or network is in a functional state

This phase ensures that the affected entity is recertified as both secure and functional.

Phase VI—Lessons Learned

After the investigation is complete, keep detailed documentation of the whole incident. This last stage keeps your organization prepared for future attacks and lets you gain value from incidents. The IR team should hold a review meeting after each incident has been handled. In this "lessons learned" meeting, pay close attention to the improvements needed in existing security controls and practices, and to the weaknesses and deficiencies the incident exposed in policies and procedures. Holding such meetings regularly can actually reduce the number of incidents. Based on the meeting's conclusions, update the IR plan; this is how the IR team evolves to reflect new threats and improved technology. The resulting document can also be used to train new members of the team. As the final step of this phase, write a follow-up report after each incident for future use.

Another advisable practice is for the IR team to send an awareness message to top management and to all staff describing what happened and what lessons the IR team learned. The message can go to end users as well if the incident affected them.

Other Crucial Elements to Keep in Mind

To ensure that your IRP stays up to date and effective, it is important to follow best practices. The following elements will help you do so.

1. Consistent Testing

An effective IRP should be tested before you have to activate it for real. Working proactively on the plan lets you find its loopholes, and you can improve it according to your findings.

For this, arrange realistic simulation exercises on a regular basis.

2. Flexibility with Attention to Detail

Keep the IR plan flexible enough that the same plan can be applied to different types of cyberattacks. At the same time, its level of detail is what lets you organize the whole process and recover systematically in the least time possible.

Do You Want a Detailed Understanding of the Incident Response Plan?

EC-Council offers the Certified Incident Handler (E|CIH) program, designed in collaboration with experienced cybersecurity professionals and, in particular, incident handling and response experts from around the globe. It was developed after a rigorous industry-wide job task analysis (JTA). The comprehensive JTA covers the combinations of tasks, knowledge, skills, and abilities that the role demands, which makes E|CIH holders well placed for better opportunities.

The program covers all the phases in detail, including the financial and reputational impact on the organization. It provides hands-on lab experience with 50 labs and 800 tools on 4 major platforms, exposing you to a wide range of security incidents.

The program is mapped to the NICE and CREST frameworks, which gives the E|CIH credential recognized professional standing in a competitive market.


  1. Ponemon Institute, 2018 Cost of a Data Breach Study (sponsored by IBM Security), https://www.ibm.com/security/data-breach
Editor's Note:
Reviewed by Don Cox, Chief Information Security Officer at MEDNAX and Abbas Kudrati, Chief Cyber Security Officer at Microsoft