3 Guideposts for Building a Better Incident-Response Plan | Threatpost

The COVID-19 pandemic has highlighted the pressing need for security organizations to implement a structured, detailed and well-practiced incident-response plan. While the walls of organizations have extended from corporate offices to employee living rooms, security-control effectiveness has attenuated over a workforce of home networks and unmanaged assets.

To add insult to injury, ransomware operators have opportunistically jumped into action to capitalize on this expanded organizational footprint. A concert of increased threat activity and reduced visibility makes it vital for organizations to invest the time in developing an effective incident-response plan to reduce business impact in the event their organization experiences significant compromise.

To that end, let’s discuss the key building blocks to building and testing an effective incident-response plan.

Key Building Blocks for Effective Incident Response

The main goal of an incident-response plan is to minimize business and operational impacts from a security incident, of course. While of critical importance to an overall security program, IR plans extend beyond developing effective security monitoring to keep threats at bay, like increasing security operations center (SOC) automation and alert management, and they assume a post-compromise state to describe how an organization responds holistically when a malicious threat actor is cohabiting a network environment.

Security controls are essential components to a meaningful defense strategy, but are not substitutes for investing in an IR plan to address a significant cyber-event. Overall, the planning process gives organizations the space to assess their program, build relationships with third-party vendors, and establish their response before a potential breach to maximize decision quality instead of settling for decision speed.

1: Assessing Your Program

One of the core elements to building a quality incident-response plan is candor. It requires objectively evaluating time-sensitive use cases that arise from a security incident and determining if your current bench is up to the task. Key questions to ask include:

It’s important to note that being great at incident management doesn’t mean doing it all yourself. Asking the hard questions guides organizations to building the right internal or external relationships, skills and processes to be fully equipped for an unwanted guest.

2: Building Bridges to Partners for Better Outcomes

Evaluating core use cases during a response event will guide the planning process to the next phase; Relationships.

Managed security services and incident-response partners can help bolster gaps identified on your security bench, but incident management extends beyond information security to incorporate legal counsel and even the executive team.

Many organizations struggle with timing when it comes to internal and external communications during an incident. Fostering a collaboration between information security and corporate legal partners will help organizations diminish escalation uncertainty for a higher quality response. Remember, incident-response plans are not just about the bits-and-bytes, but about minimizing overall company risk which includes defining messaging, law-enforcement escalation and abiding by industry disclosure requirements.

It also helps if companies have key contacts for emergencies, an escalation criteria that determines the severity or priority of an incident, a way to track the entire process and at least one conference number that is always available when needed.

3: Testing the Process

If the three “Ls” of real estate are “location, location, location,” the three “Ps” of incident-response plans are “practice, practice, practice.” Incident-response plans require executive sponsorship, legal counsel coordination and information-security response for effective execution.

The best plans are the ones that are regularly tested through tabletop exercises with all stakeholders participating with regular updates based on exercise findings, threat landscape changes, and NIST and MITRE ATT&CK guidelines. The highest-quality decisions around incidents are always made before being in the heat of battle.

The Bottom Line: Be Invested

A good incident-response plan requires all stakeholders to be invested, and to have consistent practice, and will ultimately make it easier for organizations to minimize business impact. High-quality decisions detailed in your response plan lead to reduced incident costs, as the consequent losses of cyberattacks or non-compliance are much higher than investing in the right program, relationships and processes ahead of time.

Grant Oviatt is director of incident-response engagements at Red Canary.

Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.


Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost on Tues., Nov. 16 at 2 p.m. ET for “An Intro to OSquery and CloudQuery,” a LIVE, interactive conversation with Eric Kaiser, Uptycs’ senior security engineer, about how this open-source tool can help tame security across your organization’s entire campus.

Register NOW for the LIVE event and submit questions ahead of time to Threatpost’s Becky Bracken at [email protected].