What is an Incident Response Plan Getting Started | Palo Alto Networks


What Is an Incident Response Plan (IRP)?

A cybersecurity incident is a violation or attempted violation of the security of an information system or the principles of data confidentiality. In other words, it is an event that compromises the confidentiality, integrity, or availability of systems or data. In the event of a cybersecurity incident, including cyberattacks, data leaks, and system failures, it is essential to have a plan in place to respond quickly and effectively. An IRP is a document outlining the critical processes, roles, responsibilities, and escalation steps to limit a security incident's scope and impact. 

Security incidents result in financial, productivity, reputational, and business impacts. 

A strong IRP is tailored to the organization’s risk assessment, security operations, and recovery processes, and is distributed and communicated to the personnel who are responsible for conducting the activities defined in the document.

Why Is Having an Incident Response Plan Important? 

Due to an ever-expanding universe of threats, increased cloud presence and asset sprawl, organizations are increasingly at risk of experiencing a situation that requires the activation of incident response and recovery processes. Zero-day vulnerabilities have increased year over year; cyberthreats are becoming more sophisticated; and complex cloud platforms have evolved to give rise to new challenges, such as the proliferation of threat intelligence, increased attack surface, network and data exposures, and insecure configurations.

Thankfully, more and more companies are realizing how a cybersecurity incident response plan helps them act on threat and breach detections and mobilize a rapid response. Having an IRP in place ensures that the whole organization is aligned on how to respond to and recover from cyberattacks. It identifies an incident response leader or commander to direct response activities, ensures that all important topics are addressed, and allows process owners to rapidly identify appropriate courses of action. With a proper plan and an assigned incident response team, staff know who makes decisions and how to prioritize their actions.

An IRP may be required to achieve compliance with specific security frameworks, such as the National Institute of Standards and Technology Special Publication 800-53 Rev. 5 (NIST SP 800-53 Rev. 5), NIST Cybersecurity Framework (NIST CSF), NIST 800-61 Rev. 2, or the Center for Internet Security 18 Critical Security Controls (CIS 18 CSCs).

An IRP may also be recommended to specify procedures for achieving data breach notification requirements, a process that – depending on the reporting organization and the data exposed – may be required pursuant to federal, state, and regional law. Additionally, an incident response plan may be required for cyber liability insurance, particularly when the organization collects, processes, stores, maintains, or transfers sensitive data.

Finally, an IRP may be required to meet business objectives for the restoration of normal business operations and to safeguard an organization’s financial, operational, and reputational interests during an attack. A rapid and effective response, as well as supporting playbooks for specific scenarios, can lower costs, minimize disruption and damage, mitigate harm to an organization’s reputation, and restore normal operations as quickly as possible after a security incident, malware attack or data breach.

Organizational stakeholders, such as boards of directors (BoDs), executives, managers, shareholders, partners, vendors and consumers may expect an organization to have, at minimum, a documented IRP and, at maximum, an IRP meeting all relevant security and privacy guidelines on which the organization is routinely trained and tested.

How Does an Incident Response Plan Help Improve Security? 

In the event of a cyber incident or data breach, time is of the essence. The sooner you can contain the damage and identify the cause, the better. That's where an incident response plan comes in. By having a clear and well-documented plan for how to handle an information security incident, you can help ensure that your team is prepared to take quick and effective action.

When devised and implemented properly, a cybersecurity incident response plan can also provide structure to preventing future attacks by identifying weaknesses and gathering valuable threat intelligence. Through the Lessons Learned stage of incident response planning, organizations complete sessions dedicated to listening to and addressing feedback and initiating positive changes to the overall plan framework and execution. 

How to Get Started: What Should an Incident Response Plan Include? 

Being prepared for a security incident is half the battle. Having an IRP will help ensure that you can respond quickly and effectively if an incident does occur. An incident response plan should lay out clear instructions for actions to take in case of a cyber incident. It should be in alignment with the NIST Incident Response Lifecycle, and include a clear and concise description of the appropriate incident response steps, given the incident type and severity. Here are the key components of an incident response plan: 

  1. Define the purpose and scope of your incident response plan. Identify the goal of the plan, which personnel and organizational systems are addressed by the plan, and the objectives you are hoping to achieve. Addressing these items will help you create a plan that is tailored to your organization's specific cybersecurity needs. 

  2. Identify document review and maintenance requirements. Define the document review and maintenance process for the IRP by indicating the roles that are specifically responsible for maintaining and approving the document as well as the frequency that this process is performed. (Note: It is recommended that the IRP is reviewed, updated and approved annually at a minimum, whenever there are significant changes to the environment, or after a simulated or actual execution of the IRP). Also, specify that lessons learned from simulated or actual exercises of the IRP are evaluated and assessed to suggest improvements to the document after each exercise.

  3. Identify cybersecurity incident response team (CSIRT) members. The CSIRT is composed of the core incident response team members who will respond to security threats. Include a list of roles and responsibilities, along with the contact information for those fulfilling those roles and responsibilities, in the body or appendix of the document. Designate who will be the incident response lead (IRL) and who will form the core response team. This core incident response team should include individuals from different departments routinely dealing with cybersecurity matters, such as security operations, security management, legal, and privacy. Additionally, the organization should identify an extension team that is brought in when necessary, such as teams for human resources, marketing, physical security, law enforcement liaisons, and any other teams that are necessary to respond to the incident.

  4. Pinpoint when the plan will be activated, ideally using risk classification. In alignment with enterprise risk management processes, the organization should document a risk classification matrix based on both the severity and urgency of a security incident and identify the risk classification levels at which the IRP must be activated. Additionally, the organization can identify specific types of incidents that indicate immediately that the IRP must be activated (such as ransomware, malware, denial of service, customer data breach, critical insider threat, etc.).

  5. Outline and describe the incident response process. To ensure the IRP is in an easily consumable format, develop a diagrammed workflow for the incident response process that includes preparation (how the IRP and teams are prepared and trained for an incident), incident handling systems (such as event investigation and incident ticketing systems), detection and analysis (how an event is identified and evaluated for escalation to an incident), containment, mitigation and eradication (how the impact of the incident is remediated and mitigated in the environment), recovery (how the organization will take steps to restore normal business operations, typically a reference to a Disaster Recovery Plan (DRP) or system runbooks), deactivation of the IRP, and post-incident activity (how the organization will document historical events, identify the root cause of incidents, learn from them and incorporate lessons learned). Procedures should be identified in the IRP for each of these process areas in the overall workflow.

  6. Define a communications plan. Define a communications plan in either the body or the appendix of the document. This plan is often provided in table format and should define the tools that will be used in an incident (such as a conference bridge, email, or messaging service), how team members should communicate with each other during an incident, specific communications that should be sent, the frequency with which they are sent, any time parameters under which they must be sent, the format in which they are sent, the owner/sender, and the audience/recipients. It is extremely important that expected IRL communications are outlined here so that the organization can achieve coordinated outcomes during uncertain and stressful situations.

  7. Establish IRP training and testing. Document the requirements for training personnel in the IRP and performing tabletop exercises or full simulations. It is recommended that personnel are trained and tested on the IRP annually at a minimum.

  8. Establish performance measuring and metrics. Define how the performance of the IRP is measured and the metrics used to measure performance. These may include standard metrics for detection and response, such as mean time to acknowledge (MTTA), mean time to detect (MTTD), mean time to contain (MTTC), mean time to recovery (MTTR), mean time between failures (MTBF), system availability, and service-level agreement (SLA) compliance. These may also include process metrics, such as the number of times the IRP is updated or tested annually.

  9. Define compliance and non-compliance. Identify how the organization will assess compliance with the IRP and what actions (if any, such as disciplinary action) shall be taken for non-compliance or certain types of non-compliance.
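As an added illustration of items 4 and 8 above (this is not code from the article or from Palo Alto Networks), the Python below applies a constructed severity-by-urgency risk matrix and an immediate-activation list to decide whether the IRP is activated, then computes MTTD, MTTA, MTTC, MTTR and an SLA compliance share from constructed incident timelines. The matrix values, activation threshold, SLA window and timestamps are assumptions made for the example.

```python
from datetime import datetime
from statistics import mean
# Constructed risk classification matrix: severity x urgency -> level 1 (low) to 4 (critical).
# Matrix values, activation threshold and SLA are assumptions, not figures from the article.
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}
URGENCY = {"low": 0, "medium": 1, "high": 2}
MATRIX = [[1, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]  # rows: severity, columns: urgency
ACTIVATION_LEVEL = 3        # activate the IRP at level 3 or above
IMMEDIATE_ACTIVATION = {"ransomware", "malware", "denial of service",
                        "customer data breach", "critical insider threat"}
CONTAIN_SLA_HOURS = 8.0     # containment expected within 8 hours of detection

def classify(severity, urgency):
    return MATRIX[SEVERITY[severity]][URGENCY[urgency]]

def activates_irp(incident):
    """Listed incident types activate the IRP outright; otherwise the matrix level decides."""
    if incident["type"] in IMMEDIATE_ACTIVATION:
        return True
    return classify(incident["severity"], incident["urgency"]) >= ACTIVATION_LEVEL

def _hours(timeline, start, end):
    t0, t1 = (datetime.fromisoformat(timeline[k]) for k in (start, end))
    return (t1 - t0).total_seconds() / 3600

def ir_metrics(incidents):
    """Mean-time metrics in hours over the incidents that activated the IRP.
    MTTD occurred->detected, MTTA detected->acknowledged, MTTC detected->contained,
    MTTR detected->recovered; contain_sla_pct is the share contained within the SLA."""
    active = [i["t"] for i in incidents if activates_irp(i)]
    spans = {"MTTD": ("occurred", "detected"), "MTTA": ("detected", "acknowledged"),
             "MTTC": ("detected", "contained"), "MTTR": ("detected", "recovered")}
    out = {name: mean(_hours(t, a, b) for t in active) for name, (a, b) in spans.items()}
    out["activated"] = len(active)
    out["contain_sla_pct"] = 100.0 * sum(
        _hours(t, "detected", "contained") <= CONTAIN_SLA_HOURS for t in active) / len(active)
    return out

def _incident(type_, severity, urgency, *stamps):
    keys = ("occurred", "detected", "acknowledged", "contained", "recovered")
    return {"type": type_, "severity": severity, "urgency": urgency, "t": dict(zip(keys, stamps))}

INCIDENTS = [  # constructed sample records, not real incident data
    _incident("phishing", "medium", "low", "2024-03-01T08:00", "2024-03-01T10:00",
              "2024-03-01T10:30", "2024-03-01T14:00", "2024-03-02T08:00"),
    _incident("ransomware", "critical", "high", "2024-03-05T02:00", "2024-03-05T03:00",
              "2024-03-05T03:15", "2024-03-05T09:00", "2024-03-07T03:00"),
    _incident("misconfiguration", "high", "high", "2024-03-10T12:00", "2024-03-10T15:00",
              "2024-03-10T15:45", "2024-03-11T01:00", "2024-03-11T15:00"),
]
```

Calling `ir_metrics(INCIDENTS)` reports that two of the three records activated the IRP and that only half were contained inside the SLA window, the kind of figure item 8 suggests tracking.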

Note that IR planning is not a one-and-done process. The plan needs to be reviewed regularly to ensure it stands up to evolving cybersecurity threats.


Unit 42®: Minimize the Damage of a Cyber Incident

When a cyber incident happens, you need to ensure everyone knows their role and is prepared to take the right action to minimize the impact and initiate containment and remediation efforts. Our Unit 42 cybersecurity incident response experts utilize a proven methodology, industry best practices, effective workflows, and knowledge from the frontlines to help you develop or improve your IR plan.

Additionally, with a Unit 42 retainer in place, our experts become an extension of your team on speed dial, anytime you need assistance. And if you don’t use all of your retainer hours on IR, you can use them toward any other Unit 42 cyber risk management services to help proactively improve your security posture.