Every organization needs an incident response (IR) plan that covers preparation, identifying the start of an incident, recovering from it, restoring normal operations, and supporting sound security policy.

Any cybersecurity incident confronts the security team with uncertainty and chaotic activity. In such a high-pressure environment the risk of not following proper incident response procedures is high, and limiting the damage becomes elusive. It is essential that CISOs institute a thorough incident response plan that enables clear thinking and pre-planned steps that limit the loss and prevent business impact.

What makes up a sound IR plan? There are several steps in putting together an actionable IR plan; at a high level, preparation, detection, investigation, containment, eradication, recovery, and monitoring are the critical fundamentals of the program.

NIST SP 800-61 Incident Response Life Cycle

Getting Prepared

CISOs should always prepare for the worst and understand what it will take to handle any incident. One of the most important elements is having a robust security program in place with executive management commitment. The IR policy should contain at a minimum these essential elements:
  • Purpose and Objective
  • Scope
  • Organizational Structure
  • Incident Prioritization Based on Severity
  • Performance Metrics
  • Reporting and Communications
Also ensure that an up-to-date corporate disaster recovery plan and a functioning security risk assessment process are in place. Training is vitally important and goes a long way toward proper preparation: IR team training should cover OS support, tool usage, specialized investigative techniques, and environment-specific procedures. Pre-deployment of IR assets ensures specific tools are in place before a breach occurs, including sensors and probes that monitor critical servers, network components, and applications.

Detection and Identification

The next step in IR is detecting and identifying the actual incident. One of the first questions to answer is whether the event is merely unusual or something more. Once that has been established, a detailed analysis of the affected systems is necessary. Indicators include suspicious attempts to gain access to a system or network, excessive login attempts, unexplained new user accounts, unexpected new files, modifications or deletions, etc.

Once an incident is detected, it is classified and evaluated under one of six categories (the categories US-CERT used for federal incident reporting):

  • Unauthorized Access
  • Denial of Service
  • Malicious Code
  • Improper Usage
  • Attempted Access, Scans/Probes
  • Investigation Incident
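
The detection indicators above (excessive login attempts, unexplained new accounts) and the category list can be turned into a small first-pass triage script. The example below is added here and is not code from the article: it parses constructed sshd and useradd log lines, flags a burst of failed logins as "Attempted Access, Scans/Probes", escalates it to "Unauthorized Access" when the same source then logs in successfully, links a new account created shortly afterwards to that compromise, and files an unexplained new account as an "Investigation Incident" for a human to look at. The host names, IP addresses, thresholds and the mapping of findings onto the six categories are assumptions chosen for illustration.

```python
"""Detection and classification over constructed auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (syslog-style sshd/useradd messages), assumed to be in time order.
SAMPLE_LOG = """\
Mar 03 02:14:01 web01 sshd[4102]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 03 02:14:03 web01 sshd[4102]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 03 02:14:05 web01 sshd[4102]: Failed password for admin from 203.0.113.7 port 51126 ssh2
Mar 03 02:14:07 web01 sshd[4102]: Failed password for admin from 203.0.113.7 port 51128 ssh2
Mar 03 02:14:09 web01 sshd[4102]: Failed password for oracle from 203.0.113.7 port 51130 ssh2
Mar 03 02:14:11 web01 sshd[4102]: Failed password for oracle from 203.0.113.7 port 51132 ssh2
Mar 03 02:14:20 web01 sshd[4102]: Accepted password for admin from 203.0.113.7 port 51140 ssh2
Mar 03 02:15:02 web01 useradd[4190]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
Mar 03 02:16:40 web01 sshd[4201]: Failed password for jsmith from 198.51.100.22 port 40001 ssh2
Mar 03 02:16:55 web01 sshd[4201]: Accepted password for jsmith from 198.51.100.22 port 40002 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

FAIL_THRESHOLD = 5        # assumption: this many failures from one source ...
FAIL_WINDOW_S = 60        # ... inside this window is a probe worth a finding
FOLLOW_ON_WINDOW_S = 600  # assumption: a new account this soon after a compromise is linked to it


def parse(text):
    """Raw lines -> event dicts; lines in another format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                           "host": m["host"], "proc": m["proc"], "msg": m["msg"], "raw": line})
    return events


def _finding(category, host, source, evs, detail):
    return {"category": category, "host": host, "source": source,
            "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
            "detail": detail, "evidence": [e["raw"] for e in evs]}


def _extend(finding, ev):
    finding["evidence"].append(ev["raw"])
    finding["last_seen"] = ev["ts"]


def analyze(events):
    findings, open_probe = [], {}   # open_probe: source IP -> index into findings
    recent = defaultdict(list)      # source IP -> failures inside FAIL_WINDOW_S
    for ev in events:
        if m := FAILED_RE.search(ev["msg"]):
            src = m["src"]
            recent[src] = [e for e in recent[src] if (ev["ts"] - e["ts"]).total_seconds() <= FAIL_WINDOW_S]
            recent[src].append(ev)
            if src in open_probe:
                _extend(findings[open_probe[src]], ev)
            elif len(recent[src]) >= FAIL_THRESHOLD:
                users = sorted({FAILED_RE.search(e["msg"])["user"] for e in recent[src]})
                findings.append(_finding("Attempted Access, Scans/Probes", ev["host"], src, recent[src],
                                         f"{len(recent[src])} failed logins in {FAIL_WINDOW_S}s, users tried {users}"))
                open_probe[src] = len(findings) - 1
        elif m := ACCEPTED_RE.search(ev["msg"]):
            if m["src"] in open_probe:   # brute force that ended in a successful login
                f = findings[open_probe[m["src"]]]
                f["category"] = "Unauthorized Access"
                f["detail"] += f"; then successful login as {m['user']}"
                _extend(f, ev)
        elif m := USERADD_RE.search(ev["msg"]):
            linked = [f for f in findings if f["category"] == "Unauthorized Access"
                      and 0 <= (ev["ts"] - f["last_seen"]).total_seconds() <= FOLLOW_ON_WINDOW_S]
            if linked:
                gap = int((ev["ts"] - linked[-1]["last_seen"]).total_seconds())
                findings.append(_finding("Unauthorized Access", ev["host"], linked[-1]["source"], [ev],
                                         f"new account {m['user']} created {gap}s after unauthorized access from {linked[-1]['source']}"))
            else:   # unexplained account: needs a human, not yet a classified incident
                findings.append(_finding("Investigation Incident", ev["host"], "local", [ev],
                                         f"new account {m['user']} with no linked intrusion; check change records"))
    return findings


def report(findings):
    """One documentation line per finding: what, where, when, and how much evidence backs it."""
    return [f"[{i}] {f['category']} on {f['host']} from {f['source']} "
            f"{f['first_seen']:%H:%M:%S}-{f['last_seen']:%H:%M:%S}: {f['detail']} ({len(f['evidence'])} log lines)"
            for i, f in enumerate(findings, 1)]


def run(text=SAMPLE_LOG):
    return analyze(parse(text))


if __name__ == "__main__":
    print("\n".join(report(run())))
```

On the sample the single failed login by jsmith followed by success produces nothing, the burst from 203.0.113.7 produces one finding that is escalated when the login succeeds, and the account created 42 seconds later is attached to it. In practice the thresholds belong in a detection rule set rather than in the script, and the evidence lines kept with each finding are what the investigation stage below starts from.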

Investigation

Determining what happened to a system, network or computer requires a systematic review of the following evidence:
  • Network and device logs
  • System logs
  • Application logs
  • All other supporting data
  • Bit-stream copies of the drives
  • Real-time memory
Log analysis will typically establish what data was accessed, how, and by whom. Collect volatile memory before a system is powered off or rebooted, and hash bit-stream copies at acquisition so they can later be shown to be unaltered. It is critical to keep well-written documentation of everything done during the investigation stage, especially since external threats may require law enforcement involvement.
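
The "bit-stream copies of the drives" item and the documentation requirement above go together: an image is only useful as evidence if the record shows what was copied, when, and that the copy still matches. The example below is added here and is not from the article. It copies a source sector by sector, hashes the bytes as they are written, appends a custody record, and verifies an image against its record; it also shows the two failure modes a practitioner cares about, a tampered image (verification fails) and an unreadable sector (zero-filled and counted, which is what `dd conv=noerror,sync` does). The 512-byte sector size, the record format, the file paths, and the `FlakySource` test double that simulates a bad sector are assumptions of the example; a real acquisition would read a block device behind a write blocker.

```python
"""Bit-stream acquisition with hashing and a custody record (added example)."""
import hashlib
import io
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # assumption: 512-byte sectors


def acquire(src, img_path, log_path, label):
    """Copy src (an open binary file object, e.g. a block device opened read-only)
    sector by sector into img_path, hashing what is written. An unreadable sector
    is written as zeros and counted, so the record shows whether the image is a
    perfect copy or has holes."""
    digest = hashlib.sha256()
    sectors = bad = 0
    with open(img_path, "wb") as img:
        while True:
            try:
                chunk = src.read(SECTOR)
            except OSError:
                src.seek((sectors + 1) * SECTOR)   # skip past the bad sector
                chunk = b"\x00" * SECTOR
                bad += 1
            if not chunk:
                break
            img.write(chunk)
            digest.update(chunk)
            sectors += 1
    record = {"label": label, "image": img_path,
              "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "sectors": sectors, "bad_sectors": bad, "sha256": digest.hexdigest()}
    with open(log_path, "a") as log:   # append-only custody log, one JSON record per line
        log.write(json.dumps(record) + "\n")
    return record


def verify(record):
    """Recompute the image hash and compare it with the recorded one."""
    h = hashlib.sha256()
    with open(record["image"], "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == record["sha256"]


class FlakySource(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector (test double)."""
    def __init__(self, data, bad_sector):
        super().__init__(data)
        self.bad_sector = bad_sector

    def read(self, n=-1):
        if self.tell() == self.bad_sector * SECTOR:
            raise OSError("Input/output error")
        return super().read(n)


def demo():
    work = tempfile.mkdtemp()
    log = os.path.join(work, "custody.jsonl")
    data = bytes(range(256)) * 4096          # constructed 1 MiB of "drive" contents
    src_path = os.path.join(work, "evidence.bin")
    with open(src_path, "wb") as f:
        f.write(data)
    # 1. Clean acquisition: the image hash equals the hash of the source bytes.
    with open(src_path, "rb") as src:
        clean = acquire(src, os.path.join(work, "evidence.dd"), log, "web01 /dev/sdb (constructed)")
    clean_ok = verify(clean) and clean["sha256"] == hashlib.sha256(data).hexdigest()
    # 2. Tampered image: one flipped byte, and verification must fail.
    with open(clean["image"], "r+b") as f:
        f.seek(1000); b = f.read(1); f.seek(1000); f.write(bytes([b[0] ^ 0xFF]))
    tampered_detected = not verify(clean)
    # 3. Drive with a bad sector: the image still verifies, and the record shows the hole.
    flaky = acquire(FlakySource(data, bad_sector=7), os.path.join(work, "flaky.dd"), log,
                    "bad-sector drive (constructed)")
    with open(flaky["image"], "rb") as f:
        f.seek(7 * SECTOR)
        hole = f.read(SECTOR)
    with open(log) as f:
        log_records = sum(1 for _ in f)
    shutil.rmtree(work)
    return {"clean_ok": clean_ok, "tampered_detected": tampered_detected,
            "sectors": flaky["sectors"], "bad_sectors": flaky["bad_sectors"],
            "hole_zeroed": hole == b"\x00" * SECTOR, "flaky_verifies": verify(flaky) if os.path.exists(flaky["image"]) else None,
            "log_records": log_records}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The image hash is computed from the bytes written, so for a drive with bad sectors it is the hash of the image, not of the original media; the `bad_sectors` count in the record is what tells a reviewer the two differ. Hashing a live, changing source will never match, which is one more reason to image from a write-blocked, powered-down drive.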

Containment

When the IR team knows what incident level it is dealing with, the next step is containment: limiting the scope and magnitude of the issue. The team must focus on two areas:
  1. Protecting critical systems and their availability where possible.
  2. Determining the operational status of the affected computer, system or network.
Three options determine the operational status of the compromised system, computer or network:
  1. Disconnect it from the network and allow it to continue stand-alone operation.
  2. Immediately shut everything down.
  3. Allow the system to stay on the network and monitor its activity.
All three are viable containment options at the start of the response, and the choice should be made quickly so eradication can begin. Each has a cost: immediate shutdown destroys memory-resident evidence, while leaving a system online to watch the attacker must be weighed against the risk of further damage.

Eradication

Eradication is the process of eliminating the issue and takes place only after the external and internal containment actions are complete. There are two crucial steps to be aware of. The first is clean-up: running anti-malware tools, uninstalling compromised software, rebuilding the operating system or replacing the hard drives, and reconstructing the affected network.

Some things to consider in the eradication process:

  • Slow-moving breaches that have been in the environment for years are designed to evade detection. Determining the full scope of the impact and rectifying it will take an undetermined amount of time. Remember that attackers come back, probing for unforeseen vulnerabilities to exploit.
  • Removing a single piece of malware may be relatively easy, but malware embedded throughout a system makes complete removal a major technical challenge. It can also mean rebuilding from scratch.
  • Ransomware, where an attacker holds systems or data hostage until a ransom is paid, is handled according to the scope of the incident. If a laptop or other mobile device is infected, it is removed from the network and re-imaged offline. If it is a more pervasive, system-wide issue, containment and eradication will involve a considerable investment of technical resources.
  • Physical theft, loss, or damage to assets from a natural disaster could involve recovery from off-site backups, with the main focus on external communications. Having a functioning disaster recovery plan in place is crucial.
The second step is notification, which covers the relevant personnel both above and below the IR team manager in the reporting chain.

Recovery

Returning the company or organization to normal operations involves two steps.
  1. Service restoration based on the corporate contingency plans, followed by validation, testing, and certification of the system, computer or network as operational.
  2. Re-certification of every compromised component as both operational and secure.

Post-Incident and Monitoring

After operations have returned to normal, follow-up and monitoring steps should be conducted to confirm the process was sufficient and adequate. Moreover, the IR plan, and in particular its methods and procedures, must keep evolving to defend and react against new threats.

These are just a few considerations for continual improvement:

  • Allow for sufficient incident preparation.
  • Allow for timely detection and investigation.
  • Ensure clear communications and that protocols are adequately executed.
  • Build upon prevention tools and techniques.
It is essential to understand that an effective IR plan with controlled processes and procedures gives the response team the readiness to perform consistently every time.

Where It Can Go Wrong

Not every IR event goes according to plan, and in my experience the results can be devastating. Examples range from rushing to respond to an incident without fully understanding its scope and cause, to a deliberate communication shutdown by executives.

Here are some of the prevailing circumstances under which an IR plan fails:

  • Deliberate communication shutdown to cover up human error, negligence or intentional crimes. Such behavior is sometimes uncovered by third-party investigators or law enforcement, but it persists in organizations that clamp down on reporting and whistle-blowing.
  • Communicating before the scope and precise damage of the incident are understood is a considerable danger. A bad disclosure can wreak havoc on employees, clients, contractors and the members of the public directly involved.
  • Responding without understanding the full scope of the incident is deeply flawed. For example, closing the first backdoor discovered does not mean the incident is resolved; other footholds may still be present.
  • Tipping your hand to an attacker invites them to dig deeper into the environment and to learn how they were discovered, so that they can evade detection next time.
  • Failing to involve legal counsel early invites perilous lawsuits, because counsel cannot prepare the organization's position on due diligence in protecting data, loss of privacy, financial losses, and other claims.
  • Lack of talent, staff, and training often results in the wrong people responding to incidents. A network intrusion by an external attacker is different from one carried out by a trusted insider with privileged access to enterprise systems and data.
A CISO should have, as part of the security program, a solid IR plan and processes in place with the backing of all executives and board members to ensure proper execution. They must be mindful of where the common weaknesses in the plan are and move to remediate them.