The basics of Incident Response Planning: how do you do it?

October 22, 2021
John Bruggeman
Consulting CISO

Since we are in the middle of Cybersecurity Awareness Month, I want to know about your incident response plan or IRP. When you created your cybersecurity program, how did you go about developing an incident response plan for your information security team? What steps did you take? Who did you involve?

Some of you might be thinking, “I don’t have time to create an Incident Response Plan, John!”

Well, ok, I understand that, but think of this analogy: You are the coach of a high school basketball team, and you’re getting ready to play your first league game. Have you practiced at all? Have you run a few drills? Do you know who on your team is good at shooting the ball? Who’s good at passing the ball? Who’s good at defending? Who do you want as the captain of the team? Who do you not want on the team? Who might be best holding a clipboard or keeping score?

Would you put your team on the court without any plan or any practice? I don’t think you would. You would want to be as prepared as possible before you put your team on the court.

So today I want to talk about the basics of creating your IRP, about planning and being prepared for something more dangerous to you and your company than a basketball game.

An IRP can be customized for your specific company or organization, of course, but you will want to cover this basic format for three general types of incidents: High, Medium, and Low. Sometimes these are called Priority 1, 2, or 3 incidents, and sometimes they are given colors, like red, yellow, and blue. Regardless of the scale you use, the information below is a general guide for WHAT you want to do when you respond to an incident.

High Level Incidents or Priority 1

Suggested steps for response and remediation for High Level Incidents or Priority 1 (Examples: active ransomware, data exfiltration, or other obvious malicious activity).

Time frame to respond: 2 hours or less

  1. Assess the size and scope of the incident. Investigate alerts from endpoint security tools or intrusion detection systems and log any new detections.
  2. Using your network management tools, isolate affected endpoint(s) from the network to prevent malware from moving laterally through the environment.
  3. Kill running process(es) associated with the malware if possible.
  4. Delete malicious binaries if possible.
  5. Block command-and-control IP addresses at the network perimeter firewall.
  6. Ban malicious MD5 or SHA-2 hashes with your whitelisting tool or other relevant product.
  7. Remove persistence mechanisms (scheduled tasks, autorun keys in the registry, etc.).
  8. Minimize the risk of a future attack by identifying the vulnerability used in the attack and implementing technical or administrative controls.
  9. Review account usage involved in the incident: reset passwords, limit administrative access where possible, and disable unnecessary file-sharing access.
  10. Re-image infected systems and patch identified vulnerabilities.
  11. Mark relevant detections and alerts as repaired in the incident tracking tool.
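Steps 1, 2, 5 and 6 boil down to one question: which hosts touched a known-bad file or a known command-and-control address? The Python below is an added example, not code from the original post or from CBTS, that sweeps a constructed per-host file inventory and a few constructed perimeter firewall log lines against a banned-hash list and a C2 address list, then returns the hosts to isolate and the addresses to block. Every hostname, IP (RFC 5737 documentation ranges), path and log line is constructed, and the banned hashes are derived from the constructed sample payload so the example is self-consistent and runs offline; in a real plan they come from your EDR/AV vendor or threat-intel feed.

```python
from __future__ import annotations

import hashlib
import ipaddress
import re

# --- Constructed indicators for this example (documentation-only values, not real IoCs) ---
# C2 addresses are drawn from the RFC 5737 TEST-NET ranges.
C2_IPS: set[str] = {"198.51.100.23", "203.0.113.77"}

# A constructed "malicious" payload. The banned hashes are derived from it so the
# blocklist is consistent by construction; a real list comes from your vendor or intel feed.
MALICIOUS_SAMPLE = b"constructed-ransomware-sample-for-the-example"
BANNED_MD5: set[str] = {hashlib.md5(MALICIOUS_SAMPLE).hexdigest()}
BANNED_SHA256: set[str] = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}

# Constructed asset table (source IP -> hostname) and per-host file inventory.
ASSETS = {"10.0.0.12": "WS-012", "10.0.0.31": "WS-031", "10.0.0.40": "WS-040"}
INVENTORY: dict[str, dict[str, bytes]] = {
    "WS-012": {
        "C:/Users/alice/Downloads/invoice.exe": MALICIOUS_SAMPLE,
        "C:/Windows/notepad.exe": b"benign-content-1",
    },
    "WS-031": {"C:/Users/bob/Documents/report.docx": b"benign-content-2"},
    "WS-040": {"C:/Temp/update.exe": b"benign-content-3"},
}

# Constructed perimeter firewall log lines; the last one is deliberately malformed.
FIREWALL_LOG = [
    "2021-10-22T09:14:03Z src=10.0.0.12 dst=198.51.100.23 dport=443 action=allow",
    "2021-10-22T09:14:09Z src=10.0.0.31 dst=203.0.113.77 dport=8443 action=allow",
    "2021-10-22T09:15:00Z src=10.0.0.40 dst=192.0.2.10 dport=443 action=allow",
    "2021-10-22T09:15:01Z firewall restarted",
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def find_banned_files(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Return (path, algorithm) for every file whose hash is on a blocklist (step 6)."""
    hits = []
    for path, content in files.items():
        if hashlib.md5(content).hexdigest() in BANNED_MD5:
            hits.append((path, "md5"))
        elif hashlib.sha256(content).hexdigest() in BANNED_SHA256:
            hits.append((path, "sha256"))
    return hits


def find_c2_connections(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (src, dst) for every parseable log line whose destination is a known C2 IP (step 5)."""
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if match is None:
            continue  # malformed or unrelated line: skip it, don't abort the sweep
        try:
            dst = str(ipaddress.ip_address(match["dst"]))
        except ValueError:
            continue  # not an IP literal (e.g. a hostname); out of scope for this check
        if dst in C2_IPS:
            hits.append((match["src"], dst))
    return hits


def scope_incident(inventory, assets, log_lines) -> dict:
    """Combine both indicator sources into a scoping result (steps 1 and 2)."""
    evidence: dict[str, list[str]] = {}
    for host, files in inventory.items():
        for path, algo in find_banned_files(files):
            evidence.setdefault(host, []).append(f"banned {algo} hash: {path}")
    c2_hits = find_c2_connections(log_lines)
    for src, dst in c2_hits:
        # An IP missing from the asset table stays visible so someone follows up on it.
        host = assets.get(src, f"unknown-host({src})")
        evidence.setdefault(host, []).append(f"connection to C2 {dst}")
    return {
        "isolate": sorted(evidence),                        # step 2: hosts to pull off the network
        "block_ips": sorted({dst for _, dst in c2_hits}),   # step 5: perimeter firewall block list
        "evidence": evidence,                               # step 1: what was seen, per host
    }


if __name__ == "__main__":
    result = scope_incident(INVENTORY, ASSETS, FIREWALL_LOG)
    for host in result["isolate"]:
        print(host, "->", "; ".join(result["evidence"][host]))
    print("block at perimeter:", result["block_ips"])
```

Two design choices matter here: a malformed log line is skipped rather than stopping the sweep (you do not want a scoping pass to die on a restart banner during a two-hour response window), and a source IP with no asset-table entry is reported under a placeholder name instead of being dropped, because an unknown host talking to a C2 address is exactly the thing you need to chase.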

Escalation Procedure

  1. The helpdesk or MSP contacts the appropriate incident responder(s), chosen from a pre-determined list based on asset value, department, or data owner; the responder(s) initiate the pre-defined response plan for the severity and type of incident.
  2. Complete scoping assessment to determine which systems and data were affected by the incident.
  3. Notify appropriate personnel if scoping assessment determines that the sensitive data was affected by the incident and escalate as needed.
  4. Notify relevant managers when the incident has been successfully resolved/remediated.
  5. Prepare post-incident report documenting response process and distribute to appropriate personnel.

Medium Level Incidents or Priority 2

Suggested steps for response and remediation for Medium Level Incidents or Priority 2 (Examples: odd behavior from a web browser, like redirecting to a "support" website, or a desktop application requesting login credentials).

Time frame to respond: 2–4 hours

  1. Assess the size/scope of the incident.
  2. Investigate alerts from network and endpoint security tools and acknowledge any new detections.
  3. Isolate affected endpoint(s) from the network to prevent malware from moving laterally throughout the environment.
  4. Kill running process(es) associated with malware if possible.
  5. For suspicious activity, investigate details within endpoint data and determine if behavior is legitimate or malicious.
  6. Delete any malicious binaries present on the endpoint(s).
  7. If possible, block malicious files by MD5 or SHA-2 hash with your AV or endpoint protection tool.
  8. Mark relevant detections and alerts as resolved/remediated.

Escalation Procedure

  1. Helpdesk or MSP will initiate remediation within 2 to 4 hours.
  2. Document response actions and notify management as needed upon repair/remediation.

Low Level Incidents or Priority 3

Suggested steps for response and remediation for Low Level Incidents or Priority 3 (Examples: adware, add-on search toolbars, peer-to-peer software).

Time frame to respond: 24–48 hours

  1. Acknowledge detection(s), open a helpdesk ticket.
  2. Kill running process(es).
  3. Contact affected end user.
  4. Uninstall unwanted programs.
  5. Mark as remediated.

Escalation Procedure

  1. Helpdesk or MSP will fix/remove the malware within 24 to 48 hours, depending on SLA.
  2. Document response actions and notify management as needed upon repair/remediation.
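The three tiers above share one shape: a category decides the priority, the priority decides the response window, and the escalation procedure decides who hears about it. The Python below is an added example, not code from the original post or from CBTS, that encodes those rules in a small alert tracker and reports which open alerts have blown their window at a given moment. The category names, alert IDs and timestamps are constructed; the windows are the post's (2 hours for P1, 4 hours as the upper bound for P2, 48 hours as the upper bound for P3). One choice goes beyond the text: a detection whose category is not in the table is treated as P1, so nothing unclassified quietly waits 48 hours.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Response windows from the plan; the upper bound of each window is the deadline.
SLA = {1: timedelta(hours=2), 2: timedelta(hours=4), 3: timedelta(hours=48)}

# Detection categories mapped to priority, following the plan's examples.
# The category names themselves are constructed for this example.
CATEGORY_PRIORITY = {
    "ransomware": 1,
    "data_exfiltration": 1,
    "browser_redirect": 2,
    "credential_prompt": 2,
    "adware": 3,
    "search_toolbar": 3,
    "p2p_software": 3,
}


@dataclass
class Alert:
    alert_id: str
    category: str
    detected_at: datetime
    sensitive_data: bool = False         # set by the scoping assessment
    resolved_at: datetime | None = None  # filled in when marked remediated


def ts(*args: int) -> datetime:
    """Build a UTC timestamp for the constructed sample data."""
    return datetime(*args, tzinfo=timezone.utc)


def priority_for(alert: Alert) -> int:
    # Fail safe (added design choice): an unclassified detection is P1, not P3.
    return CATEGORY_PRIORITY.get(alert.category, 1)


def deadline_for(alert: Alert) -> datetime:
    return alert.detected_at + SLA[priority_for(alert)]


def overdue(alerts: list[Alert], now: datetime) -> list[Alert]:
    """Open alerts past their response deadline, most urgent first."""
    late = [a for a in alerts if a.resolved_at is None and now > deadline_for(a)]
    return sorted(late, key=lambda a: (priority_for(a), deadline_for(a)))


def escalation_targets(alert: Alert) -> list[str]:
    """Who the plan says to notify for this alert, given what is known so far."""
    targets = ["helpdesk"]  # every tier starts as a helpdesk/MSP ticket
    if priority_for(alert) == 1:
        targets.append("incident-responders")  # P1: page the pre-determined responders
        if alert.sensitive_data:
            targets.append("data-owners")  # scoping found sensitive data: escalate
    if alert.resolved_at is not None:
        targets.append("management")  # all tiers: notify management on remediation
    return targets


# Constructed sample queue; "now" is fixed so the example is reproducible.
ALERTS = [
    Alert("INC-001", "ransomware", ts(2021, 10, 22, 9, 0), sensitive_data=True),
    Alert("INC-002", "adware", ts(2021, 10, 21, 8, 0)),
    Alert("INC-003", "browser_redirect", ts(2021, 10, 22, 10, 30)),
    Alert("INC-004", "unknown_beacon", ts(2021, 10, 22, 9, 30),
          resolved_at=ts(2021, 10, 22, 10, 15)),
]
NOW = ts(2021, 10, 22, 12, 0)

if __name__ == "__main__":
    for a in ALERTS:
        print(a.alert_id, f"P{priority_for(a)}", "due", deadline_for(a).isoformat(),
              "notify:", ", ".join(escalation_targets(a)))
    print("overdue:", [a.alert_id for a in overdue(ALERTS, NOW)])
```

At the constructed "now", only INC-001 is overdue: the P1 ransomware alert passed its two-hour mark at 11:00 and is still open. INC-004 also passed its (default-P1) deadline but was remediated inside the window, so it is not flagged; that is why the check keys off `resolved_at` rather than the clock alone.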

If creating an incident response plan still looks like more work than you have time for, remember that cyber attackers spend all of their time looking for your network’s weak spots. Like any good game plan, your IRP will create a stronger, more nimble team with the skills to respond to those attacks and beat your opponents.

After you make your plan with your Information Security Team (even if it’s your regular IT guys who have a dual role doing InfoSec), you need to practice it. Not every day, but once a quarter. Then again, depending on your environment, you might end up practicing it every day because you have a lot of incidents. I hope that’s not the case, and I hope this helps you and your organization on the road to a safer and more secure work environment.
