Your Better Plan is to Create an Incident Response Plan!

Runa Tripathy   

The complexity and precision of today’s cyberattacks, combined with the sheer number of security alerts and false positives, make it easy to understand why incident response teams burn out, leaving organizations at risk.

Incident response is the process of detecting and handling a security incident, cyberattack or data breach, remediating that threat, and recovering in the aftermath. It requires analysts to fend off attackers, review the results of their response, and apply lessons learned to avoid a repeat. When you discover a security breach, you need to determine, in short order, exactly what happened, how it happened, the scope and impact of the compromise, and the steps you need to take to contain and remediate it. In short, it is the art of clean-up and recovery when you discover a cybersecurity breach.

An incident response plan serves as your master blueprint for navigating a security incident, ensuring that everything is thought out in advance, that systems are secured appropriately, and that everyone on the team knows exactly what to do when an incident occurs. A security breach not only damages your business and your clients; it is also the biggest threat to your most valuable asset: your reputation.

While you cannot control how, when, and why attackers target your company, you can control how much damage they do. Responding swiftly and effectively to cyber incidents goes a long way toward making your company resilient to them.

Let’s look at what you should consider while creating a robust incident response plan:

What’s essential to mitigating the aftermath of any incident is to approach it with a plan.

Create your own Dynamic Playbook of IR:

The first and most crucial step is to create a rough sketch of your plan, and you need to ensure that it covers the following:

  • Your key stakeholders, internal and external: primarily the Security Dept, the CISO Office, the Gov team, and the CIRT team, as each of them plays a crucial role in the Identification, Detection & Analysis phases of incident response.
  • The crucial assets you want to protect.
  • Your loopholes – the areas where attackers are known to gain access to your environment.
  • Your limitations around protecting certain assets, and a way to overcome them.


Once you have filled in these key pointers, you will intuitively be building a plan that addresses defense-in-depth. The heart of an incident response plan is the playbook. The playbook details the tasks and actions your organization should take in response to various incidents. What’s crucial is that you keep this playbook dynamic: start with manual tasks, then evolve it based on your experience and on changes in the threat landscape.

Review & Iterate Continuously:

Remember, developing the playbook once isn’t enough, because incidents keep evolving with the times. You need to regularly practice and update your incident response, either internally or with the help of a consultant. In fact, this three-pronged approach really helps:

  • Review your plan to be sure it’s written in plain English so that your team can follow it—even in panic mode
  • Involve stakeholders in the process and get their buy-in on the plan
  • Map your detection capabilities to the attack chain so you can see if the plan holds up, and if not, how to tweak it
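The third point, mapping detections to the attack chain, is something you can check mechanically rather than by eye. The following is an added example (not part of the original article, and not any vendor's tooling): it takes an inventory of detection capabilities, marks each with the kill-chain stages it can observe and whether its alert triggers a playbook step automatically, and then walks a few tabletop attack paths to find the earliest point at which each path would be seen. Stage names follow the Lockheed Martin Cyber Kill Chain; the detection names, the `automated` flags and the scenario paths are constructed assumptions.

```python
# Added example (not from the article): map detection capabilities to the
# attack chain and find where the plan is blind. Stage names follow the
# Lockheed Martin Cyber Kill Chain; the detections below and the sample
# attack paths are constructed for illustration, not real rule names.
from dataclasses import dataclass

KILL_CHAIN = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
]


@dataclass(frozen=True)
class Detection:
    name: str
    stages: frozenset      # kill-chain stages this control can observe
    automated: bool        # True if the alert triggers a playbook step on its own


# Constructed detection inventory (assumed, for illustration only).
DETECTIONS = [
    Detection("email-sandbox-detonation", frozenset({"delivery"}), True),
    Detection("edr-process-injection", frozenset({"exploitation", "installation"}), True),
    Detection("dns-beacon-periodicity", frozenset({"command_and_control"}), False),
    Detection("dlp-bulk-egress", frozenset({"actions_on_objectives"}), False),
]


def coverage(detections, chain=KILL_CHAIN):
    """Return {stage: sorted detection names} for every stage in the chain."""
    cov = {stage: [] for stage in chain}
    for det in detections:
        for stage in det.stages:
            if stage in cov:
                cov[stage].append(det.name)
    return {stage: sorted(names) for stage, names in cov.items()}


def gaps(detections, chain=KILL_CHAIN):
    """Stages of the chain where no detection fires at all."""
    return [stage for stage, names in coverage(detections, chain).items() if not names]


def manual_only(detections, chain=KILL_CHAIN):
    """Stages covered only by detections that still need an analyst to act."""
    automated = {s for d in detections if d.automated for s in d.stages}
    covered = {s for d in detections for s in d.stages}
    return [s for s in chain if s in covered and s not in automated]


def first_detection_point(path, detections, chain=KILL_CHAIN):
    """Walk an attacker's path (ordered stages) and return (index, stage, names)
    of the earliest stage we would see, or None if the whole path is blind."""
    cov = coverage(detections, chain)
    for i, stage in enumerate(path):
        if cov.get(stage):
            return i, stage, cov[stage]
    return None


def report(detections, paths, chain=KILL_CHAIN):
    """Human-readable summary of gaps, manual-only stages and per-path visibility."""
    lines = ["gaps: " + ", ".join(gaps(detections, chain)),
             "manual only: " + ", ".join(manual_only(detections, chain))]
    for label, path in paths.items():
        hit = first_detection_point(path, detections, chain)
        if hit is None:
            lines.append(f"{label}: BLIND along the whole path")
        else:
            i, stage, names = hit
            lines.append(f"{label}: first seen at step {i} ({stage}) by {', '.join(names)}")
    return lines


if __name__ == "__main__":
    # Constructed tabletop scenarios (assumptions).
    scenarios = {
        "phishing": ["reconnaissance", "weaponization", "delivery", "exploitation",
                     "installation", "command_and_control", "actions_on_objectives"],
        "stolen-vpn-creds": ["reconnaissance", "command_and_control", "actions_on_objectives"],
        "recon-only": ["reconnaissance", "weaponization"],
    }
    print("\n".join(report(DETECTIONS, scenarios)))
```

The useful output is not the list of stages you cover but the two lists you cannot act on quickly: the stages with no detection at all, and the stages where the only signal lands in an analyst queue. A path such as the stolen-credentials scenario, which skips delivery and exploitation entirely, is only seen at command-and-control by a manual detection, which is exactly the kind of finding that should send you back to tweak the playbook.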


What’s also critical is that your security operations staff understand just how bad things can get when you’re fighting a human adversary. Take help from incident response providers with cyber range capabilities, who can train your team to respond to an incident from the initial alert through its post-mortem. As incident response becomes muscle memory, your staff will be better equipped to handle any breach that occurs.

Automate & Orchestrate:

One of the keys to improving your incident response is to switch your organization from a reactive to a proactive cybersecurity stance. However, even after all the planning and testing, your team may still be overwhelmed by the continuous bombardment of incidents to investigate and alerts to sift through. The most common response, and in fact the biggest mistake we end up making, is to modify policies so that we receive fewer alerts.

By combining human and machine intelligence to increase speed and agility, orchestration can triple the volume of incidents a team can handle, freeing up cybersecurity teams’ bandwidth. Similarly, by automating repetitive and time-consuming tasks, intelligent orchestration frees analysts’ time for more strategic priorities. With automation and orchestration you can eliminate the noise, identify the critical threats, and get back to your core business faster than ever.
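To make the contrast between "tune the rule off" and "orchestrate the noise away" concrete, here is an added example (not from the article, and not any SOAR product's code) of the first automation step most teams write: fold a raw alert stream into one incident per host, score each incident by severity, asset value and the number of independent corroborating signals, and route it to a playbook action. No alert is discarded; repeats are attached to the incident so the analyst still sees them. The alert fields, the asset criticality map, the scoring weights and the routing thresholds are all assumptions made for illustration.

```python
# Added example (not from the article): collapse a noisy alert stream into
# prioritized incidents without dropping any alert. The alert fields, the
# asset criticality map, the scoring weights and the routing thresholds are
# all assumptions made for illustration.
from collections import defaultdict

# Assumed asset criticality (3 = crown jewels, 1 = low value).
ASSET_CRITICALITY = {"dc01": 3, "fileserver": 2, "kiosk-7": 1}

# Routing thresholds (assumed).
PAGE_THRESHOLD = 9
QUEUE_THRESHOLD = 4

# Constructed sample alerts; ids 1-3 are the same EDR rule firing repeatedly
# on one host, the kind of repetition that tempts teams to tune the rule off.
SAMPLE_ALERTS = [
    {"id": 1, "source": "edr", "host": "kiosk-7", "rule": "suspicious_powershell", "severity": 2},
    {"id": 2, "source": "edr", "host": "kiosk-7", "rule": "suspicious_powershell", "severity": 2},
    {"id": 3, "source": "edr", "host": "kiosk-7", "rule": "suspicious_powershell", "severity": 2},
    {"id": 4, "source": "ids", "host": "dc01", "rule": "kerberoast_spn_scan", "severity": 3},
    {"id": 5, "source": "edr", "host": "dc01", "rule": "lsass_access", "severity": 3},
    {"id": 6, "source": "av", "host": "fileserver", "rule": "eicar_test_file", "severity": 1},
]


def group_by_host(alerts):
    """Correlate alerts on the affected asset; order of first appearance is kept."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert["host"]].append(alert)
    return groups


def score_incident(alerts, criticality):
    """Highest severity weighted by asset value, plus a bonus for each
    independent corroborating signal (distinct source+rule pair)."""
    host = alerts[0]["host"]
    signals = {(a["source"], a["rule"]) for a in alerts}
    max_sev = max(a["severity"] for a in alerts)
    return max_sev * criticality.get(host, 1) + 2 * (len(signals) - 1)


def route(score):
    """Map a score to the playbook action that should run (thresholds assumed)."""
    if score >= PAGE_THRESHOLD:
        return "page_on_call"
    if score >= QUEUE_THRESHOLD:
        return "analyst_queue"
    return "enrich_and_batch_review"


def build_incidents(alerts, criticality=ASSET_CRITICALITY):
    """Turn raw alerts into one incident per host, highest score first.
    Duplicates are folded into the incident, never discarded."""
    incidents = []
    for host, group in group_by_host(alerts).items():
        score = score_incident(group, criticality)
        incidents.append({
            "host": host,
            "alert_ids": sorted(a["id"] for a in group),
            "signals": sorted({(a["source"], a["rule"]) for a in group}),
            "score": score,
            "action": route(score),
        })
    return sorted(incidents, key=lambda inc: (-inc["score"], inc["host"]))


if __name__ == "__main__":
    for inc in build_incidents(SAMPLE_ALERTS):
        print(f"{inc['host']:<11} score={inc['score']:<3} {inc['action']:<24} alerts={inc['alert_ids']}")
```

Six alerts become three incidents. The domain controller, with two different sensors agreeing, is paged immediately; the kiosk's three identical EDR hits are kept as one low-score incident for enrichment and batch review rather than silenced at the rule. The same triage logic is where you later bolt on automated enrichment (asset owner, recent logins, threat intel lookups) so that the queue the analyst opens is already half worked.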

It is important that an incident response plan is formulated, supported throughout the organization, and regularly tested, to provide a solid foundation for rapid, nuanced reactions that will serve you, your organization, and your outside security partners well. A good incident response plan can minimize not only the effects of the actual security breach but also the negative publicity.