Incident Response: Developing an incident response process

13:46 26 March in attack, hack, Incident Response

We’ve written a few articles recently on the topic of incident response, without ever stopping to explain what we actually mean when we talk about ‘incident response’ in a cyber security context. So today we’re going to rectify that, and give you some pointers for developing your own incident response plan.

What is cyber security incident response?

Very simply, it’s the plans and procedures you have in place, and then follow, for when something goes wrong and endangers your information and computers. It is often, but not always, a response to a malicious incident of some kind (e.g. someone hacking your website). An effective incident response plan will ensure you minimise the impact of that event on your organisation, and are able to recover data and services (if relevant) as quickly as possible.

Incident response is, like many aspects of cyber security, something people often struggle with because they simply don’t know where to start, and if you google the topic there is a lot of complicated-looking advice. However, it’s not inherently complicated, and most organisations can develop effective incident response plans easily enough.

Developing an incident response plan

The easiest way to begin developing an incident response plan is to think of some likely scenarios. When thinking about all that could go wrong in cyber security, most people think of dramatic events a la Sony, and are immediately overwhelmed. However, the majority of cyber security incidents are much more mundane, despite SOC (Security Operations Centre) analysts claiming it’s all cyber war with Chinese state-backed hackers when you meet them in the pub. That’s not to say devastating hacks don’t happen – they clearly do, and they should be something you consider, but start small and work up.

Examples of common incidents which require some sort of response include:

  • Lost or stolen laptops
  • Lost or stolen USB devices
  • Suspicious emails
  • Virus infection

These kinds of events happen to companies every day, and yet without proper handling can potentially have a significant impact on an organisation.

So you have some sample scenarios. Step 2 is to think about the questions that need to be asked, and the steps that need to be taken, to resolve the incident (remembering that your goal should be to minimise the impact to your organisation). In our laptop example you might ask the following:

  • Was the laptop encrypted (hopefully, yes!)?
  • What data was on the laptop?
  • Was it turned off or locked when it was stolen or lost?
  • What remote access did the employee have?
  • If they did have remote access, should you disable or suspend these accounts until passwords can be reset? Do you know how to get that done in a hurry?
  • Who needs to be informed of the incident? Should you tell management? Report it to the police?

Next you need to validate any assumptions you have made, and fill in any blanks. The best, and I think the easiest, way to do this is to get all the relevant people together in a room and walk through each of your scenarios. See if they agree with the steps you have recommended, or if they spot gaps. Go through each scenario multiple times too – a lost laptop on a Tuesday afternoon will not be handled the same way as a lost laptop on a Saturday morning.

Your outcomes from this walkthrough process should be agreed actions for a range of likely scenarios. You will also want to have agreed some communications – at which point in the scenario might you tell other staff about the incident? What about your customers? Contact lists are also important – it’s one thing knowing who to call in the office, but another if it’s a Saturday night, you’ve just left the pub, and you need to get hold of the head of IT.

What else?

You need to validate your plans periodically. People leave the organisation, get new phones, etc., and you may have new lines of business or new ways of remote working, all of which require a different form of response. Again, the easiest and most effective way to test any assumptions (and ensure contact lists are up to date) is to get all relevant people together in a room and walk through them. Bribe them with biscuits if necessary.

As always, if you have questions please get in touch! Find us on Twitter, or use the contact form.

The Cyber Security Expert