A How-To Guide for Preparing your Cyber Incident Response Program

It’s Security Awareness Week at Cloudreach, and we’re bringing you a special guest blog post from our Partner Alert Logic!

What’s the Plan?

A how-to guide for preparing your cyber incident response program

Evaluating your organisation’s cyber security incident response readiness is an important part of your overall security program. But responding to a cyber security incident effectively and efficiently can be a tremendous challenge for most organisations. In most cases, the struggle to keep up during an incident is due to one of the following:

  1. The cyber incident response plan has been "shelf-ware" for too long.
  2. The plan hasn’t been practised by the incident response team.

Unfortunately, most organisations view cyber incident response as a technical issue—they assume that if a cyber incident response plan is in place and has been reviewed by the "techies," then the plan is complete. In reality, all these organisations have is a theoretical cyber incident response plan, one with no testing or validation. Cyber incident response plans are much more than a technical issue. In the end, they are about people, process, communication, and even brand protection.


How do you ensure your cyber incident response plan works?

The answer is: Practise your plan. You must dedicate time and resources to properly test the plan. Cyber incident response is a "use or lose skill" that requires practice. It’s similar to an athlete mastering a specific skill; the athlete must complete numerous repetitions to develop muscle memory to enhance performance. In the same way, the practice (repetitions) of testing your cyber incident response plan will enhance your team’s performance during a real incident.


Testing your plan effectively

Step 1: Self-Assessment and Basic Walk-Through

An effective methodology to test your cyber incident response plan begins with a self-assessment and simple walk-through of the plan with a limited number of team members. Steps should include:

  1. The incident response manager reads through the plan, using the details of a recent data breach to follow the plan. The manager also identifies how the incident was discovered as well as the notification processes.
  2. The team follows the triage, containment, eradication, and forensics stages of the plan, identifying any gaps.
  3. The incident response manager walks through the communications process along the way, including recovery and steady-state operations.
  4. The team documents possible modifications, follow-up questions, and clarifications that should be added to the plan.

Step 2: All Hands Walk-Through

The next step after the self-assessment is the walk-through with the entire incident response team. This requires an organised meeting in a conference room and can take between 2-4 hours, in which a scenario (a recent breach) is used to walk through the incident response document. These working sessions are ideal for filling in the gaps and clarifying expectations for things like detection, analysis, required tools, and resources. Organisations with successful incident response plans will also include their executive teams during this type of test. The executive team’s participation highlights priorities from a business and resource perspective and is less focused on the technical aspects of the incident.

Step 3: Live Exercise

The most important step in evaluating your incident response plan is to conduct a live exercise. A live exercise is a customised training event for the purpose of sharpening your incident response team’s skills in a safe, non-production environment. It isn’t a penetration test; it’s an incident response exercise designed to test your team’s ability to adapt and execute the plan during a live cyber attack. It’s essentially the equivalent of a pre-season game—the team participates, but it doesn’t count in the win/loss column. The value of a live exercise is the plan evaluation and team experience. The lessons learned usually prove to be the most valuable to the maturation of your cyber incident response plan.


Ultimately, preparedness is not just about having an incident response plan; it’s about knowing the plan, practising the plan, and understanding that it’s a work in progress. The development of an excellent incident response plan includes involvement and validation from the incident response team as well as a commitment to a repetitive cycle of practice and refinement.

If you want to master threat defence in the Cloud, why not download our free Alert Logic security report?