Learn why your organization needs it.

3 Reasons Why You Need an Incident Response Plan

Today, cyberattacks are frequent and indiscriminate, striking small businesses and large corporations alike. Research shows that over 60% of organizations worldwide have experienced a cyber security incident at least once, and over 50% of attacks targeted SMBs.

Dealing with a cyber incident can be costly business. In a recent example, an attack directed at INRS — a university in Quebec — put the systems of this Canadian academy completely out of order. The cost of restoring them amounted to almost $270,000. 

But despite just how devastating these attacks are, 77% of organizations still lack incident response strategies or apply them haphazardly, an IBM Security study shows.

Having no clear instructions on what to do during a breach puts security teams in a vulnerable state — it is unlikely that under stress such teams will perform optimally. And this means mistakes and exacerbated damages. 

One of the steps to correcting this is creating a cyber incident response plan.

What is a cyber incident?

But before we jump into the details of creating a plan, let’s first establish a definition to understand what constitutes a cyber incident.

NCSC defines a cyber incident as a breach of security policy that compromises the integrity of the system or gives unauthorized access to a third party

There are many cybersecurity threats capable of creating a breach. Here are just some, that small and medium businesses have to grapple with: 

  1. Malware: malicious programs such as trojans, info stealers, and ransomware
  2. Phishing: social engineering attempts to trick employes into revealing login credentials or installing destructive malware
  3. Password Hacking: gaining access by cracking weak passwords
  4. Insider Threats: confidential information accidentally or purposefully leaked by employes

Why do you need a cyber incident response plan?

Here are 3 reasons why a cybersecurity incident response plan is crucial for effective defense:

1. It prepares you to fend off cyber threats

And reduces the amount of damages incurred during incidents. Without a plan, security teams are forced to wing it every time they deal with a threat. This can leave them scumbling, not knowing where to look and what to search for. The result? Higher recovery costs.

2. You may be lawfully required to have a cyber response plan

Depending on the jurisdiction and the type of business, creating a response plan might be a  requirement for you, not a choice. This is especially true for companies that deal with finance or personal data. For example, the California Consumer Privacy Act (CCPA) mandates that companies have a cyber incident response strategy. It’s also a must for the ISO 27001 certification.

3. It makes your defense more resilient in the long run

With a cyber incident response plan, you will implement a policy of constant evaluation and reiteration. You will learn how to collect data during an incident, then, use the findings to harden your defenses. All of this will help avoid similar incidents going forward. 

What is a cyber incident response plan?

An incident response plan is a document that provides a systematic approach to handling different cyber threats. 

At the very least, the plan should outline how to prepare for, detect, contain and eradicate the threat. Then, restore the system to its pre-attack state while also hardening it. Finally, correct the errors that made the incident possible. 

But a great plan goes beyond just dealing with malware. It should also consider your communication, PR, legal repercussions, and even cybersecurity insurance

  • How do you notify users that their data is not safe?
  • Are you legally protected in case of a leak?
  • Will you control potential public fallout yourself or with a PR partner? 
  • Who in your team is responsible for communication with the users?  

These are the types of questions you want to have prepared answers for.

6 phases of an incident response process 

Incident response plans are structured in such a way as to provide directions chronologically, preventive actions at the top of the document and post-incident recovery towards the end.  

Depending on a school of thought, response plans will have 4 to 6 phases. (Sometimes containment, eradication, and recovery are merged into one large block).

Six phases of an incident response process

Here’s a quick summary of what to consider as you make out the plan for each:

1. Preparation 

This phase is all about getting ready: naming people in charge, assigning battle stations, preparing a war room (yes, that’s an actual thing that people do), and listing attack vectors and attack handling procedures. This way if a breach does happen, your team will know exactly how to act and will stay organized. 

2. Identification

Detecting that you’ve been hit is probably the most difficult part of incident response. But you can increase the chances of finding attack precursors and early indicators by establishing and following logging and monitoring policies. Also, you can use ANY.RUN online malware sandbox to view processes created by certain malware and cross-reference them with the activity in your own system.

3. Containment

The containment phase is about quarantining the infection: shutting down a system, revoking account permissions or disabling certain functions are some of the available strategies for isolating malware. Keep in mind that your tactics and instruments will change based on what type of attack you’re experiencing. 

4. Eradication

The goal of the eradication phase is to stop the attack completely in its tracks. Some of the instruments used at this stage overlap with the containment phase, and again, your options will change depending on the nature of the incident. For example, in a phishing attack you can suspend a compromised account to disarm the attacker. And a malware infection can be eradicated by restoring the system from a clean snapshot. 

5. Recovery

During the recovery stage, your goal is to get the business process up and running again while also hardening the system. For instance, restore affected components from a trusted backup and patch out any vulnerabilities that were exploited in the incident.

6. Lessons Learned

The final phase of the plan deals with reiterating on your security practices, armed with the knowledge obtained during the incident. Evaluate the errors that led to the attack, make corrections, and add new policies to the incident response plan.

Going in-depth

And if you really want to sink your teeth into all the details of creating a response plan, reference the NIST Computer Security Incident Handling Guide. Just remember that not every organization needs to go this in-depth. It all depends on the type and size of your business. 

Useful tools in the incident response jump kit  

Here, we’ve listed some tools that you’ll want to keep handy, as well as useful practices for different stages of the response process. 

PreparationIdentificationContainment, eradication, recovery

Emergency phonebook

So you know who to contact in
an incident, both inside the team
and out. 

to analyze suspicious files
and links, perform digital forensics

System snapshots

To roll back the system
to a clean state
using a trusted backup
Log Retention Policy

Determines how long
the data is kept
to help security
specialists perform analysis
Incident Databases

Resources such as
the ANY.RUN trends tracker
help keep track of
and study existing threats

Incident Prioritization Table

A formal classification
of incident difficulty
that helps choose
a containment approach:
immediate or strategic

Normal behavior threshold 

Establish a guideline
for what is normal
system behavior
to detect anomalies
Event correlation

This is a practice
of comparing logs
to find discrepancies

File backups

Backups of the code
stored on a dedicated
server can be used to
replace compromised
files with clean ones

Using a sandbox to identify threats

Identifying malware in an infected machine is pretty much like looking for a needle in a haystack. 

But if you know exactly where to search, suddenly you’re scanning that same haystack with a metal detector, and pulling the needle out with a magnet.

Malicious programs leave behind bread crumbs in the form of files, processes, and network activity — these are Indications of Compromise or IOCs, and they are unique to each malware family. There are organizations that record and catalog such traces in public databases. For example, ATT&CK MATRIX

As long as you know what activity hints at the presence of malware, you can check if such activity took place in a system. This can be useful, for example, to quickly identify which clients have been infected in an organization.

This is where sandboxes come into place. Using an isolated virtual environment, you can force the malware to execute and collect as many bread crumbs as you need.

For example, in this FormBook task, we can see how ANY.RUN generated a cyber security incident report which revealed all processes created by the trojan. 

FormBook task in ANY.RUN

We can see them even more clearly in the process graph — an informative ANY.RUN feature.

A process graph in ANY.RUN

This overview gives us a broad idea how to identify this sample in hosts, where it could potentially evade detection and persist. We can do this by running triage sessions over our assets, for instance, using PowerShell.


Cyber incident response is a broad topic — every company is a little bit different and requires a unique approach to security. There are countless threats, attack vectors and handling strategies to consider, and they change based on the type of business and industry. 

Perhaps, this is why so many organizations avoid creating cyber incident response plans. And it really does seem like a daunting task. But don’t let this stop you — even a basic strategy is better than no strategy at all. And a lot of smaller businesses can keep it basic.

Just remember the generation old wisdom — better safe, than sorry.

Questions and answers (Q&A) 

  • What is a cyber incident?

A cyber incident is a breach of security policy that compromises a system’s integrity or gives a perpetrator an unauthorized access to a system. 

  • What is a cyber incident response plan?

A cyber incident response plan is a document that outlines a company’s incident handling policies in 6 phases: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.  

  • Why do I need a cyber incident response plan?

A cyber incident response plan helps security teams respond to breaches in an organized and thorough way, ensuring complete recovery from an incident.

  • What is the main reason for an organization to develop an incident response plan?

A cyber incident response plan helps organizations manage threats in an effective manner, and leads to lower recovery costs. This is important because a successful cyberattack can induce hundreds of thousands of dollars worth of damages.

  • What tools can help me respond to incidents effectively?

There are many digital forensics tools that are useful during the identification and containment stages. For example, ANY.RUN online malware sandbox can help collect Indicators of Compromise (IOCs) quickly and efficiently.

Notify of
Inline Feedbacks
View all comments