{"id":5604,"date":"2023-08-17T07:47:17","date_gmt":"2023-08-17T07:47:17","guid":{"rendered":"\/cybersecurity-blog\/?p=5604"},"modified":"2023-08-17T07:48:52","modified_gmt":"2023-08-17T07:48:52","slug":"incident-response-plan-templates","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/","title":{"rendered":"What is an Incident Response Plan: 6 Example Templates and Definition\u00a0"},"content":{"rendered":"\n<p>Having an incident response plan is key to minimizing potential damage from a cyberattack. \u00a0<\/p>\n\n\n\n<p>According to <a href=\"https:\/\/www.ibm.com\/reports\/data-breach-action-guide#:~:text=Data%20breach%20costs%20averaged%20USD,Breach%20Report%20has%20been%20published.\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">research<\/a>, the <strong>average cost of a data breach is USD 4.35 million<\/strong>. However, companies that regularly update their incident response plans were able to save USD 2.66 million on average.\u00a0<\/p>\n\n\n\n<p>An incident response plan helps to detect threats faster, contain them more effectively, and isolate infrastructural and reputational damage.\u00a0<\/p>\n\n\n\n<p>In <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;amp%3Butm_medium=article&amp;amp%3Butm_campaign=incidentresponsetemplates&amp;amp%3Butm_content=landing\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, we specialize in malware analysis \u2014 however, cybersecurity is a vast field that goes beyond malware research. In this educational article, then, we\u2019ve collected general information about incident response planning: what is it, what goes into it and why do you need it? 
\u00a0<\/p>\n\n\n\n<p><strong>We\u2019ll go over:\u00a0<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What some of the common components of an incident response plan are&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What some industry-standard templates look like and where to find them\u00a0<\/li>\n<\/ul>\n\n\n\n<p>Remember that this article is meant to be educational. Incident response is a very complex topic and there is no one-size-fits-all approach. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is an incident response plan?&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s get started by defining what an incident response plan actually is.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/incident-response-and-digital-forensics\/\" target=\"_blank\" rel=\"noreferrer noopener\">An incident response plan<\/a> is a systematic approach that outlines the processes to follow when a cybersecurity incident such as a data breach or advanced persistent threat occurs. Implementing this plan ensures that an organization can respond swiftly, reducing potential damage.\u00a0<\/p>\n\n\n\n<p><strong>Most incident response plans follow 6 stages<\/strong>, defined in standards like NIST&#8217;s Special Publication 800-61. 
These stages form a systematic approach to handling cybersecurity incidents:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Preparation<\/strong>: developing the plan and team.&nbsp;<\/li>\n\n\n\n<li><strong>Identification<\/strong>: recognizing the incident.&nbsp;<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/\" target=\"_blank\" rel=\"noreferrer noopener\">Containment<\/a><\/strong>: preventing further spread.\u00a0<\/li>\n\n\n\n<li><strong>Eradication<\/strong>: removing the threat.&nbsp;<\/li>\n\n\n\n<li><strong>Recovery<\/strong>: restoring functionality.&nbsp;<\/li>\n\n\n\n<li><strong>Lessons Learned<\/strong>: analyzing and improving.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The stages are designed to create a loop of learning and adaptation. They help companies learn from past incidents and make the incident response procedure more effective with each iteration.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Common parts of an incident response plan&nbsp;<\/h2>\n\n\n\n<p>Most incident response plan documents follow a similar proven structure and share standard components:\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/g7a6AFRwPj_gm-rEmyPjagcRxT3TzoCvagosNwdckpjwH6ansJbOQRZ6P9_EYlHE9FCJLesFSGzwYD6Dmhua0boKNospAz0sdyIn86XZpQ4UWZyKvgOLBVMTq_xUAmMnSVm6I0i5VonzMHVvzPoypS3U5QgKcXnY3EyxjPEaBJUUyj_NhWFkvWD2WLGdAw\" alt=\"Six phases of an incident response process \"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Purpose. <\/strong>The purpose section defines the scope, objectives, and priorities of the incident response plan. It provides a clear understanding of what the plan aims to achieve, aligning it with the organization&#8217;s overall cybersecurity strategy.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Testing and updating. 
<\/strong>This section outlines the procedures for regularly testing and updating the incident response plan. The cybersecurity landscape is constantly changing, and a plan that&#8217;s not regularly tested and updated can quickly become outdated.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Roles and responsibilities. <\/strong>Detailing the roles and responsibilities is crucial for a coordinated response. This section clearly defines who is responsible for what during an incident, eliminating confusion and ensuring that critical tasks are carried out efficiently.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Response checklist<\/strong>. A step-by-step guide for handling an incident. It includes specific actions to take at each stage of the response, from initial detection to resolution.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How a plan helps to respond to threats more effectively&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/3-reasons-why-you-need-an-incident-response-plan\/\" target=\"_blank\" rel=\"noreferrer noopener\">An incident response plan <\/a>enables the security team to follow a proven sequence of effective steps, even under stress.\u00a0\u00a0<\/p>\n\n\n\n<p>For example, one of the steps most plans will include is to thoroughly document compromised systems. This is something that\u2019s easy to overlook in the heat of the moment. However, a lack of documentation can lead to failure later when it\u2019s time to contain and eradicate the threat. 
Forgetting to isolate one infected component opens the door for malware to propagate further into the system.\u00a0\u00a0<\/p>\n\n\n\n<p>A plan ensures that nothing crucial is overlooked, and everyone on the team knows their exact responsibilities and what actions they\u2019re expected to take in what order.&nbsp;<\/p>\n\n\n\n<p><strong>In short, an incident response plan:\u00a0\u00a0<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ensures coordination<\/strong>: keeps the whole team aligned.&nbsp;<\/li>\n\n\n\n<li><strong>Provides clarity<\/strong>: outlines specific responsibilities.&nbsp;<\/li>\n\n\n\n<li><strong>Guides actions<\/strong>: defines the sequence of steps.&nbsp;<\/li>\n\n\n\n<li><strong>Prevents oversights<\/strong>: focuses on crucial details, like identification and containment steps.&nbsp;<\/li>\n\n\n\n<li><strong>Minimizes risk<\/strong>: reduces the chance of further propagation.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6 template examples of incident response plans\u00a0<\/h2>\n\n\n\n<p>If you are looking for a very comprehensive plan, consider these 4 frameworks for incident response:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. NIST SP 800-61&nbsp;<\/h3>\n\n\n\n<p>NIST SP 800-61, revised in 2012 by the U.S. National Institute of Standards and Technology, is a complete guide to incident handling. It emphasizes the coordination between legal and technical aspects, especially in the U.S.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>Use if:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Look into this template if your organization is subject to U.S. federal regulations.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Where to download it:<\/strong>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/61\/r2\/final\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Link to file<\/a>\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
ISO\/IEC 27035-2&nbsp;<\/h3>\n\n\n\n<p>ISO\/IEC 27035-2 is a globally recognized incident response standard. This paid template focuses on security team formation, policy development, and management through regular reviews and updates.\u00a0\u00a0<\/p>\n\n\n\n<p><strong>Use if:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Consider this template if you are a member of a large organization implementing security policies for the first time&nbsp;<\/li>\n\n\n\n<li>Use it when standards compliance is important, such as for financial organizations&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Where to download it:<\/strong>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.iso.org\/standard\/78974.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Link to file<\/a>\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. SANS Incident Response Process&nbsp;<\/h3>\n\n\n\n<p>Our own template is partially based on this whitepaper. Developed by SANS Institute, this framework focuses most on detailing the steps to take during an incident \u2014 including where to look for clues in different systems.&nbsp;<\/p>\n\n\n\n<p><strong>Use if:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Legal compliance, policy building, and external communication are less of a focus for your team\u00a0<\/li>\n\n\n\n<li>Your team in charge of an incident investigation is partly or wholly made up of general IT specialists\u00a0<\/li>\n<\/ul>\n\n\n\n<p><strong>Where to download it:<\/strong>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.sans.org\/white-papers\/33901\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Link to file<\/a>\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. CERT Resilience Management Model (CERT-RMM)&nbsp;<\/h3>\n\n\n\n<p>Carnegie Mellon University&#8217;s CERT-RMM focuses on a more holistic perspective of incident handling, describing components, stages, and parties involved in an incident. 
This can be beneficial to larger enterprises seeking alignment with overall business strategies. However, the information might be too generalized for teams looking for actionable advice.\u00a0<\/p>\n\n\n\n<p><strong>Use if:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You are looking for strategic guidance rather than step-by-step incident handling advice&nbsp;<\/li>\n\n\n\n<li>You need a description of the phases and components of incident response\u00a0<\/li>\n<\/ul>\n\n\n\n<p><strong>Where to download it:<\/strong>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.cmu.edu\/iso\/governance\/procedures\/incidentresponseplanv1.6.pdf\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Link to file<\/a>\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. CIS Controls Implementation Guide&nbsp;<\/h3>\n\n\n\n<p>The Center for Internet Security (CIS) offers guidance for implementing essential security controls. This framework is centered on best practices for the prevention and detection of cybersecurity threats.\u00a0<\/p>\n\n\n\n<p><strong>Use if:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your organization needs a comprehensive set of controls that go beyond just incident response.&nbsp;<\/li>\n\n\n\n<li>You are aiming for a broad approach to security, including policy development, prevention, and recovery.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Where to download it:<\/strong>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.cisecurity.org\/controls\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Link to website<\/strong><\/a>\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. Cloud Security Alliance (CSA) Incident Response Framework&nbsp;<\/h3>\n\n\n\n<p>CSA&#8217;s Incident Management Guide is designed for organizations utilizing cloud services. 
It emphasizes the unique considerations, strategies, and protocols necessary for incident handling in a cloud environment.&nbsp;<\/p>\n\n\n\n<p><strong>Use if:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your organization relies heavily on cloud-based systems and needs guidance tailored to that environment.&nbsp;<\/li>\n\n\n\n<li>You need to align your incident response planning with cloud security best practices.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Where to download it:<\/strong>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/cloudsecurityalliance.org\/artifacts\/cloud-incident-response-framework\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Link to CSA Guide<\/a>\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More useful resources&nbsp;<\/h2>\n\n\n\n<p>A plan is usually at the core of an incident response strategy, but there are more useful tools you can add to your toolbox. Here, we\u2019ve collected some of them:\u00a0<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-12\"\n           style=\"border-collapse:separate;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"9\"\n           data-wpID=\"12\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-center wpdt-bold wpdt-fs-000018 border-separate \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:35.795454545455%;                    padding:10px;\n                    \"\n                    >\n                                        Preparation\u00a0                    <\/th>\n                               
                 <th class=\"wpdt-cell wpdt-align-center wpdt-bold wpdt-fs-000018 border-separate \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:28.787878787879%;                    padding:10px;\n                    \"\n                    >\n                                        Identification\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-center wpdt-bold wpdt-fs-000018 border-separate \"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:35.416666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Containment, eradication, recovery\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-valign-top wpdt-align-left wpdt-bc-FFFFFF wpdt-bold border-separate \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Emergency contact directory\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-valign-top wpdt-align-left wpdt-bc-FFFFFF wpdt-bold border-separate \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n  
                  \"\n                    >\n                                        ANY.RUN\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-valign-top wpdt-align-left wpdt-bc-FFFFFF wpdt-bold border-separate \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        System restoration snapshots\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-bc-FFFFFF wpdt-valign-top border-separate \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A guide to reach key individuals within and outside the team during a security incident\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-bc-FFFFFF wpdt-valign-top border-separate \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Utilize it to examine malicious files and connections, execute digital forensics tasks.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-bc-FFFFFF wpdt-valign-top border-separate 
\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Employ these to revert a system to a verified clean state using a trusted backup solution.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left wpdt-bold border-separate \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Log retention guidelines\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left wpdt-bold border-separate \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Threat trackers\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left wpdt-bold border-separate \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        File Backups                    <\/td>\n                                
        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top border-separate \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defines how long data is kept to help security specialists analyze it.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top border-separate \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Use tools like the ANY.RUN trends tracker to follow and study current threats.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top border-separate \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Keep code backups on a separate server to replace compromised files with clean ones.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-bold wpdt-align-left border-separate \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n             
       data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Communication Plan\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-bold wpdt-align-left border-separate \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Network monitoring tools                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-bold wpdt-align-left border-separate \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Recovery playbooks\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top border-separate \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0Detailed plan for internal and external communication during an incident.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top border-separate \"\n                                            
data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Tools to watch network traffic for anything suspicious.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top border-separate \"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Step-by-step guides to help bring affected systems back to normal.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left border-separate \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Asset Inventory\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left border-separate \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Log comparison guidelines                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left 
border-separate \"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Incident Prioritization Table\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top border-separate \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A complete list of all critical assets to prioritize during an incident.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top border-separate \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Checklists that help narrow down data in logs to find any differences that stand out.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top border-separate \"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A guide to choose immediate or 
strategic containment based on incident complexity.\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-12'>\ntable#wpdtSimpleTable-12{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-12 td, table.wpdtSimpleTable12 th { white-space: normal !important; }\n.wpdt-fs-000018 { font-size: 18px !important;}\n.wpdt-bc-FFFFFF { background-color: #FFFFFF !important;}\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Utilizing a sandbox environment to detect threats\u00a0<\/h2>\n\n\n\n<p>Sandboxes are essential tools during incident response and investigations. They create a controlled virtual space where malware can be made to run. This helps analysts see exactly how it interacts with the system.\u00a0<\/p>\n\n\n\n<p>Consider this <a href=\"https:\/\/app.any.run\/tasks\/03ecbb8a-c766-4581-a011-c63e1963faaf\/?utm_source=anyrunblog&amp;amp%3Butm_medium=article&amp;amp%3Butm_campaign=incidentresponsetemplates&amp;amp%3Butm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">Redline task we executed in ANY.RUN<\/a>. 
The sandbox reveals a lot of useful information right off the bat, but let\u2019s focus on two: \u00a0<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IOCs&nbsp;<\/li>\n\n\n\n<li>MITRE ATT&amp;CK Matrix\u00a0<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"545\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-2-1024x545.png\" alt=\"IOCs in ANY.RUN\" class=\"wp-image-5607\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-2-1024x545.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-2-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-2-768x408.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-2-1536x817.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-2-370x197.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-2-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-2-740x394.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-2.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>For example, the IOCs report shows the malicious domain names and IP addresses that hosted Redline\u2019s C2 server while the task was running. This is the information we can use when searching network logs. 
\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-1024x566.png\" alt=\"MITRE ATT&amp;CK Matrix\u00a0in ANY.RUN\" class=\"wp-image-5605\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-740x409.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The attack matrix helps to align suspicious and malicious actions, which were automatically detected by the sandbox, with known techniques and malware families.&nbsp;<\/p>\n\n\n\n<p>For example, we can see that ANY.RUN detected the use of the Credentials from Web Browsers technique. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Main takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Having a plan can help you respond to an incident more effectively<\/strong>. It minimizes potential damage from cyberattacks and can save an average of USD 2.66 million according to IBM&#8217;s research.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>There are must-have components to effective incident response strategies<\/strong>. 
Most plans follow six stages first defined in NIST&#8217;s Special Publication 800-61 \u2014 Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Most plans follow the same framework<\/strong>. They include similar components. Typically, these are Purpose, Testing and Updating, Roles and Responsibilities, and a Response Checklist, each serving a distinct goal.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>There is no one-fit-all plan<\/strong>. We looked at some of the well-known frameworks, including NIST SP 800-61, ISO\/IEC 27035-2, SANS Incident Response Process, and CERT Resilience Management Model, each suitable for different organizational needs.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">A few words about ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Request a demo today and enjoy 14 days of free access to our Enterprise plan.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;amp%3Butm_medium=article&amp;amp%3Butm_campaign=incidentresponsetemplates&amp;amp%3Butm_content=trial\" target=\"_blank\" rel=\"noreferrer noopener\">Request demo \u2192<\/a>\u00a0<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having an incident response plan is key to minimizing potential damage from a cyberattack. \u00a0 According to research, the average cost of a data breach is USD 4.35 million. 
However, companies that regularly update their incident response plans were able to save USD 2.66 million on average.\u00a0 An incident response plan helps to detect threats [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":5610,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[10],"class_list":["post-5604","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-cybersecurity"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Incident Response Plan: 6 Example Templates<\/title>\n<meta name=\"description\" content=\"We&#039;ve collected 6 templates and resources to help those beginning to explore or apply incident response strategies.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/\"},\"author\":{\"name\":\"Jack Zalesskiy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"What is an Incident Response Plan: 6 Example Templates and Definition\u00a0\",\"datePublished\":\"2023-08-17T07:47:17+00:00\",\"dateModified\":\"2023-08-17T07:48:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/\"},\"wordCount\":1529,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"cybersecurity\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/\",\"name\":\"Incident Response Plan: 6 Example Templates\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-08-17T07:47:17+00:00\",\"dateModified\":\"2023-08-17T07:48:52+00:00\",\"description\":\"We've collected 6 templates and resources to help those beginning to explore or apply incident response 
strategies.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/incident-response-plan-templates\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"What is an Incident Response Plan: 6 Example Templates and Definition\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"caption\":\"Jack Zalesskiy\"},\"description\":\"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}