Anatomy of an Incident Response Plan

Hwei Oh

In our previous two articles in this series, we talked about what an Incident Response (IR) plan is and how to get your team familiar with its steps and the process using tabletop exercises. In this article, we’re going to go into detail on what happens during IR and the nitty-gritty of what makes an IR plan work.

An IR plan and robust IR strategy are both vital to ensure that a company recovers properly from an incident. Even companies with an excellent cybersecurity posture can suffer a data breach.

Faster response to an incident reduces the cost of a data breach by over 25%, according to IBM’s Cost of a Data Breach Report for 2021.

An investment in a proper IR plan that is thoroughly tested pays off several times over.

Let’s break down an IR plan into its most essential parts:

The 3 major phases of any incident response

When implementing an IR plan, it is important that the stakeholders involved know the overall major phases of the plan.

  1. Contain and eradicate
  2. Investigate
  3. Recover and strengthen

Phase One: Contain and Eradicate

Above all else, the attack must be stopped and the damage needs to be contained. For example, if hackers have infiltrated the company’s network and are actively controlling computers remotely, the victim’s priority should be to remove the unauthorized user’s access. If the access was gained through malware, that malware must be completely eradicated, and any infected devices should be disconnected to reduce further risk.

Containment and eradication of the threat are typically done through EDR (Endpoint Detection and Response) tools that can be used to triage the attack in detail, as well as quickly isolate infected machines to preserve the wider environment.

It’s important that IT teams continue to monitor the environment during an ongoing response, both to establish whether any new areas have been compromised and to watch for signs of reinfection.

Once the threat has been contained, this step is considered complete.
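The monitoring that Phase One calls for can be expressed as a small piece of detection logic. The following is an added example, not code from the article or from any EDR product: it replays EDR-style alert lines in chronological order and flags the two conditions a response team watches for, reinfection of a host that was already cleaned and spread of a known indicator to a host not previously affected. The log format, the field names (`host`, `event`, `sha256`, `action`), the event names and the hash values are all constructed assumptions for this example.

```python
# Added example (not from the article): replay EDR-style alert lines and flag
# reinfection and spread during the containment phase. Log format, field
# names, event names and hash values are constructed for this example.
from collections import Counter

# Constructed sample alert lines. Assumed format: ISO timestamp followed by
# space-separated key=value fields. HASH_A / HASH_B stand in for SHA-256 values.
SAMPLE_ALERTS = """\
2024-05-01T10:02:11Z host=WS-014 event=malware_detected sha256=HASH_A action=quarantined
2024-05-01T10:05:40Z host=WS-014 event=host_isolated
2024-05-01T10:31:02Z host=WS-014 event=malware_detected sha256=HASH_A action=quarantined
2024-05-01T10:45:17Z host=WS-027 event=malware_detected sha256=HASH_A action=quarantined
2024-05-01T10:50:00Z host=WS-031 event=malware_detected sha256=HASH_B action=quarantined
2024-05-01T11:00:00Z host=WS-014 event=host_released
"""


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; values are assumed to contain no spaces."""
    ts, _, rest = line.partition(" ")
    fields = dict(token.split("=", 1) for token in rest.split())
    fields["ts"] = ts
    return fields


def monitor(alert_text):
    """Replay alerts chronologically and return a list of findings.

    A hash is treated as 'known' from its first detection onward. Any later
    detection of that hash is either a reinfection (same host again) or
    spread (a host not seen before). Each finding records whether the host
    was under EDR isolation at the time: a detection on an isolated host
    means either that isolation did not hold or that eradication was
    incomplete, and both need a second look.
    """
    seen_on = {}        # sha256 -> set of hosts where it has been detected
    isolated = set()    # hosts currently network-isolated by EDR
    findings = []
    for raw in alert_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        host, event = ev["host"], ev["event"]
        if event == "host_isolated":
            isolated.add(host)
        elif event == "host_released":
            isolated.discard(host)
        elif event == "malware_detected":
            ioc = ev.get("sha256")
            hosts = seen_on.setdefault(ioc, set())
            if hosts:  # not the first sighting of this indicator
                findings.append({
                    "ts": ev["ts"],
                    "host": host,
                    "sha256": ioc,
                    "kind": "reinfection" if host in hosts else "spread",
                    "while_isolated": host in isolated,
                })
            hosts.add(host)
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'reinfection': 1, 'spread': 1}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for finding in monitor(SAMPLE_ALERTS):
        print(finding)
    print(summarize(monitor(SAMPLE_ALERTS)))
```

On the constructed sample, the second sighting of HASH_A on WS-014 is reported as a reinfection that occurred while the host was isolated, and the sighting on WS-027 is reported as spread; the first sighting of HASH_B on WS-031 is recorded but not flagged, because nothing has yet been contained for it. In practice the known-indicator set would be seeded from Phase One triage rather than learned only from the stream, and the output would feed the ongoing-monitoring step rather than a console.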

Phase Two: Investigate

Some investigatory steps will inevitably have been done during Phase One, at least to determine the primary attack vector.

Now a deeper investigation begins. The tech team will want immediate answers to questions such as:

  • How did the attacker get in?
  • What did they do when they got in?
  • What kind of data did they access or potentially steal?

Essentially, in order for the tech team to understand the scope of the breach and its potential impacts, it must gather forensic evidence.

Investigatory steps and discoveries should be documented to potentially provide law enforcement with any necessary data for later prosecution. It’s a good idea to keep all information discovered during the investigation even if law enforcement is not involved.

Phase Three: Recover and strengthen security

Once the damage has been assessed, the company must engage in recovery efforts. 

A full recovery might require restoring backups, decrypting data, and negotiating with threat actors if the threat is still ongoing. The company might also need to recover from any reputational damage and also involve cyber insurance in order to offset financial costs.

Finally, any discovered vulnerabilities would have to be fixed as a top priority to prevent that specific attack vector from being exploited again.

9 key elements of a successful IR plan

Good IR is not only about having the plan but also ensuring it’s operational and can be followed easily. A great plan is pointless if no one uses it.

The following are the nine most common mistakes companies make in IR planning, mistakes that prevent IR plans from being usable, along with how to avoid each one:

1. Don’t make it an encyclopedia

An IR plan that reads like an encyclopedia won’t be followed because it’s not actionable. People are also unlikely to read it. Even if they do, they’ll struggle to remember the key steps.

Keep IR plans succinct and prepare them as guidelines. If more detailed steps are required, put those steps in separate playbooks.

2. Make it accountable

By assigning who does what, a plan integrates accountability.

What are the roles and responsibilities of an IR plan? What does the IR team look like? Who declares an incident?

The IR plan should also include contact details for each person involved so those people can be easily reached on the day of an incident.

3. Make it actionable

Keeping the plan concise and actionable helps get the gears into motion.

For example, tackling ransomware might require numerous technical steps such as tightening the network perimeter, hardening endpoints, finding backups, and disconnecting computers from the network. Instead of getting into minute details in the plan itself, the entire subject could be stated as:

  1. Tech team must contain the ransomware threat and prevent it from spreading. [refer to ransomware playbook for steps]
  2. Restore backups of affected computers if those backups are less than a few hours old. [refer to ransomware playbook for steps]

One should find the right balance between going too deeply into detail and not covering enough. If you’re too detailed, you run the risk of having outdated information that’s less helpful if an incident does happen. Leave the details for specific playbooks that are referred to within the plan.

4. Classify severity

The severity of an incident should be clearly defined so that executives don’t have to think about it on the day of the attack.

By defining severity criteria of high, medium, and low, the response team will know how involved they’ll need to be as well as the urgency of response. Ransomware attacks, for example, are always high-severity attacks because they can bring down an entire organization.

5. Include stakeholders

All stakeholders in the incident, both internal and external, must be known and their contact information listed.

Internal stakeholders are people such as business representatives, technical teams, legal, and PR. External stakeholders could be an insurance provider, an external IR team, external legal counsel, law enforcement, and regulators.

One key mistake companies make is to think of this as nothing more than a Rolodex. It isn’t. These are the relationships that must be nurtured long before any incident. An incident response shouldn’t feel like a pickup game. The team should know its members, both internal and external, so that everyone hits the field running on the day of an attack.

6. Use playbooks

The IR plan doesn’t need to be granular — that’s what playbooks are for. But even playbooks should be succinctly written with only the essential information required to spur action on the day.

Attacks are also all different, and an IR plan cannot be expected to cover each one in a single document. Playbooks could be written for each type of attack, such as one for ransomware, another for a Business Email Compromise (BEC) attack, and so on.

7. Include the entire organization

Another common error is that the IR plan is too hyper-focused on a single application, department, or business unit. The plan should focus on the organization as a whole and the ramifications of an attack on every aspect of a business.

When the entire organization is not included in the plan, it can miss nuances that open up further security holes or expose the company to other risks, such as fines or reputation damage.

8. Make the plan understandable to everyone

The executive team is unlikely to understand the technical steps required in mitigating an attack. But they also don’t need to, at least not at a granular level.

They should however understand the overall concept of what’s being done and why. This is why it is vital to separate the IR plan from the individual playbooks. The IR plan itself should be understood by all. The playbooks can get into role-specific details.

Executives need to primarily understand the objectives of the tech team, and how these objectives can affect executive obligations and decisions.

9. Make the phases understandable

The IR plan’s three primary phases — Contain, Investigate, Recover — each have a definite beginning and an end. The path from beginning to end will rarely follow the same route twice. There are forks depending on what decisions are made, and on the nature of the attack.

But everyone should at least have an understanding of the major phases of the IR plan, and what defines the beginning and end of each.

At a broad level, incident responses follow the same pattern, much like all ice cream is made from milk and sugar but the flavors can be wildly different depending on additional factors.

Companies that don’t have a well-defined IR plan that has been thoroughly tested inevitably suffer more financial loss from a data breach, so it is vital to implement an IR plan in your company regardless of how otherwise robust your security posture is.

To this end, SolCyber has partnered with expert IR company Surefire Cyber to ensure that we can offer a turnkey cybersecurity solution to all our clients, including the ability to respond swiftly to any attack.

To learn more about how SolCyber can help you implement an effective IR plan that rapidly addresses any attack, contact us for a no-obligation consultation.
