Prepare for the Worst: How to Create a Cyber Security Incident Response Plan

Cyber security incidents have increased in frequency and sophistication, and because a breach affects personal and financial information, these incidents become news stories, damaging the business and reputations of the victims, who range from government bodies and businesses to other non-governmental organizations – essentially, any owner of personal or sensitive data.

While there has always been industrial espionage and attempts to co-opt a company’s information, traditional information breaches differ from cyber-information breaches in some important ways.

For instance, reporting such incidents is legally mandated, and specialist expertise is required to respond to and neutralize an attack effectively.

Part of any good data governance strategy is to put a program in place to deal with breaches and attacks. Such strategies are known as cyber-security incident response plans or CSIRPs. A CSIRP includes end-to-end security issues, from planning for such incidents to cleanup and restoration.

Thus far, organizations have worked with security companies to identify ways to check and respond to these attacks quickly, effectively, and completely. However, the attacks continue to escalate, and large organizations have recognized the scale of the threat and are working on establishing best-practice-driven methods for dealing with such incidents.


Types of Cyber-Security Incidents

Cyber-security incidents can take a number of forms, and to identify a breach or attack in time, it is useful to be familiar with the types of incidents that occur. Understanding these events means that effective response plans can be developed which specifically address the different types of damage that can result.

The following is a partial list of incident types. It is important to understand that no list of this nature can be complete because one of the main challenges in the field of cyber-security is that attacks are constantly evolving, and attackers are constantly finding new methods. All new technologies bring with them new vulnerabilities.

Because of this evolution, the definition of an incident is not fixed and must evolve along with the technology.

Cyber security incidents can be classified as being among the following types:

  • Social
  • Hacking
  • Malware
  • Misuse

We can further define these types of incidents while recognizing that there are overlaps between these categories and that the categories themselves are not exhaustive as long as attacks continue to evolve.

Social Engineering Attacks

These are typically low-tech attacks, in which attackers take advantage of the human tendency to trust others based on superficial validating factors: for instance, the attacker who enters an organization’s premises under false pretenses by pretending to be an employee, vendor, or even a security expert.

The attacker gains access to systems and information that would otherwise be unavailable. Spoofed websites, emails, and phone numbers are included in this type of attack. Social engineering can take many forms, but the identifying feature of these infiltrations is the manipulation of well-intentioned employees to open the system to a stranger based on a false belief in a hacker’s credibility.

Hacking (incursions)

This is essentially the hijacking of a system or systems using false credentials. The credentials might be obtained through social engineering tactics – gaining the trust of employees or managers with access to the target systems – or through malware that installs itself on a system, or by tunneling into a protected system and using brute force methods to break passwords, encryption, and other protections.

However, cryptographic algorithms have improved considerably since brute force attacks first appeared; currently, many organizations are adopting the SHA-2 and ECC algorithms for better protection.

Malware Attacks

This type of attack specifically refers to using software – viruses, Trojans, spyware, etc. – to infiltrate systems and collect information. Malware can be installed through social engineering techniques or hacking, or by piggybacking on other installations.

Once installed, malware usually has two jobs to perform: to protect itself from detection, and to gather information for the attacker to use. Malware programmers have become adept at creating code that is hard to find, difficult to uninstall, and which is very good at reinstalling itself if it is removed.

System Misuse by Internal Personnel

This can be unintentional or planned, but access to systems in a large organization opens up opportunities for security breaches in many different ways. Access may not be turned off quickly enough after employees or vendors are let go, allowing malicious access by former partners. Lack of security awareness among well-intentioned employees can lead to vulnerabilities or simply passing information to the wrong people.

Poor training can lead to carelessness or exposing a system to people for whom it was never intended. A lack of policies that govern data use and exchange creates vulnerabilities as well.

Advanced Persistent Threats

APTs use a variety of methods to maintain a continuous attack on a system or company. These attacks are increasing at such a rate they deserve particular mention. They are not only dangerous in that persistence is often successful, but when such an event is identified, an organization is obliged to expend a great deal of energy and resources in resisting the incessant attacks.

Advanced Persistent Threats generally are intended to produce one of the following results: initial breach of systems, intelligence gathering, hijacking of systems, obtaining system privileges, or theft of personal or sensitive data.

APTs are of special concern also because they exploit technology that allows them to circumvent ordinary security. Often they utilize code that is written and compiled for a specific target, so there is no opportunity for experts to prepare for it based on other attacks, or for anti-virus engines to protect against it. Typically, the code is sophisticated, using multiple techniques to prevent its removal, to increase its access and privileges, and add itself to the firewall whitelist.

These are not the only ways of classifying incidents for response planning. It is also important to understand who your attackers are: whether they are small- or large-scale criminals or competitors, for instance. The reasons for incidents are also important: was an attack planned to gain information on your organization, to commit other types of criminal activity such as identity theft, or was it for revenge, publicity, or simply to prove it can be done? Is the attack meant to be broad and unmistakable, like a Denial-of-Service (DoS) attack? Or is it meant to be undetected until after the data is stolen?

Understanding the variety of attackers, attack types, and purposes will all help in designing a robust CSI response plan that will be effective for the widest variety of attacks.

Components of CSIRP

A cyber-security incident response plan, to be effective, must contain certain elements. It is important to recognize the eight stages of a CSI and establish a response for each stage: detection, identification, analysis, notification, containment, eradication, recovery, and post-incident recovery. How to implement each component depends very much on the type of organization, particularly the size and configuration of its data store and data governance policies. While implementation can vary, there are commonalities that can help guide the creation of an effective CSIRP.

The plan starts with detection. The faster the attack is detected, the more successful your organization will be in controlling the damage. The longer an attack goes on, the more likely it is to be successful, and the more information can be stolen. Detection mechanisms often include data analysis methods and analysis of logging services. Data analysis is geared toward detecting patterns and deviations, and those are the clues that will alert your security team of an attack.
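As an added illustration of the "patterns and deviations" approach to detection described above (this is example code, not code from the original article), the following script counts failed SSH logins per source address and hour in a handful of constructed syslog-style lines and flags any bucket that stands out from the others. The log lines, addresses, and the thresholds `min_events` and `sigma` are all constructed assumptions for the demonstration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample auth log lines (syslog format); not from any real system.
SAMPLE_LOG = """\
Mar 03 08:14:02 web1 sshd[1190]: Failed password for alice from 198.51.100.4 port 40110 ssh2
Mar 03 08:31:45 web1 sshd[1193]: Accepted password for alice from 198.51.100.4 port 40111 ssh2
Mar 03 08:52:10 web1 sshd[1195]: Failed password for bob from 198.51.100.9 port 40250 ssh2
Mar 03 09:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 03 09:00:02 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 03 09:00:03 web1 sshd[1202]: Failed password for admin from 203.0.113.7 port 50125 ssh2
Mar 03 09:00:04 web1 sshd[1203]: Failed password for admin from 203.0.113.7 port 50126 ssh2
Mar 03 09:00:05 web1 sshd[1204]: Failed password for oracle from 203.0.113.7 port 50127 ssh2
Mar 03 09:00:06 web1 sshd[1205]: Failed password for oracle from 203.0.113.7 port 50128 ssh2
Mar 03 09:17:30 web1 sshd[1210]: Failed password for carol from 198.51.100.12 port 40300 ssh2
Mar 03 09:45:12 web1 sshd[1215]: Accepted password for carol from 198.51.100.12 port 40301 ssh2
"""

# Matches only failed-password events and captures the hour, user and source IP.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def failed_logins_per_source_hour(log_text):
    """Count failed SSH logins per (source IP, hour) bucket."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            bucket = f"{m['month']} {m['day']} {m['hour']}:00"
            counts[(m["src"], bucket)] += 1
    return counts

def detect_deviations(counts, min_events=5, sigma=2.0):
    """Flag buckets that deviate from the population of all *other* buckets.

    A bucket is reported when it holds at least min_events failures and exceeds
    mean + sigma * stdev of the remaining buckets. Excluding the bucket under test
    from its own baseline keeps a single large outlier from inflating the
    threshold it is compared against (the assumed thresholds are illustrative)."""
    alerts = []
    for key, n in counts.items():
        others = [v for k, v in counts.items() if k != key]
        if not others:
            continue
        threshold = mean(others) + sigma * pstdev(others)
        if n >= min_events and n > threshold:
            alerts.append({"source": key[0], "hour": key[1],
                           "failures": n, "threshold": round(threshold, 2)})
    return alerts

if __name__ == "__main__":
    for alert in detect_deviations(failed_logins_per_source_hour(SAMPLE_LOG)):
        print(alert)
```

On the sample data only the 203.0.113.7 bucket at 09:00 is flagged; the single failures from the other addresses stay below both the event minimum and the statistical threshold.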

The next component must be the identification of the attack and the attacker. A CSIRP should describe a number of scenarios and the different responses each requires. In order to know which response scenario is most appropriate, the organization’s security experts will classify an attack using the above criteria as well as the set of scenarios that are defined in the CSIRP.

The analysis must be performed to determine the extent of the damage and the goal of the attack; this will also help guide post-incident actions. Notification is often a requirement when personal or sensitive data is breached, but in order to provide the most accurate and appropriate information, an analysis must be performed first. A plan to notify the appropriate people can then be implemented based on the findings of the incident analysis.

The analysis, for instance, will help determine the most effective containment and eradication strategies. Although the components of a response plan are presented sequentially, containment and eradication clearly cannot wait for notification to be complete; these responses must be performed concurrently with regulatory obligations such as notification. Again, the faster one can contain and eliminate such a breach, the less damage will result from it.

Once the incident has been contained and eliminated, the recovery process must start. Recovery can be seen as two-phased: incident recovery, which includes re-securing data and systems, and post-incident recovery, which includes plans to prevent similar attacks in the future as well as, frequently, the management and control of public relations fallout.

Build a CSI Response Plan

When creating a response plan, it is useful to think of your CSIRP in three phases: preparation, response, and adaptation of your plans from lessons learned.


Preparation is done in advance of any breach, ideally as part of your data governance strategy. For that, you will need to do the following:

  • Critically assess the current state of your organization’s security preparedness.
  • Prepare realistic scenarios of possible attacks and their appropriate responses; then validate the effectiveness of those responses through drills, tests, and rehearsals.
  • Ensure you are set up to detect attacks that are executed on your systems.
  • Evaluate your security training, staff preparedness, data storage, and the value of your data to yourself and others.
  • Train people frequently to reinforce the concepts and the urgency of preparedness.
  • Create a data governance framework that lays out policies for data collection, validation, usage, analysis, and storage.
  • Create a dedicated security and data-governance team or department, with the expertise and resources necessary to keep your CSIRP clear, well understood, and up-to-date.
  • Continue to test and evaluate your security measures and response plans. Ensure your staff is aware of developing technologies.


Plan your response strategies in advance so that they can be implemented immediately when an incident occurs.

  • Identify attacks as quickly as possible.
  • Understand the goal of the response: secure the data, repel the attack, restore systems, notify stakeholders, and/or address PR issues.
  • Restore systems, data, and connectivity with confidence that the breach has been repaired.
  • Notify stakeholders and any entities to which you are legally required to report such incidents.


After an incident, hold a post-mortem as quickly as you can, while ideas and lessons learned are fresh and easy to remember.

  • Investigate the incident at a greater level of detail. Often, the response must be done so quickly that some analysis must wait until the height of the emergency is past.
  • Create a lessons-learned document, and review it with stakeholders.
  • Communicate new information to employees, and update training. Plan revised training as soon as the updated curriculum is available.
  • Update technology as appropriate.
  • Invest in filling security gaps as identified in the post-mortem.
  • Continue to monitor developments in security technologies and hacker techniques.

Main Challenges to Effective Response Plans

A number of challenges must be overcome in creating a CSI response plan and executing on it. Possibly the biggest issue is that management and employees have difficulty accepting the likelihood of an attack. Malicious and criminal attacks are difficult for ordinary people to understand or anticipate, and a data governance body must first ensure that management and employees appreciate the risk, understand the potential damage, and are willing to invest in both protection and recovery plans.

In addition, the effectiveness of response plans can be compromised by other factors such as:

  • A failure to identify an attack quickly enough to contain the damage effectively.
  • Inadequate understanding of the goals of eradication and recovery.
  • The complexity of attacks may mask some of the critical and most damaging components of the attack.
  • Lack of diligence in keeping response plans and training updated.

Even in a best-case scenario, an organization still has to wrestle with the difficulties of identifying the extent of a breach, confirming what systems were breached and remain vulnerable, and having a full understanding of the origin, mechanics, and perpetrators of an attack.


Security should never be an after-the-fact issue. Good up-front planning, an awareness of the CSIRP as an important component in your data governance strategy, and a dedicated team whose job it is to keep your security practices tuned up and technologically current are all critical factors. Training and consciousness-raising are also crucial. The most important concept that any organization must understand, however, is its essential vulnerability as a holder of data in a vast network. Self-knowledge is the beginning of preparedness.

Frequently Asked Questions

Question: What is a cyber security incident response plan?

Answer: A Cyber Security Incident Response Plan (CSIRP) is a set of procedures and guidelines that organizations use to respond to and manage cyber security incidents. It outlines the roles and responsibilities of different departments and individuals and specifies the steps that should be taken to contain and mitigate the incident, as well as to restore normal operations.

Question: Why do organizations need a cyber security incident response plan?

Answer: Organizations need a CSIRP to ensure that they are prepared to respond effectively to cyber security incidents, which can include data breaches, network intrusions, and other types of cyber attacks. A CSIRP helps organizations minimize the impact of an incident and minimize damage, such as reputational damage, financial loss, and legal liability.

Question: What are the components of a cyber security incident response plan?

Answer: The components of a CSIRP typically include incident identification and reporting, incident response and containment, incident recovery and restoration, and incident follow-up and reporting. Additionally, a CSIRP should also include procedures for incident communication and coordination with external partners and stakeholders, such as law enforcement agencies and regulatory bodies.

Question: How should an organization implement a cyber security incident response plan?

Answer: Implementing a CSIRP involves creating a cross-functional incident response team, assigning roles and responsibilities, and training all relevant personnel on incident response procedures. Additionally, organizations should conduct regular incident response exercises to test and refine their CSIRP.

Question: How can organizations ensure that their cyber security incident response plan is effective?

Answer: Organizations can ensure that their CSIRP is effective by regularly reviewing and updating it, conducting incident response exercises, and incorporating feedback from incident response team members. Additionally, organizations should also regularly assess their cyber security risks and vulnerabilities, and adjust their CSIRP accordingly.

Question: How do incident communication and coordination with external partners and stakeholders play a role in a cyber security incident response plan?

Answer: Incident communication and coordination with external partners and stakeholders is critical to ensure that the incident response is well-coordinated and effective. This includes communication with law enforcement agencies and regulatory bodies, as well as with customers, clients, and other stakeholders, in order to provide timely and accurate information about the incident and the organization’s response.

Question: What are some common challenges organizations face when implementing a Cyber Security Incident Response Plan?

Answer: Some common challenges organizations face when implementing a CSIRP include a lack of buy-in and support from senior management, lack of resources and funding, lack of incident response expertise, and difficulty in coordinating incident response across different departments and functions.

Ruben Harutyunyan
