13 Steps to Incident Response Success

Posted by Vito Nozza on Oct 28, 2021 10:00:00 AM

I’ve been known to use quotes to inspire or strengthen my message, so here goes: “The sky is falling, the sky is falling” (The Remarkable Story of Chicken Little, 1840). Believe it or not, this Chicken Little quote has significance for businesses: if you are not ready for incidents, individuals will panic and act as though the sky is falling. Preventing that panic is the main purpose of an incident response plan (IRP). It works out in advance how the organization will handle events that could cause it catastrophic harm, so that nobody has to improvise when those events actually occur.

We’ve discussed the value of a business continuity plan and a disaster recovery plan in prior blogs. An incident response plan deserves the same attention, and it has to be built in a deliberate sequence to be successful. What is the procedure for ensuring that all roles and responsibilities are understood, acknowledged, and ready for action when an event occurs? Let’s look at 7 steps that are required to create a plan that will keep your business running smoothly should an incident occur:

  • Establish an incident response team. Gather business unit leaders or assigned individuals who can represent the various stakeholders during a crisis. Make sure there is an executive champion leading the charge so that all will follow.

  • Analyze potential threats. Using your business continuity plan, gather the inventory of assets that are critical to your business. From there, conduct a threat analysis of the events and scenarios that could affect those assets. These could be malware outbreaks, DDoS events, or ransomware attacks that could cripple your operations.

  • Outline response guidelines. Once scenarios have been established and leaders have participated in the threat analysis, you are ready to create your guidelines: for each scenario, who is notified, who has authority to decide, and what actions are taken.

  • Prepare your external response. As we all know, nothing exists in a bubble. Ensure that external communication guidelines are established with law enforcement, PR firms, and possibly first responders.

  • Train. Once scenarios are approved, train employees on their assigned roles for when events occur.

  • Test, test, and re-test the incident response plan(s). Even if they worked the first time, things change and the tests should be altered accordingly. Adaptability is key.

  • Learn from the scenarios and your risks. As your response plan changes, ensure everyone is updated on the modifications.

Great news: Your incident response plan is now set. Leaders have been informed and are on-board, and all employees are prepared for what might come next. Let’s go over 6 steps that should be followed during times of an event:

  • Detection. Hopefully, you already have a managed detection and response program or a Security Information and Event Management (SIEM) tool that alerts you when an event or possible compromise has been detected. At this point you have an event that falls outside your normal traffic patterns and needs a closer look.

  • Analysis. Your team analyzes the event to confirm that there is in fact an incident taking place that could affect ongoing operations. Now, I’m not talking about Bill being unable to access the web, but rather a slowdown in services that affects all operations.

  • Containment. This allows you to limit any further loss by isolating the affected systems so the attack cannot spread beyond the segment it has already reached. It also gives your experts or external forensic investigators time to collect data, tag it, and preserve it carefully so it can be dissected and investigated later in a lab.

  • Eradication. Now’s the time to extinguish the threat so that there are no further risks to your ecosystem.

  • Recovery. This is the time when you either bring verified clean services back up or enact your disaster recovery plan and restore from backup data held at your secondary sites and/or in the cloud.

  • Lessons Learned. This final step is one of the most important. It allows the incident response team to meet after the event is under control and no longer a threat. Discussions will be around what happened, how the incident response plan performed, and what lessons were learned so that a repeat of the event does not occur.
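The first three steps above (detection, analysis, containment) can be rehearsed as a small, repeatable playbook. The following is an added illustration, not code from the original post or from ConvergeOne: it walks a constructed set of connection-log lines through a simple detection rule (a host talking to unusually many destination ports), an analysis check that only confirms an incident when the suspect host touched an asset on the critical-asset list from your business continuity plan, and a containment record that isolates the host and hashes the collected evidence so it can be tagged for later forensic work. The log format, hostnames, critical-asset list, and threshold are all assumptions made for the example.

```python
"""Toy detection -> analysis -> containment pass over constructed log lines.
Added example; nothing here is from the original post. Log format, hostnames,
critical assets and the fan-out threshold are assumptions for illustration."""
import hashlib
import json
from collections import defaultdict

# Constructed sample log: "<timestamp> <src_host> <dst_host> <dst_port> <bytes>"
SAMPLE_LOG = """\
2021-10-28T09:00:01 ws-17 web-proxy 443 5120
2021-10-28T09:00:03 ws-22 web-proxy 443 2048
2021-10-28T09:00:05 ws-17 file-01 22 90
2021-10-28T09:00:06 ws-17 file-01 445 110
2021-10-28T09:00:07 ws-17 erp-01 3389 120
2021-10-28T09:00:08 ws-17 db-01 1433 80
2021-10-28T09:00:09 ws-22 web-proxy 80 4096
2021-10-28T09:00:10 ws-31 web-proxy 443 1024
2021-10-28T09:00:11 ws-17 erp-01 5985 95
2021-10-28T09:00:12 ws-31 file-01 445 900
"""

# Assumed critical-asset list (the kind of inventory the BCP step produces).
CRITICAL_ASSETS = {"db-01", "erp-01"}
# Assumed "normal" upper bound on distinct destination ports per source host.
PORT_FANOUT_THRESHOLD = 4


def parse_log(text):
    """Parse the constructed log format into dicts, keeping the raw line as evidence."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes), "raw": line})
    return records


def detect(records, threshold=PORT_FANOUT_THRESHOLD):
    """Detection: flag source hosts whose distinct-port fan-out exceeds the baseline."""
    ports_by_host = defaultdict(set)
    for r in records:
        ports_by_host[r["src"]].add(r["port"])
    return sorted(h for h, ports in ports_by_host.items() if len(ports) >= threshold)


def analyze(records, suspects, critical=CRITICAL_ASSETS):
    """Analysis: confirm an incident only if a suspect touched a critical asset.
    Returns {host: [critical assets touched]} for confirmed hosts only."""
    confirmed = {}
    for host in suspects:
        touched = sorted({r["dst"] for r in records
                          if r["src"] == host and r["dst"] in critical})
        if touched:
            confirmed[host] = touched
    return confirmed


def contain(records, confirmed):
    """Containment: isolate each confirmed host and tag its evidence with a SHA-256
    digest of the collected raw lines, so the bundle can be verified later."""
    actions = []
    for host, assets in confirmed.items():
        evidence = [r["raw"] for r in records if r["src"] == host]
        digest = hashlib.sha256("\n".join(evidence).encode()).hexdigest()
        actions.append({"host": host, "action": "isolate",
                        "critical_assets": assets,
                        "evidence_lines": len(evidence),
                        "evidence_sha256": digest})
    return actions


def run_playbook(text):
    """Run the three steps in order and return everything a responder would log."""
    records = parse_log(text)
    suspects = detect(records)
    confirmed = analyze(records, suspects)
    return {"suspects": suspects, "confirmed": confirmed,
            "actions": contain(records, confirmed)}


if __name__ == "__main__":
    print(json.dumps(run_playbook(SAMPLE_LOG), indent=2))
```

Run as-is, the playbook flags ws-17 (six distinct ports), confirms it because it reached both db-01 and erp-01, and emits one isolate action with six tagged evidence lines; ws-22 and ws-31 never pass detection. In a real deployment the threshold would come from a measured baseline and the isolate action from your EDR or switch ACLs, but the shape of the decision chain is the one the steps above describe.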

At ConvergeOne, we are helping clients across various verticals to create, implement, practice, and execute incident response plans. For the many who do not have the capabilities to run these plans on their own during an event, ConvergeOne can provide a retainer for a team to assist at a moment’s notice. Forensic investigation teams are also available, should the breach become a legal or regulatory issue.

This final blog installment for Cybersecurity Awareness Month highlights the reality of what happens when you fail to create an incident response plan—and what the repercussions could be for your company. Remember, you never want to be like Chicken Little. Even if it feels like the sky might be falling, you can remain as cool as a cucumber if you’ve prepared.


22 Cybersecurity Tips for 2022 White Paper

As you prepare for 2022, you should prioritize building a cyber-aware culture within your organization and proactively follow a number of steps to keep your information and people protected from cyber-attacks. Download this ConvergeOne white paper to receive all 22 cyber tips to get your organization started.


Topics: Security, Cyber Security, Cyber Awareness, Disaster Recovery, Cyber Recovery, Business Continuity


Vito Nozza is the Principal Consultant, Cyber Security Lifecycle Consulting in ConvergeOne’s National Cyber Security Practice. His career spans 20+ years in Enterprise Architecture, with 15 years specific to Cyber Security. He has held roles as a CTO, Director, Principal Architect and Global Security Advisor, all of which have involved providing guidance and consultative services to SME and Enterprise-grade entities. Vito has been instrumental in establishing cloud security, guided frameworks and disaster/incident response plans, with overall GRC and ERM goals.