How to Plan for Incident Response in Your Organization

February 4th, 2015 by Menachem Perlman

Plan for Incident Response imageBelow is an Incident Response Plan and the basic steps that you should take when you are preparing for, and responding to a breach on your network.

If you would like a downloadable PDF version, just let us know.

We can divide incident response to 6 main steps:

  1. Preparation: get ready to handle an incident by having a CSIRP ready
  2. Identification: detect the incident
  3. Containment: limit the impact of the incident
  4. Remediation: remove the threat
  5. Recovery: recover to a normal stage
  6. Aftermath: perform a retrospective and improve the process
  7. Incident Response Steps


  • Have an updated Computer Security Incident Response Plan (CSIRP) to
    • Save time during incident
    • Have a pre-approved methodology
    • Define an incident communications structure
    • Gather appropriate resources
  • Set aside budget for incident response emergencies

After the incident is identified

1. Identification: Gather the necessary information and understand which of your tools you will need to use to understand what happened.

  • Quickly try to identify exactly what happened. For example:
    1. Where did the incident occur?
    2. Who reported or discovered the incident?
    3. How was it discovered?
  • Determine whether the incident is limited to one endpoint or if it has spread on the network. Look at network configuration details and connections. Make a note of anomalous settings, sessions or ports. Note changes that have been made to systems lately or changes made by unauthorized users.
  • Look at the system and application logs for unusual events.
  • Check the list of users for different accounts and make sure that only these users have access. Disable any non-relevant and unknown users.
  • Decide what type of incident has occurred (data theft, insider threat, a hacked network where damage still hasn’t occurred) and the scope of the business impact.
  • Look at the existing processes or files and check for those that are not familiar.
  • Compare hosts inside the network to look for processes or files that do not belong to your network.
  • Look for unusual programs configured to run automatically on system start.
  • Check ARP and DNS settings, and check for host file form entries that are not standard in your organization.
  • Use either a local or external network sniffer to identify unusual activity.
  • Examine recently-reported problems, intrusion detection and related alerts.

2. Containment and eradication: Contain the incident to minimize its effect on neighboring IT resources and eliminate compromised artifacts

  • Think out-of-the box and create a fast workaround to contain the suspicious endpoint by isolating it.
  • Make sure you have the right tools to take care of the event.
  • Give permission to relevant parties so that they can handle the event.
  • Make sure you have the best security experts on your team that can handle this incident.
  • In order to retain attacker’s footprints avoid taking actions that access many files or install new tools.
  • Don’t be afraid to take action: get pre-approval to respond effectively in order to effectively stop damage. Waiting = data loss and destruction.

3. Recovery and Aftermath: Document the incident’s details, retain collected data, and discuss lessons learned

  • Restore data from backups.
  • Prepare a checklist with additional space for notes, dates and times, and other pertinent information.
  • Make sure you have the right tools for continuous, ongoing monitoring of your network.
  • After you believe the incident has been resolved, continue to continuously monitor the network and the infected host for suspicious activities, in the event that something has remained in the network.

Make sure that your team is continuously trained to handle new and unknown security incidents

Responding to the evolution of cyber threats

Subscribe to this blog

Leave a Reply

Your email address will not be published. Required fields are marked *