InfoSec Insider

3 Guideposts for Building a Better Incident-Response Plan

Invest and practice: Grant Oviatt, director of incident-response engagements at Red Canary, lays out the key building blocks for effective IR.

The COVID-19 pandemic has highlighted the pressing need for security organizations to implement a structured, detailed and well-practiced incident-response plan. As the walls of the organization have extended from corporate offices into employee living rooms, the effectiveness of security controls has been diluted across a workforce operating on home networks and unmanaged assets.

To add insult to injury, ransomware operators have opportunistically jumped into action to capitalize on this expanded organizational footprint. The combination of increased threat activity and reduced visibility makes it vital for organizations to invest the time in developing an effective incident-response plan, so that business impact is reduced if the organization experiences a significant compromise.

To that end, let’s discuss the key building blocks for developing and testing an effective incident-response plan.

Key Building Blocks for Effective Incident Response

The main goal of an incident-response plan is, of course, to minimize the business and operational impact of a security incident. Effective security monitoring, such as increasing security operations center (SOC) automation and improving alert management, is critical to an overall security program, but an IR plan extends beyond keeping threats at bay. It assumes a post-compromise state and describes how the organization responds holistically when a malicious threat actor is already cohabiting the network environment.

Security controls are essential components to a meaningful defense strategy, but are not substitutes for investing in an IR plan to address a significant cyber-event. Overall, the planning process gives organizations the space to assess their program, build relationships with third-party vendors, and establish their response before a potential breach to maximize decision quality instead of settling for decision speed.

1: Assessing Your Program

One of the core elements to building a quality incident-response plan is candor. It requires objectively evaluating time-sensitive use cases that arise from a security incident and determining if your current bench is up to the task. Key questions to ask include:

  • In the event my security team is notified of malicious activity, do they have the skills, training, tools and process to effectively investigate, document and communicate an incident to internal stakeholders?
  • Does my organization have the ability to quickly respond and remediate active threats?
  • When would we invoke our incident-response plan? Are there specific public disclosure or reporting requirements for my organization?
  • Do we have the appropriate internal and external communication plans in place as threat activity escalates in an environment?

It’s important to note that being great at incident management doesn’t mean doing it all yourself. Asking the hard questions guides organizations toward building the right internal or external relationships, skills and processes to be fully equipped for an unwanted guest.

2: Building Bridges to Partners for Better Outcomes

Evaluating the core use cases that arise during a response event guides the planning process to the next phase: relationships.

Managed security services and incident-response partners can help fill the gaps identified on your security bench, but incident management extends beyond information security to incorporate legal counsel and even the executive team.


Many organizations struggle with timing when it comes to internal and external communications during an incident. Fostering collaboration between information security and corporate legal partners reduces uncertainty about when and how to escalate, which leads to a higher-quality response. Remember, incident-response plans are not just about the bits and bytes, but about minimizing overall company risk, which includes defining messaging, deciding when to escalate to law enforcement and abiding by industry disclosure requirements.

It also helps if companies have key contacts for emergencies, escalation criteria that determine the severity or priority of an incident, a way to track the entire process and at least one conference number that is always available when needed, ideally out-of-band so that it still works if corporate email or chat is itself compromised.

3: Testing the Process

If the three “Ls” of real estate are “location, location, location,” the three “Ps” of incident-response plans are “practice, practice, practice.” Incident-response plans require executive sponsorship, legal counsel coordination and information-security response for effective execution.

The best plans are the ones that are regularly tested through tabletop exercises in which all stakeholders participate, and that are updated based on exercise findings, changes in the threat landscape, NIST guidance (such as SP 800-61, the Computer Security Incident Handling Guide) and the MITRE ATT&CK knowledge base of adversary techniques. The highest-quality decisions around incidents are always made before being in the heat of battle.

The Bottom Line: Be Invested

A good incident-response plan requires all stakeholders to be invested and to practice consistently; in return, it makes it far easier for the organization to minimize business impact. The high-quality decisions detailed in your response plan lead to reduced incident costs, because the losses that follow a cyberattack or a compliance failure are much higher than the cost of investing in the right program, relationships and processes ahead of time.

Grant Oviatt is director of incident-response engagements at Red Canary.

