
Introduction to Incident Response: The Definitive Guide

Preventing cyberattacks and data breaches is a major part of every organization’s information security strategy. However, even the best prevention-based approach won’t work 100% of the time. Security leaders must be prepared to detect and respond to security incidents at any moment.

What is incident response?

Incident response is the coordinated process by which security teams detect, investigate, and manage cyberattacks and data breaches. The goal is to minimize the damage and recovery costs associated with these unexpected events.

This makes incident response part of the organization's overall risk management strategy — alongside disaster recovery and business continuity. These three terms are sometimes used interchangeably, so let’s break them down:

  • Business continuity is all about keeping business operations running normally despite disruptions or setbacks. That could be a natural disaster, a planned server migration, or a cyberattack.
  • Disaster recovery focuses on restoring IT functionality after sudden and unexpected disruption. That includes natural disasters and cyberattacks, but not planned downtime.
  • Incident response focuses exclusively on identifying, containing, and remediating cyberattacks and the damage they cause. Natural disasters and planned downtime are not included.

Each of these three disciplines complements the others. An organization with excellent business continuity and disaster recovery plans in place will have a much easier time establishing and deploying successful incident response workflows.

Your incident response plan outlines your detection and response workflow

In order to detect and respond to security incidents when they occur, your team needs a set of standard operating procedures it can refer to. Incident response plans are exactly that — a set of documents that outline the steps your organization takes when it detects a security incident.

Every incident response plan is different, but they typically share the following elements:

  • An outline of the organization’s approach to incident response.
  • Well-defined roles and responsibilities for people throughout the organization.
  • A detailed series of steps for security team members to take when mitigating security risks.
  • Established communication pathways between the incident response team and key stakeholders throughout the organization.
  • Metrics that allow security leaders to analyze the effectiveness of their incident response capabilities.

Your incident response plan might not stop when the cybersecurity incident is over. It can also provide key guidance for your legal and compliance team, helping the organization continuously improve its security operations over time.

What steps do incident response plans include?

There are multiple incident response frameworks that break the process down into distinct phases. The NIST Cybersecurity Framework provides four key steps for incident response:

  • Preparation. You can’t improvise an incident response plan the moment a cyberattack occurs. Preparation includes discovering network assets, categorizing their exposure to risk, and categorizing the severity of certain attack vectors.
  • Detection and analysis. Once you know what to look for, you must deploy resources towards identifying incidents when they occur. You must also categorize incidents according to their severity and the type of damage they are likely to cause.
  • Containment and eradication. This is where you stop the immediate effects of an active cyberattack and prevent the damage from spreading. Then, you take steps to remove the intruder from your network.
  • Post-incident recovery. Everyone involved in the incident response plan should meet and share their insights about how to improve operations against future attacks.

By comparison, the SANS Incident Response Framework provides a six-step process for detecting and mitigating security incidents:

  • Preparation. Similar to the NIST framework, SANS stipulates a preparation phase that includes creating a company-wide security policy, performing risk assessments, and defining priorities during an active cyberattack.
  • Identification. Monitoring IT systems to detect unauthorized activity is a separate step in this framework. It includes investigating and documenting security events when they occur.
  • Containment. This step is broken up into two phases. Short-term containment involves isolating the network segment under attack. Long-term containment means fixing or rebuilding affected systems so they cannot be compromised by the same type of attack.
  • Eradication. When security teams remove malware from impacted systems, identify the root cause of the incident, and fortify systems against future attacks, they are carrying out the eradication step.
  • Recovery. This is where security and IT personnel bring impacted systems back online, usually in gradual steps with careful monitoring to ensure the threat is actually gone.
  • Lessons learned. The entire team conducts a retrospective review of the incident no more than two weeks afterwards. The incident is comprehensively documented so that stakeholders can identify areas for improvement.

Each of these frameworks covers similar ground, but in a slightly different way. Your organization may choose one or the other (or combine parts of each) depending on its own unique security needs.

Your incident response plan reflects your organization’s strategy and values

Cyberattacks and data breaches are not just security problems. They have deep and wide-ranging impacts across the entire organization. The way your organization responds to security incidents says a great deal about your brand, your values, and your priorities.

Consider some of the different ways an organization might fumble its response to a security incident:

  • The company may have known about the vulnerability well in advance, but failed to act on it — like today’s victims of the Log4j exploit, which made headlines two years ago.
  • Executives might try to protect themselves from financial fallout by selling stock before the incident is disclosed — like several Equifax leaders in 2017.
  • Security leadership may try to downplay the impact of the breach, or even hide it entirely — like the 2016 attack on Uber.
  • You might work tirelessly to find and patch critical security vulnerabilities, only to introduce new flaws that attackers immediately begin to exploit — like the 2024 ConnectWise cyberattack.

On the other hand, an organization with robust security policies, a well-established culture of public transparency, and a deep commitment to operational security excellence may sidestep these risks entirely. 

One of the goals of incident response is minimizing damage. Organizations earn their users’ trust by preventing them from becoming victims of cyberattacks. Highly capable incident response is a key component of good overall risk management.

3 common challenges to implementing incident response plans successfully

Security leaders already agree that having a structured incident response plan in place is a good thing. Yet research suggests more than a third of organizations do not have one in place.

No one is arguing that improvising an ad-hoc response is better than planning one out in advance. Instead, many organizations face steep challenges to implementing a robust incident response plan that aligns with their overall risk management strategy.

Here are some of the reasons why:

The sheer volume, frequency, and diversity of cyberattacks

Cyberattacks are occurring with increasing frequency, with some reports claiming as many as 2200 individual attacks per day. These include everything from technical SQL injection attacks and ICMP flood distributed denial-of-service (DDoS) attacks to phishing scams and insider threats.

MITRE ATT&CK counts more than 180 different subtechniques grouped into 14 individual attack categories. That is an enormous number of contingencies for your incident response plan to address. 

Resource constraints and lack of expertise

Many organizations don’t have the dedicated in-house security expertise necessary to build and maintain a complete incident response plan. Onboarding new security personnel for the purpose may be outside even the most optimistic budget forecasts.

This is particularly true for small and mid-sized businesses, but even large enterprises have trouble keeping security teams focused on building proactive security strategies and incident response plans. Often, in-house security teams are already stretched thin responding to a constant barrage of security alerts.

Inadequate visibility and context

When incident response team members receive a security alert, it can be hard to understand the severity of the event without any context. That makes it hard for incident responders to accurately diagnose and prioritize the issue. Without visibility and context, they might spend hours analyzing minor issues while ignoring potentially catastrophic security incidents.

Incident response teams need full visibility into, and in-depth context for, the alerts they process. That means building a security operations center equipped with solutions that automatically prioritize incoming alerts and escalate high-severity issues quickly.
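The following is an added example, not code from the post or from Lumifi, showing what "context" buys a triage queue: each alert is scored against a constructed asset inventory (business criticality, internet exposure) and its MITRE ATT&CK tactic, so a low-severity sensor hit on a production database outranks a high-severity hit on a developer laptop. The host names, weights and escalation threshold are all illustrative assumptions.

```python
# Added example, not code from the post: context-aware alert triage.
# Assumptions (constructed): alerts carry a MITRE ATT&CK tactic, a source host
# and a raw sensor severity; an asset inventory supplies criticality and
# internet exposure. Weights and the escalation threshold are illustrative.
from dataclasses import dataclass
from typing import Dict, List

# Constructed asset inventory: the context the post says responders lack.
ASSETS: Dict[str, dict] = {
    "db-prod-01":   {"criticality": 5, "internet_facing": False},
    "web-edge-02":  {"criticality": 4, "internet_facing": True},
    "dev-laptop-7": {"criticality": 1, "internet_facing": False},
}
# Tactics closer to impact weigh more than early-stage ones.
TACTIC_WEIGHT = {"reconnaissance": 1, "initial-access": 2, "execution": 3,
                 "credential-access": 4, "lateral-movement": 4,
                 "exfiltration": 5, "impact": 5}
ESCALATE_AT = 40  # illustrative score at which the on-call responder is paged

@dataclass
class Alert:
    host: str
    tactic: str
    sensor_severity: int  # 1 (low) .. 5 (high), as emitted by the sensor

def score_alert(alert: Alert, assets: Dict[str, dict] = ASSETS) -> int:
    """Combine raw severity with asset criticality and attack stage.
    A host missing from the inventory is itself a visibility gap, so it is
    treated as maximally critical and exposed (fail toward escalation)."""
    asset = assets.get(alert.host, {"criticality": 5, "internet_facing": True})
    score = alert.sensor_severity * asset["criticality"] * TACTIC_WEIGHT.get(alert.tactic, 3)
    return score + (5 if asset["internet_facing"] else 0)

def triage(alerts: List[Alert]) -> List[dict]:
    """Rank alerts by contextual score and flag the ones to escalate first."""
    rows = [{"host": a.host, "tactic": a.tactic, "score": score_alert(a)} for a in alerts]
    for row in rows:
        row["escalate"] = row["score"] >= ESCALATE_AT
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample: the sensor rates the laptop alert highest, but context
# puts the low-severity exfiltration on the production database first.
SAMPLE_ALERTS = [Alert("dev-laptop-7", "execution", 5),
                 Alert("db-prod-01", "exfiltration", 2),
                 Alert("web-edge-02", "initial-access", 3)]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```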

Extend your security team’s incident response capabilities with Lumifi

Building and operating a world-class security operations center is no easy task, but it’s vital for enabling incident response teams to successfully detect and respond to threats.

Not every organization needs to develop in-house incident response capabilities. Even achieving 24/7 security event coverage can cost more than $1.2 million per year, and expanding that coverage to include robust incident response only increases the price.

Consider making Lumifi your emergency incident response partner, entrusting our team of diligent, highly trained US-based analysts to conduct 24/7 alarm monitoring and response from our SOC 2 Type 2-certified security operations center. Find out how we can help you develop comprehensive incident response playbooks for the threats your organization faces today.
