Incident response planning: step-by-step emergency plan for IT security incidents

A well-thought-out Incident Response Plan enables an early and proactive response to IT security incidents and reduces potential damage. It is an absolute necessity for all organisations, regardless of size or sector. However, micro-enterprises and SMEs face the challenge of not having the same human, financial and technical resources as large enterprises.

“In today’s connected world, no one can be 100% secure,” says Philipp Trummer, Teamlead Incident Response at IKARUS Security Software: “Taking into account the existing infrastructure and the available budget, the risks have to be assessed as best as possible and the best possible solutions have to be found.” This includes preparing for an emergency by developing an incident response plan.

Benefits of an incident response plan

An Incident Response Plan helps minimise financial, organisational, and technical risks and ensures your organisation is compliant. You can reduce costs, problems, and downtime by ensuring that your organisation is able to respond quickly and with proven processes and procedures.

In addition, an Incident Response Plan can help you identify risks more quickly, address vulnerabilities early, and improve your organisation’s IT security and cyber resilience in the long term. Threat modelling, which provides a systematic analysis of an organisation’s threat and risk potential, can help you better defend against and respond to potential threats. More important than the exact replication of possible attack scenarios is the knowledge gained for the organisation and the identification of vulnerabilities and areas for improvement.

“No case has yet been identical to another,” Philipp Trummer recapitulates: “Although there are commonalities that allow for some classification, attacks are almost always a series of different techniques – as individual as the system landscape of the victim.” Individual defensive measures can therefore also make a significant contribution to securing the system.

Reference model for creating an incident response process

The six phases of the SANS Institute Incident Response Framework are often cited as a reference for creating an incident response plan. [1] They can also help smaller organisations by providing a structured approach.

1. Preparation
   This involves listing measures to respond to potential security incidents. Topics include developing policies, training the emergency response team, implementing security measures, and creating contingency plans.
2. Identification
   The aim is to detect and identify suspicious activity. This involves monitoring network activity, analysing logs, detecting anomalies, and deploying security tools to identify potential security incidents.
3. Containment
   Once a security incident has been detected, this phase involves attempting to stop the incident from spreading and preventing further damage. This may include isolating affected systems, blocking network connections, or other measures to contain the incident.
4. Eradication
   In this phase, the causes of the security incident are identified and addressed. The aim is to clean the affected system of malware, close vulnerabilities and ensure that the incident does not recur.
5. Recovery
   Once the incident has been contained and resolved, normal operations are restored. This may include restoring data from backups, updating access rights and passwords, and checking system integrity.
6. Lessons Learned
   In this final phase, all aspects of the security incident are documented and analysed. Lessons are learned from the incident to improve incident response planning, identify vulnerabilities, and strengthen defences against future incidents.

These six phases form a cyclical process that needs to be repeated to be able to respond quickly to security incidents and better position your organisation.

What should an incident response plan include?

A practical incident response plan should include clear instructions on how to handle and prioritise a security incident, and when and where to escalate. Keep the instructions as general as possible and cover your biggest risks and possible scenarios such as ransomware, insider threats, unauthorised access, loss of devices/data or phishing incidents. A subsequent test run will help uncover gaps in the plan, identify areas for improvement and consolidate knowledge.

A minimal version of an Incident Response Plan for smaller companies includes the following three main points:

1. responsibilities: Who does what and has what authority?
2. priorities: Which actions are relevant in the event of a damage and for the next steps?
3. focus: Which areas and processes are particularly important and worth protecting?

The IKARUS Incident Response Checklist for SMEs provides good guidance for the practical procedure. Where necessary, or in specific sub-disciplines, it may be useful to bring in expert knowledge. „While the attacker only has to find one way into a system, the defender has to secure countless attack vectors,“ says Philipp Trummer.

Define responsibilities and availability

To not lose any time in the event of an incident, an up-to-date contact list of all employees, partners, suppliers, and service providers should be available – even offline if access to the IT systems is not possible. List the following contacts, adapted to your business environment, with name, telephone number, email address and deputy, so that you can get in touch quickly if necessary:

• IT security officer
• Management
• Incident response team (external if necessary)
• National reporting centre
• Internet service provider
• Cloud provider
• Software provider

Also clarify any escalation levels in your IR plan. Time is critical: “The chances of fending off an attack or preventing damage are drastically reduced if you don’t take threats seriously or try to take matters into your own hands first,” Philipp Trummer knows from numerous examples: “Expert advice is sometimes essential – and again, the sooner the better.”

Useful links and documents:

Guide to Managing IT Security Incidents

IKARUS Incident Response Checklist for SMEs

First Aid against Ransomware

Sources: