

What is Incident Response? A 6-Step Plan



“We don’t rise to the level of our expectations, we fall to the level of our training.” – Archilochus

Incident Response is the art of cleanup and recovery when you discover a cybersecurity breach. You might also see these breaches referred to as IT incidents, security incidents, or computer incidents – but whatever you call them, you need a plan and a team dedicated to managing the incident and minimizing the damage and cost of recovery.


Some organizations call this team the Computer Security Incident Response Team (CSIRT) – there are other permutations of that acronym out there like Security Incident Response Team (SIRT) or Computer Incident Response Team (CIRT). The mission of this team is the same no matter what you call it – to enact the company’s established incident response plan when the bat-signal goes up.

You do have a company approved incident response (IR) plan, right?

Importance of Incident Response

If you work in data security, you deal with security incidents on a day-to-day basis. Occasionally, a minor security issue turns out to be a real live panic situation. When the bat-signal does light up, will everyone know what to do? Will every CSIRT member know their role and responsibilities and follow the approved plan?

When the stakes get high and the pressure intensifies, the CSIRT will perform as they have practiced. If there’s no plan in place, there’s no guarantee they’ll be able to properly respond to a cybersecurity incident. The IR plan defines how to identify, contain, and manage data security incidents.

However, simply having an IR plan isn’t enough: the CSIRT team needs to run practice scenarios so they are adequately prepared for the real thing.

On top of all that, there is often a time crunch. Data breach notification laws are becoming more common: the GDPR, for instance, requires companies to report data security incidents within 72 hours of discovery. California and Colorado are enacting similar rules in the US, and that trend is likely to continue.

6 Steps to a Successful Incident Response Plan


SANS published their Incident Handler’s Handbook a few years ago, and it remains the standard for IR plans. It’s a 6-step framework that you can use to build your specific company plan around.

  1. Preparation: Your CSIRT needs to perform like a finely tuned machine when the time comes, and that takes work. Define a corporate security policy: this typically includes acceptable use of company data, consequences for security violations, and definitions on what qualifies as a security incident. Define a step-by-step guide of how the CSIRT should handle a security incident, including documentation of incidents and both internal and external communications.
  2. Identification: Define what criteria activate the CSIRT. It could be a specific kind of issue – like “found a random USB drive on the floor” or a Varonis DatAlert “Brute Force Attack Detected” – that triggers the IR plan. It could also be a cumulative set of circumstances that trigger the plan: for example, an abnormal access alert combined with an alert on an unusual upload to a cloud storage site in the same hour might be a trigger.
  3. Containment: Contain the threat. There are two types of containment: short-term and long-term. Short-term containment is an immediate response, stopping the threat from spreading and doing further damage. Back up all affected systems to save their current states for later forensics. Long-term containment includes returning all systems to production to allow for standard business operation, but without the accounts and backdoors that allowed for the intrusion.
  4. Eradication: Establish a process to restore all of the affected systems. A good starting place is to reimage all systems involved in the incident and remove any traces of the security incident. These steps should include the specifics about the disk cloning software and images your company has validated. Lastly, update your defense systems to prevent the same kind of security incident from occurring again.
  5. Recovery: Determine how to bring all systems back into full production after verifying that they are clean and free of any nastiness that could lead to a new security incident.
  6. Lessons Learned: Review the documentation of the incident with the CSIRT for training purposes. Update the IR plan based on feedback and any identified deficiencies.
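The Identification step above describes two kinds of trigger: a single alert that activates the CSIRT on its own, and a cumulative condition such as an abnormal access alert and an unusual cloud upload alert for the same user within one hour. The following is an added example (not Varonis code, and not from the original post) of how such activation criteria can be written down as a check over a feed of alerts; the alert names, users and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample alert feed (timestamp, user, alert type); not real Varonis output.
SAMPLE_ALERTS = [
    ("2024-03-01T08:00:00", "dave", "brute_force_detected"),
    ("2024-03-01T09:05:00", "alice", "abnormal_access"),
    ("2024-03-01T09:40:00", "alice", "unusual_cloud_upload"),  # 35 min later: trigger
    ("2024-03-01T10:10:00", "bob", "abnormal_access"),
    ("2024-03-01T12:30:00", "bob", "unusual_cloud_upload"),    # >1 h later: no trigger
    ("2024-03-01T13:00:00", "carol", "unusual_cloud_upload"),
    ("2024-03-01T13:20:00", "carol", "abnormal_access"),       # reversed order, still in window
]

# Alert types that activate the CSIRT on their own (hypothetical names).
SINGLE_TRIGGERS = {"brute_force_detected"}
# Pairs of alert types that activate the CSIRT only when both fire for the
# same user within WINDOW of each other.
PAIR_TRIGGERS = [("abnormal_access", "unusual_cloud_upload")]
WINDOW = timedelta(hours=1)


def csirt_triggers(alerts) -> List[Tuple[str, str]]:
    """Return (user, reason) for every condition that should activate the IR plan."""
    events = sorted((datetime.fromisoformat(ts), user, kind) for ts, user, kind in alerts)
    found = []
    # Single-alert criteria: one matching alert is enough.
    for _, user, kind in events:
        if kind in SINGLE_TRIGGERS:
            found.append((user, kind))
    # Cumulative criteria: group by user and look for both alert types within WINDOW.
    per_user = {}
    for ts, user, kind in events:
        per_user.setdefault(user, []).append((ts, kind))
    for first, second in PAIR_TRIGGERS:
        for user, evs in per_user.items():
            times_first = [t for t, k in evs if k == first]
            times_second = [t for t, k in evs if k == second]
            # abs() makes the check order-independent: either alert may come first.
            if any(abs(a - b) <= WINDOW for a in times_first for b in times_second):
                found.append((user, f"{first}+{second}"))
    return found


if __name__ == "__main__":
    for user, reason in csirt_triggers(SAMPLE_ALERTS):
        print(f"Activate CSIRT for {user}: {reason}")
```

Bob's two alerts are more than an hour apart, so he does not activate the plan; whether such a gap should still count is exactly the kind of criterion the Preparation step asks you to decide in advance.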

Who is Responsible for Incident Response?


Whatever you call your CSIRT team, they need to be a well-rounded team of professionals. They could be full-time security practitioners, or they may have other job responsibilities in the organization, with their CSIRT assignment as a secondary role.

Some of the roles on a CSIRT team are:

  • Incident Response Manager: The lead of the CSIRT team that oversees the IR plan in action.
  • Security Analysts: The ground troops responsible for threat neutralization and containment of an active security incident.
  • Threat Researchers: The team responsible for providing research and intelligence to add context to the security incident. They often search for other incidents and analyze logs for other hints and clues about the incident.

In addition to the primary roles, you may want to include some cross-functional support from other areas of the company:

  • Management: The management team provides resources and buy-in to the CSIRT team and IR plan.
  • Human Resources: HR is often brought in to support the CSIRT efforts if an employee is involved.
  • General Counsel: Compliance and regulation are an integral part of data security, so get the lawyers involved – possibly as part of the full-time team. You might also have a full-time compliance officer fulfill this role.
  • Public Relations: PR can help manage communications after an incident, especially now that data breaches need to be public information so quickly.

What to Do After a Cyber Incident?

The dust settles, the bad guys are defeated, and the CSIRT team followed the IR plan to the letter. What next? Take stock and resupply for the next encounter. Re-run vulnerability and risk assessments and close any new gaps in security.

Tighten up the IR plan or add new forensics or monitoring. Implement the full Varonis Data Security Platform to add best-in-class data security analytics for advanced warning and behavioral analysis of all your data.

Varonis Powers Up a CSIRT

Varonis monitors your data, VPN, DNS, email, and more to catch cybersecurity threats before they become data breaches. Our threat models detect behaviors that match known attacks across the cybersecurity kill chain and warn on deviations from normal behavior patterns. It would take months (or likely years) for a CSIRT to code comparable threat models on their own.

Varonis enables teams to visualize security threats with an intuitive dashboard and investigate security incidents – even track alerts and assign them to team members for closure. You can even incorporate rich context and data security intelligence from Varonis into your favorite SIEM for better breach detection.

Get a 1:1 demo to see how customers use Varonis as part of their incident response strategy – it’s a game changer for incident response.

Jeff Petters


Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.

