How to build an effective cyber attack response plan

The incident response lifecycle is based on a number of steps

Add bookmark

James Bore
12/27/2023

When a cyber security incident is in progress – and everything is metaphorically (or literally, if you’re really unlucky) on fire – is not the time to try and build a response plan. Various types of plans come together to truly build an effective plan for a malicious cyber attack.

Incident response planning prepares you to react and contain an incident quickly and activate other plans.
A business continuity plan will hopefully allow you to keep operating at some level.
Disaster recovery will prepare you to return to normal operations afterwards.
You may even have a crisis management plan in case your incident response plan fails.

Your cyber attack response plan pulls all these different threads together to give you straightforward steps to follow in the event of an incident. Again, while everything is on fire is not when you want to be trying to pull a plan together.

Starting out

A good start is to carry out a threat modelling exercise against your organization, examining the threats that exist, the assets they could threaten and the capabilities you can bring to bear. Even better, this exercise can be used to improve your security by applying countermeasures. No matter how good you think your defenses are though, you need a plan for when they fail. That’s the next step.

Decide roles

Once you know the assets, whatever they may be, you can start laying out roles. These need to be clear and unambiguous, with any critical roles identified with backups. Ideally these should refer to roles rather than individuals, but where individuals are needed, escalation paths should be in place in case of unavailability.

Along with the roles, the responsibilities and authorities of each need to be clearly defined. Who can call an incident? Who can activate the business continuity plan? Who can authorize any external or internal communications and who will liaise with authorities or regulators as needed?

The clearer your list of roles and responsibilities, the less space there is for error and miscommunication during what is bound to be a very stressful incident. You’ll also want to include external roles and the emergency contacts you might need from your insurance company, to law enforcement, to consultants.

As an added option, where important decisions need to be taken by a single person and cannot be delegated to other roles, you can instead have the person state conditions or thresholds. An example is whether a ransomware payment can be made, and how much for, or whether a warm backup site can be activated based on downtime length.

Build the plan

At this point you can start putting together your cyber attack response plan. The other planning provides the necessary building blocks, and this one ties them all together.

Based on the threats you determined to start with, work through each along with the assets that could be compromised. Work out investigation steps to determine the extent of any damage, the best ways to contain and minimize impacts, how to safeguard your business continuity plans once they’re in operation and how (and of course when) an attack would be declared over so that recovery can begin.

The incident response lifecycle is based on a number of steps: preparation, detection, analysis, containment, eradication, recovery and lessons learned. Putting together your plan is the preparation, and an incident around an attack will only be triggered by detection, so we can skip that. The other steps to recovery we’ve covered.

Test and learn

Finally, after any incident, look back at what was done well, what was done poorly and learn lessons to improve for next time (hopefully it will never come, but better to be prepared). This is a vital step and cannot be skipped.

One useful tool to deal with much of this is to run through tabletop scenario exercises based on the threats you identified, or bring in third parties to provide a different perspective to build further plans. The steps of running through an attack, even in theory, can help you build plans or identify holes in existing ones.