
5 Best Practices for Building a Cyber Incident Response Plan

You’ve probably heard the Boy Scout motto, “be prepared.” In his 1908 handbook, Scouting for Boys, the author explained, “it shows you how you must be prepared for what is possible, not only what is probable.” Your cyber incident response plan is how you prepare for a possible, and in today’s world probable, security incident or data breach. Unfortunately, since every organization is different, no single plan will work for everyone.


However, by following some best practices when you build out your cyber incident response plan, you can implement processes that streamline investigations to mitigate both possible and probable risks.


What is a cyber incident response plan?

A cyber incident response plan outlines the processes that the organization’s cybersecurity incident response team (CSIRT) follows once it detects an attack or data breach. Although the National Institute of Standards and Technology (NIST) and SANS Institute organize their suggestions differently, both agree that the response process should include policies and procedures for:

  • Preparation: training security analysts and defining how to test processes
  • Identification: collecting security information from across the environment and building alerts that identify abnormal activity
  • Investigation: tracing the malicious activity to identify compromised assets and the malicious actor
  • Containment: creating short- and long-term strategies that prevent further damage
  • Remediation: identifying the incident’s root cause, removing malware, and hardening or patching systems
  • Recovery: restoring affected systems to their previous state and reintegrating them into the business environment
  • Lessons Learned: analyzing the incident response process to identify areas of improvement

A clearly communicated incident response plan is critical to an organization’s cyber resilience. By defining discrete steps across all response activities, the plan enables security teams to reduce business disruption and mitigate operational impact arising from security incidents.

Why an incident response plan is important

The faster you can eradicate an attacker from your environment, the less damage your company experiences.

Reduced Business Disruption

Since cyber attacks target sensitive information, they often impact critical systems. Without these systems, your employees won’t be able to do their jobs and customers won’t be able to access resources.

Reduced Data Breach Costs

The longer attackers linger in your systems, the more damage they can do. When you have a consistent set of processes for responding to attacks, you can contain the attackers more rapidly. In doing this, you limit the number of systems they impact, ultimately reducing overall recovery costs.

Reduced Compliance Risk

Most compliance mandates require an incident response plan, so not having one could be viewed as a violation. Further, if the attack impacts personally identifiable information (PII), then having a set of processes for detecting and mitigating risk helps you notify users within required timeframes and limit the number of affected parties.

Reduced Reputation Risk

Customers work with companies that they trust. In the wake of a cyber attack, how you communicate with customers can be the difference between building trust and losing business. Your incident response plan should incorporate how you plan to communicate with affected parties, including the information that you make public. Further, since you can restore service availability faster, you reduce the attack’s disruption to customers for a better user experience.


5 Best Practices for Building a Cyber Incident Response Plan

Since every business has a different risk profile and technology stack, you need to develop an incident response plan that’s unique to your needs. However, as you build your incident response plan, you can follow some best practices to make it effective.

1. Assign Roles and Responsibilities


Cyber attacks disrupt IT services, but they’re more than just technical issues. Attacks impact everyone across the organization, so you should define the following roles and responsibilities:

  • IT Team: assessing severity, investigating the incident, containing the attack, recovering impacted systems, tracking and documenting activities
  • Human Resources: communicating with employees whose data has been impacted
  • Marketing or Communications: communicating across social media and responding to media requests
  • Senior Leadership: monitoring ongoing business impact and reviewing post-incident reports
  • Customer Support: handling incoming support tickets and updating customers during the incident


2. Centralize the Incident Response Process

With a centralized log management solution, you can more effectively correlate and analyze information from across your environment. When you’re responding to an attack, logging into multiple tools slows down your investigation, giving attackers more opportunities to hide in your systems and networks. With all your monitoring and investigation in a centralized location, you can build workflows and processes that streamline activities, enabling you to contain, eradicate, and recover from the incident faster.

Additionally, when you have all technical response activities aggregated in a single location, you can coordinate information sharing across everyone who needs it. By giving everyone access to only the information they need, you maintain a coordinated response across otherwise siloed groups.

3. Identify Attack Scenarios

When you plan for the possible and the probable, you consider the various ways that attackers can compromise your systems and networks. Some examples of attack scenarios might include:

  • Malicious insiders
  • Credential-based attacks
  • Vulnerability exploits


When you define what could happen, you know what to look for and can monitor for those activities.

Additionally, you can establish processes and workflows that help you investigate incidents related to these scenarios. When you create pre-built investigations using parameterized searches, you can more rapidly contain, eradicate, and recover from the incident.

4. Create High-Fidelity Alerts

When you know the attack scenarios, you can build high-fidelity risk-based alerts. Detection is the first stage of the incident response process. If you have the most precise alerts possible, your security team can focus on the heavy lifting of investigation.

For example, you might want to build Sigma rules that help you detect a supply chain attack.

When you centralize your incident response activities in a single location, your team can align the alerts and investigations in the solution. With all activities taking place in your centralized log management solution, your team members can collaborate and coordinate activities.

5. Define Reporting Requirements

You should have well-defined processes for reporting to management after you recover impacted systems. As part of reviewing your incident response plan’s effectiveness, you should have metrics for how quickly and effectively you:

  • Detected the incident
  • Investigated the incident
  • Contained and eradicated the attacker
  • Recovered systems


If you build dashboards in your centralized log management solution, you can provide easy-to-understand reports that show:

  • When logs documented changes: indicating the start of the event
  • What types of changes they documented: what the threat actor was attempting during the incident
  • When they stopped reporting the activities: showing that the threat actor is no longer acting in the system
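As an added illustration (not code from the original post or from Graylog), the snippet below shows how the stage metrics listed above and the three dashboard questions (when the activity started, what kinds of changes occurred, when it stopped) can be derived from attacker-related log lines plus the milestones an analyst records in a ticket. The log format, hostnames, event types, and timestamps are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: log lines already narrowed by an investigation search.
# Format (assumed): <ISO timestamp> <host> <event_type> <key=value ...>
SAMPLE_LOGS = """\
2024-03-01T02:14:05Z srv-web-01 user_created account=svc_backup2
2024-03-01T02:15:40Z srv-web-01 scheduled_task_created name=updater
2024-03-01T02:20:11Z srv-db-02 privilege_granted account=svc_backup2 role=dbadmin
2024-03-01T03:05:59Z srv-db-02 scheduled_task_created name=sync
2024-03-01T04:41:23Z srv-web-01 user_created account=tmpadm
"""

# Constructed milestones as recorded by the response team during the incident.
MILESTONES = {
    "detect": "2024-03-01T06:30:00Z",       # first alert triaged as a true positive
    "investigate": "2024-03-01T08:00:00Z",  # root cause and scope established
    "contain": "2024-03-01T09:15:00Z",      # accounts disabled, hosts isolated
    "recover": "2024-03-02T11:00:00Z",      # rebuilt systems back in production
}

def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def timeline(log_text):
    """Return (first_seen, last_seen, change-type counts) for the filtered logs.

    first_seen is the start of the event, last_seen shows when the actor stopped,
    and the counts summarise what the actor was attempting."""
    events = []
    for line in log_text.splitlines():
        ts, _host, event_type, *_rest = line.split()
        events.append((parse_ts(ts), event_type))
    if not events:
        raise ValueError("no attacker-related events in the search results")
    events.sort()
    return events[0][0], events[-1][0], Counter(etype for _, etype in events)

def response_metrics(first_seen, milestones):
    """Hours spent in each stage, measured from the previous stage's milestone.

    The detect stage is measured from first_seen (the earliest malicious log)."""
    previous, metrics = first_seen, {}
    for stage in ("detect", "investigate", "contain", "recover"):
        reached = parse_ts(milestones[stage])
        metrics[f"time_to_{stage}_h"] = round((reached - previous).total_seconds() / 3600, 2)
        previous = reached
    return metrics

if __name__ == "__main__":
    start, end, changes = timeline(SAMPLE_LOGS)
    print("activity window:", start, "->", end, dict(changes))
    print(response_metrics(start, MILESTONES))
```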

Graylog Security: Lightning-Fast Search for Rapid Incident Response

With Graylog Security, you can centralize all activities and communications needed to implement a strong incident response plan. Our advanced anomaly detection and security analytics enable you to build high-fidelity alerts to kick off your incident response process effectively and efficiently. Designed to parse terabytes of data in seconds, Graylog gives you the speed you need to investigate a security incident’s root cause faster, helping you reduce key metrics like Mean Time to Investigate (MTTI), Mean Time to Contain (MTTC), and Mean Time to Recover (MTTR).

Built for collaboration, Graylog’s management capabilities mean that you can give everyone across the organization the information they need to communicate across internal and external stakeholders.

To learn how Graylog Security can help you build a better incident response plan, contact us today.
