Cyber security incidents can be high-pressure situations with serious consequences for businesses and individuals alike. That stress can compromise decision making (especially when tired!), and a good cyber incident response plan helps organisations get their response right.
Recently, while we were working with a client on improving their blue team and incident response capability, they mentioned that they hadn’t been able to find an example of a good cyber incident response plan.
That came as a bit of a surprise, but they weren’t wrong. There are ‘how-tos,’ some thinly veiled vendor pitches, and plenty of other marketing materials. Some of it is old. Many talk at a high level about the ‘phases’ of response, and many more are just ‘plans for a plan.’
There were a few notable exceptions - for example, the NCSC incident management collection has some good pointers - but we struck out looking for an example of ‘what good looks like’ that anyone can pick up and use as a base.
Given how critical responding to security incidents is, we were surprised not to find a decent template to start from. So we set about researching, distilling and compiling the best practice, augmented with our experience responding to some of the highest-profile cyber events in recent years.
Today we’re open-sourcing that work for any organisation, business or charity to pick up and use as a base for their own cyber incident response plan (for free!).
It’s built around an ‘OODA loop’ where feedback from an observe, orientate, decide, act cycle helps you to remain agile and adjust to unfolding situations.
Analysis of Competing Hypotheses (ACH)
We also encourage you to use the analysis of competing hypotheses, an intelligence technique, to help keep things objective and rational while emotions are heightened.
It even includes an incident response checklist for each step so you can make sure that you haven’t forgotten anything.
What you need to do
First up, you’ll need to spend some time on:
- Identifying who your key contacts are, and who deputises for them
- Tailoring the severity levels and escalation criteria
- Choosing the categories that you’ll assign to incidents
There are a few other sections highlighted in yellow (in the GDocs and PDF versions) where you need to add details specific to your organisation. Those are the parts that will be unique to your organisation, and where you should invest your time initially. The underlying process is complete and ready to go.
Once you’ve done that it’s time to communicate your plan. Arrange a session to discuss the process and responsibilities with all involved. Then schedule some exercises to test everyone’s understanding. This can be a desktop exercise or a technical simulation. NCSC’s Exercise-in-a-Box can help you to run either of these yourself, or you can seek support from an independent facilitator.
From there you can view the project on GitHub, access and copy a GDocs version, or download a PDF copy.