July 6, 2021
9 Keys to Incident Response Readiness

Cybercrime poses a serious threat to organizations in all industries. Despite numerous warnings and high-profile data breaches, the state of readiness is dismal. According to IDG Research, nearly 80% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyber attacks.

By 2025, it is estimated that cybercrime will cost businesses worldwide $10.5 trillion annually.
Cybercrime Magazine: Cyberwarfare in the C-Suite

FBI Director Christopher Wray recently told lawmakers the threat of ransomware “is increasing almost exponentially.” The federal government, he added, is currently investigating “100 different ransomware variants, and each of those 100 has dozens, if not hundreds of victims.”

The scale of attacks is escalating. Russia-linked cybercriminal gang REvil leveraged Fourth of July Weekend to exploit Kaseya’s cloud-based IT management and remote monitoring software, hitting managed service providers (MSPs) and their customers in the biggest global ransomware attack on record.

Incident Response Stats
Cybereason Ransomware: The True Cost to Business

Effective cybersecurity requires proactive prevention strategies to be combined with incident response readiness. Motivated attackers will find a way in; the damage they cause depends on your level of preparation.

Establishing Readiness

When it comes to incident response, security teams tend to be overwhelmed and underprepared. A recent report found nearly one third—29%—don’t even have a formalized information security strategy, and 49% lack adequate tools (including staff and expertise) to detect or respond to cyber threats.

Effectively coordinating activities and resources under the intense pressure of an attack requires careful planning, and a solid understanding of your team’s knowledge and capabilities. Every second lost making decisions or awaiting information delays containment and recovery, while the incident continues to chip away at your brand.

The average total cost of a data breach for companies with an IR team that also tested an IR plan using tabletop exercises or simulations was $3.25M, compared to $5.71M for companies with neither an IR team nor tests of the IR plan.
IBM Security & Ponemon Institute Cost of a Data Breach Report 2021

Many organizations have established IR plans, but struggle to keep them up to date. To protect your business, you need to continually assess, review, and revise your incident response (IR) plan.

Nine best practices can set you on the path to more effective incident response:

  1. Optimize your team: Without the right people in place, security policies, processes and tools will be of little help. Your IR team should be a cross-functional group of people representing major business units including IT and security, operations, legal, HR and public relations. At least one of these roles should be at the executive management level. You may need onsite staff support in certain cases; team members living close to the office can be an asset.
  2. Define roles and responsibilities: Efficiency is vital when an incident occurs. Document specific roles and responsibilities so each team member’s purpose is defined, and expectations are clear. At a minimum, you should include these roles and responsibilities in your IR plan:
  • Incident Manager: The incident manager has the overall responsibility and authority during an incident. They act as a central point of contact, and coordinate and direct all facets of the incident response effort.
  • Technical Lead: The technical lead is typically a senior technical responder responsible for providing incident insight, deciding on changes, and overseeing the technical team. They provide expertise in areas such as system and network administration, intrusion detection, and forensics.
  • Corporate Lead: The corporate lead is a business management representative that can liaise with various departments and help with legal, contractual, and compliance elements during the response process.
  • Communications Lead: The communications lead oversees communications, developing public relations plans and sending internal and external communications about the incident.
  3. Improve cyber hygiene: Shoring up basic security practices reduces the risk of a successful attack. Identify and document your IT infrastructure, including all hardware, software, and applications, paying close attention to critical assets. Strengthen patch and configuration management, enable multi-factor authentication, and perform risk assessments, controls reviews and penetration testing to guide remediation efforts. Make sure backups are being conducted in accordance with policy, and perform frequent tests with different systems to ensure the solution works. Run failover tests annually, and retest when major system changes are made.
  4. Develop playbooks for probable attack scenarios: Your IR plan should address the who, what, when, why and how of responding to security incidents and confirmed data breaches. Develop playbooks or “action plans” that address multiple scenarios and rehearse them with tabletop exercises to ensure your team is familiar with the plan, and has the confidence they need to put it into action. It may not be possible to develop a plan for every incident, but common events such as ransomware, phishing and third-party compromise should be covered.

IR Playbook Workflow

  5. Leverage automation: Tools that use artificial intelligence, machine learning, analytics and automated orchestration can increase visibility into your network and have a dramatic impact on your efforts. According to the 2021 Cost of Data Breach Report, companies that did not deploy security automation experienced higher average breach costs and took much longer to identify and contain a breach than those with these technologies fully

Security Automation Saves Millions
Average total cost of a data breach by security automation level [Measured in US$]

Source: IBM Security & Ponemon Institute 2021 Cost of Data Breach Report

Security orchestration and automation (SOAR) solutions often include pre-built playbooks for phishing, malware, ransomware and other common use cases based on industry standards (such as NIST and SANS) and best practices. Implementing SOAR promotes critical capabilities:

  • Connect point solutions and define incident analysis parameters and processes
  • Automatically trigger specific workflows, tasks, and triages
  • Accelerate response by providing analysts with a single view to access, query and share threat intelligence
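The playbook item above and the SOAR capabilities just listed both come down to the same mechanism: an alert selects a playbook, the playbook's steps are ordered by lifecycle phase, automatable steps are handed to a workflow engine, and the rest are assigned to the person staffing the owning role. The block below is an added illustration written for this page, not code from the post or from any SOAR product. It uses the four roles the post defines, the four NIST lifecycle phases it cites, and two constructed sample playbooks (phishing and ransomware); the roster, alert categories and step wording are all assumptions made up for the example. The readiness check is the part a tabletop exercise usually exposes: a playbook that has no step for some phase, or a step owned by a role nobody currently fills.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The four roles named in the post's "Define roles and responsibilities" item.
ROLES = {"incident_manager", "technical_lead", "corporate_lead", "communications_lead"}
# The four NIST incident handling lifecycle phases the post cites.
PHASES = ("preparation", "detection_analysis", "containment_eradication_recovery", "post_event")


@dataclass(frozen=True)
class Step:
    phase: str
    owner: str                # role responsible for the step
    action: str
    automated: bool = False   # True: a SOAR workflow can run it without waiting on an analyst


@dataclass(frozen=True)
class Playbook:
    name: str
    triggers: frozenset       # alert categories that select this playbook
    steps: tuple


# Constructed sample playbooks for the example (not a vendor's or the post's content).
PLAYBOOKS = (
    Playbook("phishing", frozenset({"phishing", "suspicious_email"}), (
        Step("preparation", "technical_lead", "confirm mail gateway quarantine API is reachable", True),
        Step("detection_analysis", "technical_lead", "extract sender, URLs and attachments from the reported message", True),
        Step("detection_analysis", "technical_lead", "query threat intel for the extracted indicators", True),
        Step("containment_eradication_recovery", "technical_lead", "quarantine the message from all mailboxes", True),
        Step("containment_eradication_recovery", "incident_manager", "decide whether credential resets are required"),
        Step("post_event", "incident_manager", "record timeline and lessons learned"),
    )),
    Playbook("ransomware", frozenset({"ransomware", "mass_file_encryption"}), (
        Step("preparation", "technical_lead", "verify the last backup restore test result is current", True),
        Step("detection_analysis", "technical_lead", "identify patient-zero host and encryption start time"),
        Step("containment_eradication_recovery", "technical_lead", "isolate affected hosts on the network", True),
        Step("containment_eradication_recovery", "corporate_lead", "engage legal and cyber-insurance contacts"),
        Step("containment_eradication_recovery", "communications_lead", "issue internal status notice"),
        Step("post_event", "incident_manager", "run post-incident review and update the playbook"),
    )),
)


def readiness_gaps(playbooks, roster: Dict[str, str]) -> List[str]:
    """Return readable gaps: a phase with no step, or a step owned by an unstaffed or unknown role."""
    gaps = []
    for pb in playbooks:
        covered = {s.phase for s in pb.steps}
        for phase in PHASES:
            if phase not in covered:
                gaps.append(f"{pb.name}: no step for phase '{phase}'")
        for s in pb.steps:
            if s.owner not in ROLES:
                gaps.append(f"{pb.name}: unknown role '{s.owner}'")
            elif s.owner not in roster:
                gaps.append(f"{pb.name}: role '{s.owner}' has no assigned person")
    return gaps


def select_playbook(alert: Dict[str, str], playbooks=PLAYBOOKS) -> Optional[Playbook]:
    """Pick the playbook whose triggers include the alert category (None if the scenario is uncovered)."""
    for pb in playbooks:
        if alert.get("category") in pb.triggers:
            return pb
    return None


def triage(alert: Dict[str, str], roster: Dict[str, str], playbooks=PLAYBOOKS) -> Dict:
    """Build the ordered task list for an alert. Automated steps are queued for the SOAR
    workflow; manual steps go to the person staffing the owning role. An uncovered scenario
    or an unstaffed role flags the incident for escalation to the incident manager."""
    pb = select_playbook(alert, playbooks)
    if pb is None:
        return {"playbook": None, "tasks": [], "escalate": True}
    ordered = sorted(pb.steps, key=lambda s: PHASES.index(s.phase))  # stable: keeps in-phase order
    tasks = [{
        "phase": s.phase,
        "action": s.action,
        "assignee": "soar" if s.automated else roster.get(s.owner, "UNASSIGNED"),
    } for s in ordered]
    return {"playbook": pb.name, "tasks": tasks,
            "escalate": any(t["assignee"] == "UNASSIGNED" for t in tasks)}


if __name__ == "__main__":
    # Constructed roster: the communications lead seat is deliberately empty.
    roster = {"incident_manager": "A. Ruiz", "technical_lead": "J. Chen", "corporate_lead": "M. Okafor"}
    for gap in readiness_gaps(PLAYBOOKS, roster):
        print("GAP:", gap)
    for task in triage({"id": "alert-1", "category": "ransomware"}, roster)["tasks"]:
        print(task["phase"], "->", task["assignee"], ":", task["action"])
```

Running `readiness_gaps` against the roster before an exercise is the cheap version of the tabletop check: here it reports that the ransomware playbook depends on a communications lead nobody fills, and `triage` then marks that incident for escalation rather than silently dropping the unowned step.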
  6. Conduct Security Awareness Training: According to Verizon’s 2021 Data Breach Investigations report, phishing increased 11% in 2020, and 85% of successful attacks involved human interaction. You can’t automate intuition. Establishing an effective awareness training program for your overall employee population along with specific training for incident responders will advance your readiness efforts. Resources like the SANS Security Awareness Maturity Model—which was developed through the coordinated efforts of over 200 awareness officers—can help you identify how mature (or immature) your program is, and where you can take it.
  7. Adapt processes to the cloud: Cloud misconfigurations are a frequent source of data breaches. While cloud environments can help reduce complexity and speed response to incidents, migrations need to be carefully planned. Half of CISOs in a recent survey reported their organization’s desire for growth and rapid digital transformation has become detrimental to achieving data security in the cloud. The right expertise is important; professional assessments can provide insight into the governance, visibility, and responsibility considerations involved in effectively adapting your IR processes to the cloud.
  8. Operationalize network isolation and micro-segmentation: Create virtual local area network (VLAN) silos that separate assets, so your network doesn’t become a virtual playground for attackers. Micro-segmentation limits network traffic between workloads based on a Zero Trust approach, helping you reduce the network attack surface, improve breach containment, and strengthen regulatory compliance. It has the added benefit of making architecture upgrades and maintenance easier for staff.
  9. Bring in experts: Rapid detection and response is critical, and you may not have the in-house resources to ensure 24x7x365 readiness. An incident response retainer guarantees quick access to experts for expedited response as well as notification and proactive services to minimize the impact of security incidents.

Getting Started

Every organization’s IR plan depends on specific needs. Understanding the current state of your incident response readiness is a critical first step. Professional, vendor-independent assessments can help you evaluate your incident response program—including team roles and responsibilities, security policy and procedures, and security controls—and provide detailed recommendations for improvement.

Additionally, NIST, US-CERT, ISACA and ISO/IEC provide frameworks with helpful guidance. The NIST “Computer Security Incident Handling Guide” includes a framework that aligns with four main phases of an IR lifecycle: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Event Activity.

Make Your Organization More Resilient

Every second counts during a cyber attack. As threat actors double down on their efforts, rapid detection and response is critical. Now is the time for security teams to evaluate their solutions and incident response plans, and engage with trusted partners to help close any gaps. Security incidents may be inevitable but with careful planning, you can significantly reduce the impact of data breaches and build a culture of cyber resilience.

  1. Cybersecurity at a Crossroads: The Insight 2021 Report
  2. 2021 Report: Cyberwarfare in the C-Suite
  3. Ransomware: The True Cost to Business
  4. Defending Against Ransomware: Best Practices for Success
  5. State of Incident Response 2021
  6. 3 Biggest Factors in Data Breach Costs and How To Reduce Them
  7. Verizon 2021 Data Breach Investigations Report
  8. 50% of CISOs say the push for rapid growth and digital transformation stalls cloud security
  9. Hafnium: Lessons Learned and Recommendations From Incident Responders
About the Author
Shaun Bertrand
Chief Services Officer
Shaun Bertrand is the Chief Services Officer at Converge. Shaun brings over 20 years of experience in the information security field with a core focus on providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.