Incident Response Planning: What to Do When You Get Hacked

Why Incident Response Planning Matters

The question isn't whether your business will face a security incident—it's when. Phishing attacks, ransomware, data breaches, and other incidents are inevitable for any organization with an online presence. The difference between devastating breaches and manageable incidents is often having a plan.

Without an incident response plan, businesses waste critical hours determining who's responsible, what steps to take, and how to communicate. This confusion amplifies damage, increases costs, and prolongs recovery. With a plan, your team executes coordinated responses that minimize impact and demonstrate competence to customers, regulators, and stakeholders.

The Cost of Poor Incident Response

Time Delays Multiply Damage

Discovery to Containment Time:

• Without plan: Average 21 days
• With plan: Average 7 days
• Each day of exposure increases breach cost by $5,000-25,000

Decision Paralysis:

• Leadership debates response while attack continues
• Uncertainty about notification obligations
• Delayed engagement of external experts
• Mistakes from operating without procedures

Regulatory Penalties

Many regulations require incident response capabilities:

• HIPAA: Incident response plan mandatory
• GDPR: 72-hour breach notification requirement
• State privacy laws: Specific notification timelines
• PCI-DSS: Documented incident response procedures

Failure to respond appropriately compounds regulatory penalties.

Reputation Damage

Chaotic, delayed, or incompetent incident response:

• Loses customer trust beyond the incident itself
• Creates media story about poor security
• Demonstrates lack of preparation
• Suggests ongoing security deficiencies

Incident Response Framework

The NIST Incident Response Lifecycle provides the standard framework:

1. Preparation: Establish capabilities before incidents occur
2. Detection and Analysis: Identify and understand incidents
3. Containment, Eradication, and Recovery: Stop the attack and restore operations
4. Post-Incident Activity: Learn and improve

Phase 1: Preparation

Build Your Incident Response Team

Core Team Members:

Incident Response Coordinator (Often IT Manager or Security Lead)

• Overall incident management
• Coordinates team activities
• Decision-making authority
• External communication liaison

Technical Lead (IT Staff or MSP)

• Technical investigation
• Containment actions
• System recovery
• Forensic evidence preservation

Legal Counsel (Attorney)

• Legal obligations assessment
• Regulatory notification guidance
• Communication review
• Litigation risk management

Communications Lead (Marketing/PR)

• Internal communications
• Customer notifications
• Media relations
• Social media monitoring

Executive Sponsor (CEO/Owner)

• Final decision authority
• Resource allocation
• Stakeholder communication
• Business continuity decisions

Additional Members as Needed:

• HR (for insider threats)
• Finance (for fraud incidents)
• Compliance (for regulated industries)

Establish Communication Channels

Out-of-Band Communications:

Don't rely on email/systems that may be compromised:

• Personal cell phones
• Dedicated incident response phone line
• Secure messaging app (Signal, etc.)
• External video conferencing

Contact List:

• Team member phone numbers (personal cells)
• After-hours contact information
• Escalation procedures
• External contacts (see below)

Identify External Resources

Pre-Incident Relationships:

Incident Response Firm:

• Specialized cybersecurity firm for forensics and response
• Establish relationship before you need them
• Understand costs and engagement process
• Often provided through cyber insurance

Legal Counsel:

• Breach response specialist (not general business attorney)
• Understands notification requirements
• Can invoke attorney-client privilege over investigation

Cyber Insurance Carrier:

• Know how to initiate claim
• 24/7 breach hotline number
• Approved vendor panel
• Coverage details and limits

Public Relations Firm:

• Crisis communications specialist
• Relationship established in advance
• Rapid engagement capability

Forensic Specialists:

• Digital forensics for investigation
• May be same as IR firm
• Data recovery specialists

Notification Services:

• Credit monitoring providers
• Customer notification vendors
• Call center services

Law Enforcement (FBI, Secret Service):

• Understand reporting procedures
• Know local field office contacts
• Relationship with cybercrime units

Technical Preparation

Logging and Monitoring:

• Centralized log collection (SIEM)
• Appropriate log retention (90+ days)
• Log review procedures
• Alerting on suspicious activities

Backup and Recovery:

• Tested backup procedures
• Offline/immutable backups
• Documented restoration procedures
• Regular restoration testing

Network Documentation:

• Network diagrams
• Asset inventory
• Data flow maps
• Critical system identification

Access Inventory:

• All user accounts and permissions
• Administrative access tracking
• VPN and remote access methods
• Third-party vendor access

Detection Tools:

• Endpoint detection and response (EDR)
• Network intrusion detection
• Email security monitoring
• Cloud security monitoring

Documentation and Templates

Pre-Create Templates:

• Customer breach notification letter
• Employee incident communication
• Media statement
• Regulatory notification forms
• Vendor notification
• Website incident notice

Procedures and Playbooks:

• Ransomware response playbook
• Phishing incident playbook
• Data breach playbook
• Insider threat playbook
• Each with step-by-step actions

Contact Lists:

• Incident response team
• External resources
• Key stakeholders
• Customer contact methods
• Regulatory agencies

Training and Exercises

Tabletop Exercises:

• Annual scenario-based walkthroughs
• Test decision-making without technical execution
• Identify gaps in plan
• Build team familiarity

Scenario Examples:

• Ransomware encryption of file server
• Phishing compromise of executive email
• Data exfiltration by malicious insider
• Third-party vendor breach exposing your data

Technical Drills:

• Test backup restoration
• Practice network isolation
• Verify evidence collection
• Test communication channels

Phase 2: Detection and Analysis

Incident Identification

Common Detection Sources:

• Security tool alerts (EDR, firewall, SIEM)
• User reports (suspicious emails, unusual behavior)
• External notifications (customer complaints, vendor alerts)
• Abnormal system behavior (slow performance, crashes)
• Audit findings
• Media reports or dark web monitoring

Initial Assessment Questions:

• What type of incident? (malware, phishing, breach, etc.)
• When did it start?
• What systems are affected?
• Is it still active?
• What data is involved?
• Who needs to be notified immediately?

Incident Classification

Severity Levels:

Critical (P1):

• Active ransomware or destructive attack
• Large-scale data breach in progress
• Compromise of critical business systems
• Significant business impact
• Immediate response required

High (P2):

• Confirmed malware infection (contained)
• Unauthorized access to sensitive systems
• Data exposure of moderate scope
• Requires urgent response (within hours)

Medium (P3):

• Phishing email clicked but no compromise
• Suspicious activity under investigation
• Limited scope incidents
• Response within business day

Low (P4):

• Security policy violations
• Unsuccessful attack attempts
• Informational security events
• Standard workflow response

Initial Response

Immediate Actions (First 30 Minutes):

1. Activate incident response team

   • Notify coordinator
   • Brief available team members
   • Establish communication channel

2. Initial containment (if possible)

   • Isolate affected systems from network
   • Disable compromised accounts
   • Block malicious IPs/domains
   • Preserve evidence (don't power off systems)

3. Document everything

   • Time of discovery
   • Systems affected
   • Actions taken
   • People notified
   • Observations and evidence

4. Assess immediate risks

   • Is attack ongoing?
   • What data is at risk?
   • What systems are vulnerable?
   • Is business continuity threatened?

5. Notify stakeholders

   • Executive leadership
   • Cyber insurance (if covered incident)
   • Legal counsel (invoke privilege)

Investigation

Forensic Analysis:

Determine:

• Initial access vector: How did attackers get in?
• Timeline: When did compromise begin?
• Scope: What systems were accessed?
• Data exposure: What information was accessed/exfiltrated?
• Persistence mechanisms: Are backdoors installed?
• Attacker goals: What were they after?

Evidence Preservation:

• Create forensic images before remediation
• Preserve logs (make copies before they rotate)
• Screenshot relevant findings
• Maintain chain of custody
• Don't alert attackers you're investigating

Analysis Tools:

• EDR forensic capabilities
• Log analysis (SIEM)
• Network traffic analysis
• Memory forensics
• Malware analysis

Phase 3: Containment, Eradication, and Recovery

Containment Strategy

Short-Term Containment:

• Isolate affected systems
• Disable compromised accounts
• Block malicious traffic
• Stop data exfiltration
• Prevent lateral movement

Long-Term Containment:

• Patch vulnerabilities
• Strengthen access controls
• Implement additional monitoring
• Prepare for eradication

Containment Considerations:

• Balance business continuity with security
• Don't alert attackers prematurely
• Preserve evidence for investigation
• Document all containment actions

Eradication

Remove Attacker Presence:

• Delete malware
• Remove unauthorized accounts
• Eliminate backdoors and persistence mechanisms
• Close access vectors
• Patch exploited vulnerabilities

Validation:

• Scan for remaining indicators of compromise
• Verify all attacker access removed
• Check for additional compromised systems
• Test for persistence mechanisms

Timing:

• Coordinate eradication across all systems simultaneously
• Prevent attackers from re-establishing access
• Plan for business interruption

Recovery

System Restoration:

Rebuild vs. Restore:

• Rebuild from clean state for critical systems
• Restore from known-good backups (before compromise)
• Update all systems before return to production
• Verify integrity before reconnecting to network

Phased Return to Operations:

1. Critical systems first
2. Enhanced monitoring during recovery
3. Gradual reconnection to network
4. Verify functionality
5. Return to normal operations

Validation:

• All systems clean and patched
• Security controls functioning
• Monitoring operational
• Backups current
• Documentation complete

Communication During Response

Internal Communication:

• Regular team updates (daily during active incident)
• Executive briefings (at least daily)
• Employee notification (as appropriate)
• What to say, what not to say

External Communication:

Customers:

• Timely notification if data affected
• Clear explanation of incident
• Actions taken to protect them
• Steps they should take
• Resources provided (credit monitoring, etc.)

Regulators:

• Notification within required timeframes
• Required information and documentation
• Ongoing cooperation
• Remediation plans

Media:

• Prepared statements
• Designated spokesperson
• Consistent messaging
• No speculation

Partners/Vendors:

• Notification if their data affected
• Collaborative investigation (if vendor-related)
• Contractual notification obligations

Law Enforcement:

• FBI, Secret Service, or local police (as appropriate)
• Provide requested information
• Understand they may not investigate (resource constraints)

Phase 4: Post-Incident Activity

Incident Documentation

Incident Report Contents:

• Executive summary
• Timeline of events
• Attack vector and methodology
• Systems and data affected
• Response actions taken
• Costs incurred
• Lessons learned
• Recommendations

Evidence Retention:

• Maintain all incident-related documentation
• Preserve forensic evidence
• Retain logs and analysis
• Keep communication records
• Hold for litigation and compliance needs (typically 3-7 years)

Lessons Learned Review

Post-Incident Meeting (Within 2 Weeks):

Participants:

• Full incident response team
• Key stakeholders
• External parties who assisted

Discussion Topics:

• What happened and why?
• What worked well?
• What didn't work?
• What would we do differently?
• What gaps were identified?
• What improvements are needed?

Outcomes:

• Updated incident response plan
• Security improvement initiatives
• Training needs identified
• Tool and resource requirements

Remediation and Improvement

Technical Improvements:

• Patch vulnerabilities exploited
• Implement additional security controls
• Enhance monitoring and detection
• Improve backup and recovery
• Address infrastructure gaps

Process Improvements:

• Update incident response procedures
• Refine communication templates
• Adjust escalation criteria
• Improve team coordination

Training:

• Incident response team training
• Security awareness for employees
• Lessons learned sharing
• Tabletop exercises addressing incident type

Incident-Specific Playbooks

Ransomware Response

Immediate Actions:

1. Isolate infected systems (disconnect network)
2. Identify ransomware variant (ransom note, file extensions)
3. Determine scope (how many systems encrypted)
4. Notify cyber insurance and incident response firm
5. DON'T pay ransom immediately

Investigation:

• Initial infection vector
• Attacker dwell time (often days/weeks before encryption)
• Data exfiltration (double extortion?)
• Backup compromise assessment

Recovery:

• Restore from offline/immutable backups
• Rebuild critical systems
• Enhanced security before returning to production
• Consider decryption tools (some exist for certain variants)

Ransom Payment Decision:

• Consult with legal, insurance, and IR firm
• Consider: backup availability, business impact, double extortion
• Law enforcement discourages payment
• Payment doesn't guarantee decryption

Phishing Incident Response

Immediate Actions:

1. Identify affected users
2. Disable compromised accounts
3. Reset credentials
4. Review account activity logs
5. Check for email forwarding rules
6. Scan for malware (if attachment was opened)

Investigation:

• What data was accessed?
• Were other accounts compromised?
• Was MFA bypassed or enrolled?
• Were emails sent from compromised account?

Recovery:

• Remove malicious email from all mailboxes
• Restore any deleted emails
• Notify affected parties if data was accessed
• Additional training for affected users

Data Breach Response

Immediate Actions:

1. Stop ongoing data exfiltration
2. Preserve evidence
3. Engage legal counsel (privilege)
4. Notify cyber insurance

Investigation:

• What data was accessed/exfiltrated?
• How many individuals affected?
• Attackers' identity (if determinable)
• Access method and timeline

Notification:

• Determine legal obligations (varies by state/regulation)
• Timelines: Often 30-60 days from discovery
• Content: Required elements in notification
• Methods: Mail, email, substitute notice
• Regulators: Parallel notification requirements
• Credit monitoring: Often required or good practice

The Bottom Line

Incident response planning transforms cyber incidents from existential crises into manageable operational challenges. The investment required—time to create the plan, establish relationships, and conduct training—is modest compared to the chaos and cost of responding without preparation.

Start with the basics: identify your incident response team, establish communication procedures, and create simple playbooks for common scenarios. Build from there based on your risk profile and resources.

Most importantly, test your plan regularly. Untested plans fail when needed. Annual tabletop exercises identify gaps and build team muscle memory that proves invaluable during actual incidents.

The goal isn't to prevent all incidents—that's impossible. The goal is to detect quickly, respond effectively, and recover completely while minimizing damage and demonstrating competence to all stakeholders.

---

Need help creating an incident response plan for your business? Contact SimplCyber for templates, playbooks, and tabletop exercise facilitation.