
Developing Tailored Incident Responses: The Prepare Step

In the 2014 US State of Cybercrime Survey, PwC found that almost one-third of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders. Yet many companies do not have an insider threat program in place; therefore, they’re not prepared to prevent, detect, and respond to internal threats.

As we discussed in our last blog, the key to empowering your firm to defend against internal attacks as well as external cyber breaches is to develop an incident response workflow for each attack type. The workflow should include all seven steps of the Incident Response Life Cycle – as defined by NIST guidelines:

  1. Prepare
  2. Detect
  3. Analyze
  4. Contain
  5. Eradicate
  6. Recover
  7. Post-Incident Handling

In this post, we will take a closer look at the Prepare step, in which you establish your incident response capabilities for each type of attack. Its first component involves determining the core operations (Ops) team members and their roles as well as those of extended team members.

The Ops team should include hands-on people in your organization that would handle the incident, such as your vulnerability manager, threat manager, and risk manager. The extended team should include your executive leadership, the professional services lead and various response support resources such as legal, public relations and human resources personnel. The role that each person performs when an attack occurs should be clearly defined.

Some people may fulfill more than one role, but where possible it’s best to divide the assignments so that lines of responsibility and accountability stay clear. Not every resource will be required to intervene for every attack, but by identifying them ahead of time you will always know whom to turn to if they are needed in the heat of the moment. Keep in mind that the heat of the moment may fall outside of “normal” work hours, so identify backup personnel for each role as well.

As you identify various team members, you may need to assign different people for each of the attacks listed below. But when possible, it’s best to use the same teams for all attack types. This is usually possible since the Prepare stage is virtually identical for all nine major attack types:

  1. Malware
  2. Virus
  3. Elevation of Privilege
  4. Unauthorized Access
  5. Root Access
  6. Phishing
  7. Improper Usage
  8. Denial of Service
  9. Data Theft

Teams and players may still differ for a number of reasons, for example because different lines of business, geographic locations, or external business relationships impose their own requirements.

The next component of the Prepare step is to define the escalation path your company will follow for both external attacks and internal attacks. This includes documentation, who should address issues first, and how to escalate the issue when you need additional help. The process should also include how the rest of the team members will be informed and – if necessary – the affected employees, customers, and business partners.

A handy resource during the Prepare stage is the NIST Computer Security Incident Handling Guide. The guide provides a list of tools and resources that may prove valuable during incident handling. For example, smartphones are one way to have robust emergency communication and coordination mechanisms. As recommended by NIST, an organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.
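The Prepare components described above (a named primary and backup for every core and extended role, an escalation path for both internal and external attacks, a team assigned to each of the nine attack types, and more than one communication mechanism) can be checked mechanically before an incident rather than discovered missing during one. The following linter is an added example, not code from the CyberSponse post; the plan layout, role names, people, and the specific checks are assumptions modelled on the text, and the NIST point it encodes is only that more than one separate communication mechanism should exist.

```python
"""Added example: a linter for an incident-response 'Prepare' roster.
The Plan layout, role names, sample people and checks are assumptions
modelled on the blog post; they are not a real organisation's plan."""

from dataclasses import dataclass

# Roles named in the post: hands-on Ops team plus the extended team.
OPS_ROLES = ("vulnerability manager", "threat manager", "risk manager")
EXTENDED_ROLES = ("executive leadership", "professional services lead",
                  "legal", "public relations", "human resources")
# The nine major attack types listed in the post.
ATTACK_TYPES = ("Malware", "Virus", "Elevation of Privilege",
                "Unauthorized Access", "Root Access", "Phishing",
                "Improper Usage", "Denial of Service", "Data Theft")
ATTACK_ORIGINS = ("internal", "external")


@dataclass
class Plan:
    roster: dict           # role -> {"primary": name, "backup": name}
    escalation: dict       # origin -> ordered list of roles to contact
    team_for_attack: dict  # attack type -> team label
    comms: list            # distinct communication/coordination mechanisms


def lint_plan(plan):
    """Return a list of human-readable gaps; an empty list means the plan
    satisfies every check below."""
    findings = []
    # 1. Every role has a primary and a distinct off-hours backup.
    for role in OPS_ROLES + EXTENDED_ROLES:
        entry = plan.roster.get(role, {})
        if not entry.get("primary"):
            findings.append(f"role '{role}' has no primary assignee")
        if not entry.get("backup"):
            findings.append(f"role '{role}' has no off-hours backup")
        elif entry["backup"] == entry.get("primary"):
            findings.append(f"role '{role}' backup is the same person as primary")
    # 2. Accountability: flag one person holding more than two primary roles.
    holders = {}
    for role, entry in plan.roster.items():
        holders.setdefault(entry.get("primary"), []).append(role)
    for person, roles in holders.items():
        if person and len(roles) > 2:
            findings.append(f"{person} is primary for {len(roles)} roles: {roles}")
    # 3. An escalation path exists for internal and external attacks, and
    #    every role it names is actually on the roster.
    for origin in ATTACK_ORIGINS:
        path = plan.escalation.get(origin, [])
        if not path:
            findings.append(f"no escalation path defined for {origin} attacks")
        for role in path:
            if role not in plan.roster:
                findings.append(f"{origin} escalation names unknown role '{role}'")
    # 4. Each attack type has a team assigned.
    for attack in ATTACK_TYPES:
        if attack not in plan.team_for_attack:
            findings.append(f"no team assigned for attack type '{attack}'")
    # 5. Multiple separate communication mechanisms (NIST recommendation).
    if len(set(plan.comms)) < 2:
        findings.append("fewer than two separate communication mechanisms")
    return findings


# Constructed sample plans (fictional names), used by the checks below.
GOOD_PLAN = Plan(
    roster={
        "vulnerability manager": {"primary": "A. Patel", "backup": "B. Chen"},
        "threat manager": {"primary": "C. Diaz", "backup": "D. Okafor"},
        "risk manager": {"primary": "E. Rossi", "backup": "F. Novak"},
        "executive leadership": {"primary": "G. Smith", "backup": "H. Lee"},
        "professional services lead": {"primary": "I. Khan", "backup": "J. Park"},
        "legal": {"primary": "K. Muller", "backup": "L. Silva"},
        "public relations": {"primary": "M. Brown", "backup": "N. Ivanova"},
        "human resources": {"primary": "O. Garcia", "backup": "P. Tanaka"},
    },
    escalation={
        "external": ["threat manager", "vulnerability manager",
                     "risk manager", "executive leadership"],
        "internal": ["risk manager", "human resources", "legal",
                     "executive leadership"],
    },
    team_for_attack={a: "core-ops" for a in ATTACK_TYPES},
    comms=["desk phone", "smartphone (out-of-band)", "chat bridge"],
)

# A deficient copy: missing backup, backup == primary, no internal path,
# an escalation role nobody holds, one attack type unassigned, one channel.
_bad_roster = {role: dict(entry) for role, entry in GOOD_PLAN.roster.items()}
_bad_roster["legal"] = {"primary": "K. Muller"}
_bad_roster["risk manager"]["backup"] = "E. Rossi"
BAD_PLAN = Plan(
    roster=_bad_roster,
    escalation={"external": ["threat manager", "CISO", "executive leadership"]},
    team_for_attack={a: "core-ops" for a in ATTACK_TYPES if a != "Data Theft"},
    comms=["email"],
)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(f"{name}: {len(lint_plan(plan))} finding(s)")
        for f in lint_plan(plan):
            print("  -", f)
```

Running the file reports zero findings for the complete plan and six for the deficient one. The checks are deliberately simple so that the roster can be re-linted whenever staff change, which is when backup coverage and escalation paths most often silently break.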

As noted above, Prepare is just one of the seven steps to ensure sufficient threat mitigation that enables your business to limit the extent to which business assets, sensitive information and intellectual property are compromised – and to return IT operations back to normal as quickly as possible. To learn about the remaining six steps, be sure to watch for future blogs. In our next one, we will discuss the Detect step.

By Chad Bellin, Chief Product Officer

For more information on developing incident response workflows for your business, or to view the complete CyberSponse blog series, visit:

Developing a Tailored Incident Response for All Types of Attacks