This template was developed by the team at Counteractive Security, to help all organizations get a good start on a concise, directive, specific, flexible, and free incident response plan. Build a plan you will actually use to respond effectively, minimize cost and impact, and get back to business as soon as possible.
Download or fork this template
The layout is as follows:
- `during.md`: the core of the plan, the actions taken during an incident response.
- `playbooks/`: a folder containing playbooks with investigation, remediation, and communication suggestions for specific incidents. Create playbooks for any incidents that are highly likely or highly damaging for your organization.
  - `playbooks/index.md` contains the playbook section header content, and each playbook should follow the convention
- `roles/`: a folder containing descriptions of each role in the plan, along with duties and training notes.
  - `roles/index.md` contains the roles section header content, and each role should follow the convention
- `after.md`: the guide to after-action review (a.k.a. hotwash, debrief, or post-mortem), the actions taken after an incident response.
- `about.md`: a footer containing information about the plan/template as a whole.
- Find and replace template variables that
These should be discernible from context, but the following is a non-comprehensive reference:

| Variable | Description | Example |
|---|---|---|
| | The name of your organization | Acme, Inc. |
| | Name and email of plan author | Chris, firstname.lastname@example.org |
| | Document control metadata | 1, 1 Jan 2018 |
| | Date someone last reviewed the plan | 1 Feb 2018 |
| | Date you last tested the plan | 15 Jan 2018 |
| | URL or reference to IR chat program | chat.acme.tld/codename |
| | Call bridge number or URL | 555-HACK, webex.acme.tld/codename |
| | Description/URL for alternate email | O365 at ir.acme.tld/othermail |
| | Domain name for your organization | acme.tld |
| | Number or URL to page Commander(s) | 555-PAGE, ir.acme.tld/ic-page |
| | URL/path to Commander roster/list | ir.acme.tld/ic-roster |
| | As above, for security team | ir.acme.tld/sec-roster |
| | As above, for SMEs | ir.acme.tld/sme-roster |
| | As above, for executive team | ir.acme.tld/exec-roster |
| | Time to wait for on-duty IC on call | 15 minutes |
| | Time between scheduled updates | 4 hours |
| | URL/path to incident file | ir.acme.tld/files/codename |
| | URL/path to critical information list, data you want to protect | ir.acme.tld/cil |
| | URL/path to critical asset list, systems you want to protect | ir.acme.tld/cal |
| | URL/path to asset management DB | ir.acme.tld/assets |
| | URL/path to network map | ir.acme.tld/netmap |
| | URL to SIEM | siem.acme.tld |
| | URL to log aggregator | elk.acme.tld |
| | Name/URL of live response tool | ir-rescue |
| | Name/URL of memory collection tool | rekall |
| | Name/URL of disk imaging tool | ftk imager |
| | URL/path to IR report template | ir.acme.tld/report/template |
| | URL/path to report recipient list | ir.acme.tld/report/recipients |
| | Compliance team name | the legal team, email@example.com |
| | Communications team name | the marketing team, firstname.lastname@example.org |
| | Executive team name | the front office, email@example.com |
| | Legal team name | the legal team, firstname.lastname@example.org |
| | Local law enforcement contact | email@example.com |
| | FBI contact info | 555-FEDS, firstname.lastname@example.org |
| | Vendor for IR and infosec support | Counteractive Security |
| | Vendor for PR support | pr.firm.tld |
| | (Cyber) insurance provider | geico.com |
| | Industry ISAC contact info | 555-ISAC |
If you don't have the things referenced in the variables, consider fixing that, especially the critical information list (data you want to protect) and the critical asset list (systems you want to protect).
- Review all the `TODO` prompts for likely areas to customize, if desired. Delete them if no changes are required.
- Add any roles or playbooks relevant to your organization. These can also be added over time.
- Customize anything else! Whatever you feel is most effective for your organization.
Response Plan Example

```sh
cat during.md \
    ./playbooks/index.md ./playbooks/playbook-*.md \
    ./roles/index.md ./roles/role-*.md \
    about.md \
    | pandoc --toc --toc-depth=3 --standalone -o ./public/response-plan.html
```
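As an added example that is not part of the Counteractive template or its README, the following POSIX shell script wraps the build command above so the plan cannot be published half-customized: it assembles the files in the same order as the README's `cat` invocation, refuses to render while any `TODO` prompt remains in the assembled plan, and flags playbook or role files that the `playbook-*.md` / `role-*.md` globs would silently leave out of the rendered plan. The function names, the `public/` output directory, and the sample plan written by `make_sample_plan` are assumptions; only the file order and the `pandoc` command line come from the README.

```sh
#!/bin/sh
# Added example (not the template's own tooling). Assumes the repository layout
# described in the README: during.md, playbooks/, roles/, about.md.

# assemble_plan DIR: print the concatenated plan markdown in the README's build order.
assemble_plan() {
  cat "$1/during.md" \
      "$1"/playbooks/index.md "$1"/playbooks/playbook-*.md \
      "$1"/roles/index.md "$1"/roles/role-*.md \
      "$1/about.md"
}

# count_todos DIR: number of lines in the assembled plan that still carry a
# TODO prompt. Always exits 0 so it can be captured with $(...).
count_todos() {
  assemble_plan "$1" 2>/dev/null | grep -c 'TODO' || true
}

# check_plan DIR: exit 0 when no TODO prompts remain, 1 otherwise (listing them).
check_plan() {
  n=$(count_todos "$1")
  if [ "$n" -ne 0 ]; then
    echo "plan still contains $n TODO prompt(s):" >&2
    assemble_plan "$1" 2>/dev/null | grep -n 'TODO' >&2
    return 1
  fi
  return 0
}

# check_layout DIR: exit 1 if playbooks/ or roles/ holds a markdown file that the
# build globs (index.md, playbook-*.md, role-*.md) would skip without warning.
check_layout() {
  rc=0
  for f in "$1"/playbooks/*.md; do
    [ -e "$f" ] || continue
    case "$(basename "$f")" in
      index.md|playbook-*.md) ;;
      *) echo "not matched by build glob, will be skipped: $f" >&2; rc=1 ;;
    esac
  done
  for f in "$1"/roles/*.md; do
    [ -e "$f" ] || continue
    case "$(basename "$f")" in
      index.md|role-*.md) ;;
      *) echo "not matched by build glob, will be skipped: $f" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# build_plan DIR: run both checks, then render exactly as the README does.
build_plan() {
  check_layout "$1" || return 1
  check_plan "$1" || return 1
  mkdir -p "$1/public"
  assemble_plan "$1" \
    | pandoc --toc --toc-depth=3 --standalone -o "$1/public/response-plan.html"
}

# make_sample_plan DIR: write a constructed, minimal plan tree for trying the
# checks offline. The phishing playbook deliberately keeps one TODO prompt.
make_sample_plan() {
  mkdir -p "$1/playbooks" "$1/roles"
  printf '# During\n\nDeclare the incident and open the incident file.\n' > "$1/during.md"
  printf '# Playbooks\n' > "$1/playbooks/index.md"
  printf '# Playbook: Phishing\n\nTODO: name your mail gateway here.\n' > "$1/playbooks/playbook-phishing.md"
  printf '# Roles\n' > "$1/roles/index.md"
  printf '# Role: Incident Commander\n' > "$1/roles/role-commander.md"
  printf '# About\n' > "$1/about.md"
}
```

Typical use is `make_sample_plan ./demo && build_plan ./demo` to see the checks in action, then `build_plan .` from the repository root once the real files are in place; the layout check matters because a misnamed `playbooks/phishing.md` would otherwise vanish from the rendered plan with no error from `cat` or `pandoc`.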
For professional assistance with incident response, or with customizing, implementing, or testing your plan, please contact us at email@example.com or (888) 925-5765.
This template is provided under the Apache License, version 2.0. See the LICENSE and NOTICE files for additional information.
References and Additional Reading
- Awesome Incident Response
- NIST Computer Security Incident Handling Guide (NIST)
- CERT Societe Generale Incident Response Methodologies
- Incident Handler's Handbook (SANS)
- Responding to IT Security Incidents (Microsoft)
- Defining Incident Management Processes for CSIRTs: A Work in Progress (CMU)
- Creating and Managing Computer Security Incident Handling Teams (CSIRTS) (CERT)
- Incident Management for Operations (Rob Schnepp, Ron Vidal, Chris Hawley)
- Incident Response & Computer Forensics, Third Edition (Jason Luttgens, Matthew Pepe, Kevin Mandia)
- Incident Response (Kenneth R. van Wyk, Richard Forno)
- The Checklist Manifesto (Atul Gawande)
- The Field Guide to Understanding Human Error (Sidney Dekker)
- Normal Accidents: Living with High-Risk Technologies (Charles Perrow)
- Site Reliability Engineering (Google)
- Debriefing Facilitation Guide (Etsy)
- Every Minute Counts: Leading Heroku's Incident Response (Blake Gentry)
- Three Analytical Traps in Accident Investigation (Dr. Johan Bergström)
- US National Incident Management System (NIMS) (FEMA)
- Informed's NIMS Incident Command System Field Guide (Michael J. Ward)
- PagerDuty IR Docs
- NIST 800-61r2
- NIST CSF
- CSO Online 10 Steps (June 2017) and CSO Online 9 Steps (July 2016)
- SecurityMetrics blog 6 Steps to Making an IR Plan
- Cal Berkeley IR Plan Development
- EPA IR Plan
- incidentresponse.com playbooks
- After Action, lessons learned, process improvement
- Measures and Metrics
- Business priorities
- Testing procedure
- Communication and escalation tree, including executives
- Finance and budget