The Lockdown

Thycotic’s Cyber Security Blog

Cyber Security Incident Response and Reporting Process

Written by Joseph Carson

March 19th, 2019

Ever since we launched our customizable cyber security incident response template, I’ve been amazed by its volume of downloads.

I quickly realized that the increasing cyber threats from criminal hackers, malware and ransomware are starting to be taken seriously by organizations large and small, and that there is a growing demand for guidance and information on incident response. Data from a Slovakian company that provides tools for monitoring online search engine activity indicates that online searches for the phrases “cyber security information” and “cyber incident response” are increasing rapidly year over year.


Cyber Security Information Chart: search trend for “cyber security information”

Cyber Incident Response Chart: search trend for “cyber incident response”

So, organizations are getting on board with cyber risk and this is great news. I’ve been writing, tweeting and giving talks about how to respond to cyber incidents for some time now—and companies are listening.

If you’re ready to get on board with properly protecting your organization and data during or after a breach, but are not 100% sure of the process—this is the place to start. I’ll provide some procedure resources for handling the cyber incident response process, but let’s start by addressing 4 common questions.

  1. What is incident response?

Incident response is an organization’s reaction to halting and recovering from a security incident, and the response plan must be in place before the incident occurs.

You may already know a security incident as:

  • An information security incident
  • An IT security incident
  • A network security incident
  • A security breach
  • A data breach
  • A cyber attack
  • Or, “We’ve been hacked!”

They’re all pretty much cut from the same cloth, and the only good response is to meticulously follow a tailored cyber incident response plan (CIRP) that you have ready to go at a moment’s notice.

The goal of having an incident response plan is to ensure that your organization is fully prepared for, and ready to respond to any level of cyber security incident fast and effectively. And today, incidents are inevitable. All that varies is the breadth and depth.

Here’s Gartner’s definition of a CIRP: Also known as a “computer incident response plan,” this is formulated by an enterprise to respond to potentially catastrophic, computer-related incidents, such as viruses or hacker attacks. The CIRP should include steps to determine whether the incident originated from a malicious source — and, if so, to contain the threat and isolate the enterprise from the attacker.

  2. Is there a difference between incident response and incident handling?

Well, yes, although response and handling go hand in hand and without both you do not have a sound incident response process. Incident response refers to the technical aspects of incident analysis and containment, whereas incident handling refers to the human responsibilities: the communications, coordination, and cooperation required to see the process through.

  3. What is the incident response life-cycle?

The life-cycle of an incident is defined by the stages a typical incident goes through, and it includes everything from preparing for an incident to analyzing the lessons you learned after experiencing one. I like this version of the incident response life-cycle:

Preparation > Incident Discovery and Confirmation > Containment and Continuity > Eradication > Recovery > Lessons Learned

  4. What are the different types of information security incident?

There are many types of cyber security incidents that can result in intrusions on your organization’s network or full-on data breaches, but I’m going to focus on the six to which I believe organizations are most vulnerable:

  • Phishing attacks: you click on a link in an authentic-looking email and end up giving away sensitive information (like a password), or enabling ransomware or some other malware. Companies are especially vulnerable to phishing because criminal hackers target the weakest link in most companies, their employees, and success rates are high. A more targeted form known as spear phishing occurs when the attacker invests time researching the victim in order to craft a more convincing lure.
  • Denial-of-service (DoS) attacks: the point of this attack is to make an individual machine or an entire network unable to respond to legitimate service requests. DoS attacks achieve this by flooding the target with traffic, or by sending it input that triggers a crash.
  • Man-in-the-middle (MitM) attacks: an outside entity intercepts, and possibly alters, the communication between two parties who believe they are talking directly to each other. By impersonating each party to the other, the attacker can read and manipulate the traffic in an effort to gain access to data. The users are unaware that they are both talking to the attacker. Session hijacking, email hijacking and Wi-Fi eavesdropping are all examples of MitM attacks.
  • Drive-by attacks: a common method of spreading malware. Criminal hackers find insecure websites and inject a malicious script into one of their pages. The script can install malware on the computer of anyone who visits the site, or redirect the victim to a different site the attackers control.
  • Password attacks: this sort of attack is aimed specifically at obtaining a user’s or an account’s password. Criminal hackers use a variety of techniques, such as password-cracking programs, dictionary attacks, password “sniffers” that capture credentials in transit, and brute-force guessing, often informed by personal knowledge of the individual (a birthday, a pet’s name, etc.). This is why strong, unique passwords are so important.
  • Malware attacks: malware is a broad term for any malicious software installed on your system without your consent. You are probably familiar with many types: file infectors, worms, Trojans, ransomware, adware, spyware, logic bombs and other viruses. Some are installed inadvertently when an employee installs freeware or other software, clicks on an ad, or visits an infected website. The possibilities are nearly endless, and so are the chances of an employee falling victim to a malware attack.
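
Discovering that one of these attacks is under way is the first step of the response. As an added example that is not part of the original post or of Thycotic’s template, the following Python flags the password attacks described above by scanning authentication logs: it groups failed logins by source address, looks for a burst of failures inside a short window, distinguishes brute force against a few accounts from password spraying across many, and then checks whether any login from that address succeeded after the burst, which is the “confirmation” signal an analyst would want before escalating. The log lines are constructed in OpenSSH/syslog style for the demo, the year (syslog omits it) and the thresholds are assumptions, and the function names are the example’s own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (OpenSSH/syslog style); not real data.
# 203.0.113.7  : brute force against admin/root, then a successful root login.
# 198.51.100.20: one attempt each against six accounts (password spraying).
# 192.0.2.44   : a user mistyping once, then logging in (benign).
SAMPLE_LOG = """\
Mar 19 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 19 10:00:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Mar 19 10:00:05 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar 19 10:00:06 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40125 ssh2
Mar 19 10:00:08 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40126 ssh2
Mar 19 10:00:09 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40127 ssh2
Mar 19 10:00:10 web1 sshd[2101]: Accepted password for root from 203.0.113.7 port 40128 ssh2
Mar 19 10:05:00 web1 sshd[2150]: Failed password for alice from 198.51.100.20 port 50100 ssh2
Mar 19 10:05:01 web1 sshd[2150]: Failed password for bob from 198.51.100.20 port 50101 ssh2
Mar 19 10:05:02 web1 sshd[2150]: Failed password for carol from 198.51.100.20 port 50102 ssh2
Mar 19 10:05:03 web1 sshd[2150]: Failed password for dave from 198.51.100.20 port 50103 ssh2
Mar 19 10:05:04 web1 sshd[2150]: Failed password for erin from 198.51.100.20 port 50104 ssh2
Mar 19 10:05:05 web1 sshd[2150]: Failed password for frank from 198.51.100.20 port 50105 ssh2
Mar 19 10:30:00 web1 sshd[2300]: Failed password for alice from 192.0.2.44 port 61000 ssh2
Mar 19 10:30:40 web1 sshd[2301]: Accepted password for alice from 192.0.2.44 port 61001 ssh2
"""

# Matches the two sshd password-auth outcomes; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2019):
    """Turn raw log text into event dicts. `year` is assumed: syslog omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-auth event; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_password_attacks(events, window=timedelta(minutes=5),
                            fail_threshold=5, spray_users=5):
    """One finding per source IP with >= fail_threshold failures inside `window`.

    Thresholds are assumptions for the demo; tune them to your environment.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        # Sliding window: find the densest run of failures within `window`.
        start, best = 0, (0, 0, 0)  # (count, start_idx, end_idx)
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e_ = best
        if count < fail_threshold:
            continue
        burst = fails[s:e_ + 1]
        users = {b["user"] for b in burst}
        # Many distinct accounts from one source is spraying; few is brute force.
        kind = "password spraying" if len(users) >= spray_users else "brute force"
        # Confirmation step: any successful login from this IP after the burst?
        compromised = sorted({e["user"] for e in evs
                              if e["ok"] and e["ts"] >= burst[-1]["ts"]})
        findings.append({"ip": ip, "kind": kind, "failures": count,
                         "users": sorted(users), "first": burst[0]["ts"],
                         "last": burst[-1]["ts"],
                         "compromised_accounts": compromised})
    return findings


if __name__ == "__main__":
    for f in detect_password_attacks(parse_auth_log(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['kind']}, {f['failures']} failures "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}, "
              f"accounts={f['users']}, compromised={f['compromised_accounts']}")
```

On the sample the brute-force source is reported with root listed as compromised, the spraying source is reported with no compromised account, and the single mistyped password is below the threshold and not reported. In a real deployment the `compromised_accounts` list is what moves the finding from the Discovery stage into Containment (reset the credential, kill the session, block the source), so it is worth keeping the confirmation logic separate from the threshold logic as done here.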

Industry-specific cyber incident reporting

The incident response process described in the life-cycle above is largely the same for all organizations, but the incident reporting procedure varies for certain industries. For example, if you’re in the healthcare industry you may need to observe the HIPAA incident reporting requirements.

These are some regulations with specific incident reporting requirements, and who they apply to:

HIPAA – if you create, receive, maintain or transmit electronic protected health information

FISMA/NIST – if you’re a federal agency or government contractor

PCI DSS – if you accept, store or transmit credit card data

NERC CIP – if you’re an energy or utilities company

SOX – if your organization is a public company (though in some cases private companies must also comply with SOX regulations)

NYCRR – if you’re a New York insurance company, bank, or other regulated financial services institution

If your organization must adhere to any of the above regulations, you must familiarize yourself with the incident reporting requirements that might uniquely apply to your industry. Links to helpful industry-specific information can be found in our Cyber Security Incident Response Template.

The template also has:

  • Customization instructions
  • Assembling an incident response team, including IT, compliance, and communications representatives
  • Threat classification
  • A sample cyber incident
  • The phases of an incident, and the appropriate actions to take at each step (the template ensures you capture all the right information)

As an additional resource, our whitepaper provides a broader incident response strategy.

Incident response is a plan I hope you’ll never need

I talk about the incident response process often, but always with the hope you won’t need to use it very often. And as more organizations take steps to protect themselves, become more resilient and recover quickly, I look forward to seeing fewer victims of cyber-crime.

If your organization doesn’t have cyber security and cyber risk completely nailed down yet, read this Gartner article for some perspective: Gartner Top 10 Security Projects for 2018. Don’t worry—the security projects listed are as relevant now as they were in 2018!

You’ll notice that Gartner’s number 1 security project is privileged account management (PAM). But like incident response, cyber security has a technical AND a human aspect: employee cyber awareness training is critical to your organization’s security. Criminal hackers view employees as the fast track into your company’s network, so security training should be introduced on day one of your new hire orientation process.

No cyber security solution is bullet proof

No solution you choose to protect your privileged access, and no amount of employee training, will guarantee you bullet-proof cyber security. After all, the criminal hacker’s ongoing challenge is to stay a step ahead of you. But having a rock-solid incident response procedure in place can minimize damage, sometimes stopping an attack before it gains a foothold, and save you money, time, and your reputation.
