3 Must-Haves in Your Cybersecurity Incident Response
Planning End-to-End Incident Response — Before It’s Needed

Prepare to Act Fast During an Incident
Cybersecurity incidents are a matter of “when,” not “if.”
They result in more adverse media coverage than ever
before, and auditors, regulators and other stakeholders
expect organizations to demonstrate a clear plan for
managing these incidents to minimize the impact on
brand, reputation, staff, customers and shareholders.

The imperative for security and risk management leaders is to prepare. The key tools are a documented
response plan and a detailed playbook for the incident type.

This guide excerpts pages from Gartner tools and playbooks*. All detail is illustrative.

Sidebar: 2021 saw the highest average breach cost in 17 years, and 10% of breaches involved ransomware —
double the frequency seen in 2020. Source: IBM Cost of a Data Breach Report, 2021; Verizon 2021 Data Breach
Investigations Report

*Complete tools are available to certain Gartner clients: Toolkit: Cybersecurity Incident Response Plan,
Toolkit: Creating a Ransomware Playbook and Toolkit: Tabletop Exercise for Cyberattack Preparation and
Response. Clients can download the templates to customize and submit them for review by Gartner experts,
who can also answer interim questions on your evolving plan.

Three Components You Must Get Right

01 Build an incident response plan: a general plan for responding to cyberincidents
02 Develop detailed response playbooks: detailed guides for handling specific incident scenarios
03 Conduct regular tabletop exercises: routine tests to practice incident response plans

Data breach costs rose from $3.86 million in 2020 to $4.24 million in 2021.
Source: IBM Cost of a Data Breach Report, 2021

Over 80% of ransomware attacks involve data theft in addition to encryption.
Source: Ransomware attackers downshift to “Mid-Game” hunting in Q3 2021, Coveware, October 2021

Ransomware attacks create an average 23 days of downtime.
Source: Q2 Ransom Payment Amounts Decline as Ransomware Becomes a National Security Priority, Coveware, July 2021
Excerpt from Gartner Toolkit: Cybersecurity Incident Response Plan

Develop a Response Process Map


The incident response plan should dictate detailed, sequential procedures to follow in the event of an incident.
The incident coordinator (or similar role) should ensure that each step of the process is completed and that
progress is tracked and communicated on a rolling basis.

Response process map (a flowchart in the original; the node labels are reproduced here by swimlane):

Detect
  D1 Incident? (Y: continue)
  D2 Register Incident
  D3 Conduct Initial Triage
  D4 Assign Classification
  D5 Assign Severity
  D6 Severity? (S1: D7 Resolve using BAU Process; S2 - S4: continue)
  D8 Mobilize CSIRT
  D9 Collect Incident Data
  D10 Determine Scope
  D11 Pers. Data Potentially Impacted? (Y: D12 Data Breach Process; N: D13 Security Incident Process)
  D14 Reassess Incident
  D15 Notification Required? (Y: D16 Determine Notification Comms., then D17 Notify Relevant Parties)

Contain
  C1 Communicate to Stakeholders
  C2 Develop Containment Plan
  C3 Execute Containment Plan
  C4 Contained? (Y: C5 Update Ticket)

Eradicate
  E1 Communicate to Stakeholders
  E2 Develop Eradication Plan
  E3 Execute Eradication Plan
  E4 Eradication? (Y: E5 Update Ticket)

Recover (node IDs as printed in the original)
  C1 Communicate to Stakeholders
  C2 Develop Recovery Plan
  C3 Execute Recovery Plan
  E4 Recovery? (Y: C5 Update Ticket)
  C6 Communicate to Stakeholders

P-row, root cause analysis and close-out (node IDs as printed in the original)
  P1 Conduct RCA
  P2 Document Finding
  P2 Assign Action Owners
  P4 Update Controls and Policies
  P5 Demobilize CSIRT
  P1 Close Ticket
  END


Define Incident Severity Tiers


All security incidents must be triaged and assigned a severity tier. This helps to guide incident escalations,
assign service-level agreements and otherwise inform stakeholders of the potential or realized impact of an
incident on the organization. The severity also drives who is notified, what the escalation path will be and,
therefore, which playbook to communicate.

Severity Tier   | Business Impact                                                                                      | Technical Attributes
                | Safety                | Legal              | Regulatory     | Financial     | Reputational   | Data Class | Operations
04 Cyber Crisis | Severe Injuries/Death | Significant Impact | Fines: $Z+     | Loss: $Z+     | Global Media   | Top Secret | Catastrophic Outage
03 High         | Serious Injuries      | Moderate Impact    | Fines: $Y – $Z | Loss: $Y – $Z | National Media | Secret     | Major Outage
02 Medium       | First Aid             | Low Impact         | Fines: $X – $Y | Loss: $X – $Y | Local Media    | Internal   | Minor Outage
01 Low          | No Injuries           | No Impact          | No Violations  | No Loss       | No Harm        | Public     | No Outage


Assign Roles and Responsibilities


Effective incident response is a team sport. Maintain a RACI chart that indicates all of the roles and responsibilities
for incident response across the organization. Common stakeholders to include are the C-suite, legal, privacy and
HR teams.

RACI chart columns (roles): CIO, CISO, DPO, Help Desk, Incident Coordinator, Data Owner, IT, SOC, Legal, PR, HR,
Customer Operations

Steps (rows), with the RACI codes as they appear in the extracted chart (the column position of each code is not
recoverable from the extracted layout):
  Register incident: AR, CI, I
  Conduct initial triage: I, AR, C, I, I
  Assign classification: I, I, AR, C, C
  Assign severity: I, I, AR, C, C
  Determine next steps based on severity: I, CI, CI, AR, C
  Resolve using usual process: I, I, AR, CI
  Mobilize CSIR team: I, I, I, AR, CI

Excerpt from Gartner Toolkit: Creating a Ransomware Playbook

Create Response Playbooks


The CSIR team should develop specific playbooks for common or high-impact incident types — such as
ransomware, as shown in this example. Response playbooks are designed to provide detailed guidance and
procedures that go beyond security’s general incident response plan.

Contents (page numbers refer to the toolkit document)
  How to Use This Toolkit (1)
  Prerequisites (1)
    Minimum Requirements in IRP (1)
    Scope (1)
  Initial Notification (2)
  Four Phases of Ransomware Response (2)
    Containment (2)
    Analysis (3)
    Remediation (3)
    Recovery (3)
  Four Phases of Ransomware Response Workflow Diagram (4)
  Containment (5)
    Identify Affected Hosts (5)
    Isolate Affected Hosts (5)
    Reset Impacted User/Host Credentials (5)
  Analysis (5)
    Preserve Evidence (5)
    Identify Ransomware Strain (6)
    Establish Infection Vector (6)


Develop a Ransomware Response Process


Create a ransomware response process and decision tree. This process can then be used to develop detailed response
procedures, assign roles and responsibilities and develop additional documentation the CSIR team can use to guide
their response.

Ransomware response process and decision tree (a flowchart in the original; the node labels are reproduced here by phase):

Initial Activities (Ransomware Confirmed): Enable Cyberincident Response Team; Notify Executive; Notify Legal
Phases: Containment → Analysis → Remediation → Recovery
Containment: Identify Affected Hosts; Isolate Affected Hosts; Reset Impacted User/Host Credentials
Analysis: Preserve Evidence; Identify Ransomware Strain; Establish Infection Vector; Contact Law Enforcement
Analysis decision points: Use Cyber Insurance? (NO / YES); Data Exfiltration? (YES) → Regulated Data Loss? (YES) → Inform Legal → Complete Regulatory Notifications


Document Detailed Response Procedures


Work with subject matter experts (SMEs) to document detailed ransomware response procedures. These
procedures should include specific guidance, tools, examples, settings, etc. — and should clearly identify the
responsible party for every step.

Phase: CONTAINMENT

Process: Identify Affected Hosts
  1. Identify all hosts with reported ransomware. (Responsible party: CSIRT)
  2. Conduct an investigation to identify other potentially infected devices. (Responsible party: CSIRT)
     Potential indicators of compromise (IoC) could be:
     • Anomalous file activity – high volume of file renaming, high volume writes to local disks, disks enc
     • Increased CPU and disk activity on endpoints – self-explanatory
     • Inability to access files – self-explanatory
     • Application failure – self-explanatory
     • Suspicious network traffic – traffic across nonstandard ports, changes in typical packet sizes, changes in
       top hosts generating traffic, increase in “blocked” or “denied” entries in firewall logs
     • Anomalies in privileged user account activity – new account creation, changes to existing user/group
       permissions, change in ownership
     • Geographical irregularities – access from irregular geographies
     • Suspicious registry or system file changes – self-explanatory
     • DNS request anomalies – spike in traffic to previously unseen IPs

  Do NOT power off machines without guidance from forensic investigators — doing so may destroy valuable
  forensic data residing in memory or executing on disk.

Process: Isolate Affected Hosts
  1. Disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless
     or mobile phone based. (Responsible party: CSIRT)
  2. Consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and
     disconnecting the entire network from the internet will be necessary. (Responsible party: CSIRT)
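Three of the indicators listed under Identify Affected Hosts (a burst of file renames, a jump in “denied” firewall entries, and DNS answers pointing at IPs never seen before) can be turned into checks that run over exported logs without touching the endpoint, which matters given the instruction above not to power machines off before forensic guidance. The Python below is an added example and is not code from the Gartner toolkit; the log line formats, hostnames, IP addresses, the baseline set of known resolved IPs and the host inventory are all constructed for illustration, and the thresholds (five renames within one minute, a threefold rise in hourly deny counts) are arbitrary starting points to be tuned against your own baseline.

```python
"""Added example (not Gartner toolkit code): ransomware IoC checks over logs.
Every log line, host, IP, timestamp and threshold here is constructed."""
from collections import Counter, defaultdict

# Constructed file-activity events: "timestamp host action path [newpath]"
FILE_EVENTS = """\
2024-01-01T09:00:01 ws-07 RENAME q1.xlsx q1.xlsx.locked
2024-01-01T09:00:02 ws-07 RENAME q2.xlsx q2.xlsx.locked
2024-01-01T09:00:02 ws-07 RENAME budget.docx budget.docx.locked
2024-01-01T09:00:03 ws-07 RENAME notes.txt notes.txt.locked
2024-01-01T09:00:04 ws-07 RENAME photo.jpg photo.jpg.locked
2024-01-01T09:00:05 ws-07 RENAME plan.pptx plan.pptx.locked
2024-01-01T09:00:09 ws-02 RENAME draft.docx final.docx
2024-01-01T09:01:30 ws-02 WRITE report.docx
"""

# Constructed firewall log: "timestamp action src dst:port"
FIREWALL_LOG = """\
2024-01-01T08:10:00 DENY 10.0.5.7 203.0.113.9:445
2024-01-01T08:40:00 DENY 10.0.5.7 203.0.113.9:445
2024-01-01T09:05:00 DENY 10.0.5.7 198.51.100.20:8081
2024-01-01T09:06:00 DENY 10.0.5.7 198.51.100.20:8081
2024-01-01T09:07:00 DENY 10.0.5.7 198.51.100.21:8081
2024-01-01T09:08:00 DENY 10.0.5.7 198.51.100.22:8081
2024-01-01T09:09:00 DENY 10.0.5.7 198.51.100.23:8081
2024-01-01T09:10:00 DENY 10.0.5.7 198.51.100.24:8081
2024-01-01T09:11:00 ALLOW 10.0.5.7 203.0.113.9:443
"""

# Constructed DNS resolver log: "timestamp host qname answer_ip"
DNS_LOG = """\
2024-01-01T09:02:00 ws-07 updates.example.com 203.0.113.10
2024-01-01T09:02:30 ws-07 cdn.example.net 203.0.113.11
2024-01-01T09:03:00 ws-07 x9k2.example.org 198.51.100.20
2024-01-01T09:03:05 ws-07 x9k2.example.org 198.51.100.21
2024-01-01T09:04:00 ws-02 mail.example.com 203.0.113.12
"""

# Constructed baseline: resolved IPs seen during the previous 30 days.
KNOWN_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
# Constructed asset inventory, used to attribute firewall source IPs to hosts.
HOST_BY_IP = {"10.0.5.7": "ws-07", "10.0.5.8": "ws-02"}


def parse(text):
    """Split each non-empty log line into whitespace-separated fields."""
    return [line.split() for line in text.strip().splitlines() if line.strip()]


def rename_bursts(events, threshold=5):
    """Anomalous file activity: hosts renaming >= threshold files within one
    minute. Returns {(host, 'YYYY-MM-DDTHH:MM'): count} for buckets at/over it."""
    buckets = Counter()
    for ts, host, action, *_ in events:
        if action == "RENAME":
            buckets[(host, ts[:16])] += 1  # ts[:16] is the minute bucket
    return {k: n for k, n in buckets.items() if n >= threshold}


def deny_spikes(entries, ratio=3.0):
    """Suspicious network traffic: hour buckets whose DENY count is at least
    `ratio` times the previous hour's. Returns [(hour, count, prev, top_src)]."""
    per_hour = defaultdict(Counter)
    for ts, action, src, _dst in entries:
        if action == "DENY":
            per_hour[ts[:13]][src] += 1  # ts[:13] is the hour bucket
    hours = sorted(per_hour)
    spikes = []
    for prev, cur in zip(hours, hours[1:]):
        prev_n = sum(per_hour[prev].values())
        cur_n = sum(per_hour[cur].values())
        if cur_n >= ratio * prev_n:
            top_src = per_hour[cur].most_common(1)[0][0]
            spikes.append((cur, cur_n, prev_n, top_src))
    return spikes


def unseen_dns_answers(entries, known_ips):
    """DNS request anomaly: answers that resolve to IPs outside the baseline."""
    return {(host, ip) for _ts, host, _q, ip in entries if ip not in known_ips}


def correlate(threshold=5, ratio=3.0):
    """Collect the distinct indicator types hitting each host. A host hit by
    several independent indicators is the strongest candidate for isolation."""
    hits = defaultdict(set)
    for host, _minute in rename_bursts(parse(FILE_EVENTS), threshold):
        hits[host].add("rename_burst")
    for _hour, _n, _prev, src in deny_spikes(parse(FIREWALL_LOG), ratio):
        hits[HOST_BY_IP.get(src, src)].add("deny_spike")
    for host, _ip in unseen_dns_answers(parse(DNS_LOG), KNOWN_IPS):
        hits[host].add("unseen_dns_ip")
    return {host: sorted(kinds) for host, kinds in hits.items()}


if __name__ == "__main__":
    for host, kinds in sorted(correlate().items()):
        print(f"{host}: {len(kinds)} indicator(s): {', '.join(kinds)}")
```

Run directly, the script tallies indicators per host; in the constructed data only ws-07 is flagged, by all three checks, while ws-02's single rename and baseline DNS answers produce nothing. Each check is deliberately per-host and per-time-bucket so that a result maps straight onto the Identify and Isolate steps above, and the rename check keeps the host's original events untouched, so the same export can later serve the Preserve Evidence step.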

Excerpt from Gartner Toolkit: Tabletop Exercise for Cyberattack Preparation and Response

Create an Agenda and Invite Participants


Incident response tabletop exercises should include leadership and decision makers across the organization.
A successful tabletop defines specific objectives and is highly structured to cover preplanned scenarios to which
participants must react.

Agenda and Schedule — 90-Minute Tabletop Exercise

01 Welcome and Introductions (5 minutes)
02 Exercise Objectives and Rules of Engagement (5 minutes)
03 Exercise Setup (5 minutes)
04 Scenario-Driven Exercise (60 minutes)
05 Group Debrief/Lessons Learned (15 minutes)


Develop an Incident Scenario and Scenes


Cybersecurity tabletop exercises are most effective when structured as an initial scenario (e.g., malware),
followed by a series of scenes that add new information to the incident to which participants must react.
This structure replicates the uncertainty and evolution of real incidents.

Elapsed Time Frame: Five Hours; Actual Time Frame: 60 Minutes

Scene                         | Elapsed (scenario) time | Actual (exercise) time
Scene No. 0: Initial Scenario | 8:00 a.m.               | 10 Minutes
Scene No. 1: T + 30 Minutes   | 8:30 a.m.               | 10 Minutes
Scene No. 2: T + 1 Hour       | 9:00 a.m.               | 15 Minutes
Scene No. 3: T + 3 Hours      | 11:00 a.m.              | 5 Minutes
Scene No. 4: T + 4 Hours      | 12:00 p.m.              | 8 Minutes
Scene No. 4: T + 4.5 Hours    | 12:30 p.m.              | 7 Minutes


Craft Challenging Incident Scenes


Tabletop exercises should replicate challenging questions that stakeholders must address during an actual attack.

Example: Ransomware
In a tabletop exercise, you can challenge participants to react to a ransom demand from an attacker.

Things to consider

The realities around paying a ransom include:

• On average, only 65% of the data is recovered, and only 8% of organizations manage to recover all data.
• Encrypted files are often unrecoverable.
• Attacker-provided decrypters may crash or fail.
• Recovering data can take several weeks.
• There is no guarantee that the hackers will delete the stolen data. They could sell or disclose the
  information later if it has value.
• It may be easier and cheaper to pay the ransom than to recover from backup, but that only encourages
  criminal behavior.
• In some cases, paying the ransom could even be illegal.

[Graphic in the original, labelled PAY / NOT PAY]


Gartner Cybersecurity Team*

Paul Furtado, Director Analyst, Security & Risk Management
Cybersecurity expertise:
• Reviews cybersecurity incident response plans; offers guidance on security awareness, metrics and security.
• Advises CISOs and their teams in security and risk practices and communications.
• 10 years’ experience as an analyst and researcher.
Based in Canada.

Senior Director Analyst, Security & Risk Management (name not present in the extracted text)
Cybersecurity expertise:
• Provides insight and advice on cybersecurity strategy, risk and incident response.
• Midsize enterprise (MSE) security specialty.
• 25+ years’ experience as a CIO and CISO.
Based in U.S.

Wam Voster, Senior Director Analyst, Security & Risk Management
Cybersecurity expertise:
• Advises on the security of operational technology (OT) as well as security management, organization and
  governance.
• 30+ years as an IT practitioner, directing and advising security programs in complex environments (oil and
  gas, and fast-moving consumer goods sectors).
Based in the Netherlands.

*Some Gartner subscriptions allow clients to submit their cybersecurity incident response plans for review by
Gartner experts or pose interim questions on their evolving plans.

Actionable, objective insight
Position your organization for success. Explore these additional complimentary resources and tools for
security and risk leaders:

• eBook: 3 Steps to Stop Employees Taking Cyber Bait. Change employee behavior and manage risks effectively.
• Roadmap: Protect Your Business Assets With a Roadmap for Maturing Information Security Program. Build a
  mature program to mitigate cybersecurity risk effectively.
• Webinar: Identify and Embrace New Collar Workers to Boost Cybersecurity. Explore nontraditional education
  forums that provide sufficient training.
• Research: How to Prepare for Ransomware Attacks. Be ready for the security challenges organizations are
  facing today.

Connect With Us
Get actionable, objective insight to deliver on your most critical priorities. Our expert guidance and tools
enable faster, smarter decisions and stronger performance. Contact us to become a client:
U.S.: 1 855 811 7593
International: +44 (0) 3330 607 044

Learn more about Gartner for IT Leaders: gartner.com/en/information-technology

© 2022 Gartner, Inc. All rights reserved. CM_GTS_1654714