It should include a communications component: what to tell employees, the board of directors, the public, law enforcement and regulators. The message for each of these parties needs to be formulated and transmitted effectively and in a timely manner, he says.
A plan must include technical analysis of the breach: who will participate, what their roles will be and what each person will do to determine the broad scope of the attack and to zero in on the details of the machines most affected.
The plan must use the analysis to figure out where an active threat still resides and to box off that part of the network so it is rendered ineffective until it can be cleaned up.
Most importantly, the plan must include how to restore normal business processes, whether by calling on backups, adjusting firewalls, blocking IP addresses or reimaging corrupted machines.
This step has three parts. First, the team needs to quickly triage affected hosts to find indicators of compromise (IoCs). This must happen quickly, typically within two to four hours, tapping event logs, file systems and the like to create a distilled timeline of what happened to compromise the machines.
Once a set of IoCs has been found, they should be fed into other security systems that can spot them elsewhere on the network. If that search finds more compromised hosts, those need to be triaged as well, and any further IoCs they yield need to be fed back into the security systems in turn.
The most heavily compromised hosts undergo a deep investigation to gain a full understanding of what the attacker did on each system, and that analysis is used to create a remediation plan. The goal of that effort is to make sure the attacker has been purged from the environment.
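The triage, feed-back and re-triage cycle described above is easiest to see as a loop that runs until no new hosts or indicators turn up. The script below is an added example, not code from the article or from any tool it mentions: the host names, log-style records, hashes, domains and the allow-list are all constructed sample data, and the indicator patterns (file hash, DNS query, outbound connection) are a deliberately small stand-in for what real endpoint and network telemetry would provide.

```python
"""Added example (not from the article): the triage -> search -> triage loop.

Each host carries a short constructed list of (timestamp, source, detail)
records. Triaging a host extracts candidate indicators; those indicators are
then searched for across every host not yet examined, and every new hit is
triaged in turn. The loop stops at a fixed point, when a full pass adds no
new hosts. Finally the records that carry an indicator are pulled out, in
time order, as the distilled timeline handed to deep investigation.
"""

import re
from collections import deque

# Constructed sample telemetry: host -> [(timestamp, source, detail), ...].
# 203.0.113.10 is a documentation (TEST-NET-3) address; the .example domains
# and sha256 values are placeholders, not real indicators.
SAMPLE_HOSTS = {
    "ws-01": [
        ("2024-01-05T09:12:00", "sysmon", "process c:\\users\\bob\\appdata\\update.exe sha256=aaaa1111"),
        ("2024-01-05T09:12:05", "dns", "query evil-updates.example"),
        ("2024-01-05T09:12:06", "netflow", "connect 203.0.113.10:443"),
    ],
    "ws-02": [
        ("2024-01-05T10:01:00", "sysmon", "process c:\\windows\\explorer.exe sha256=cccc3333"),
        ("2024-01-05T10:30:00", "netflow", "connect 203.0.113.10:443"),
        ("2024-01-05T10:31:00", "sysmon", "process c:\\temp\\svc.exe sha256=bbbb2222"),
    ],
    "srv-db": [
        ("2024-01-05T11:00:00", "sysmon", "process c:\\temp\\svc.exe sha256=bbbb2222"),
        ("2024-01-05T11:00:02", "dns", "query backup.example"),
    ],
    "ws-03": [
        ("2024-01-05T08:00:00", "sysmon", "process c:\\windows\\explorer.exe sha256=cccc3333"),
        ("2024-01-05T08:05:00", "dns", "query intranet.example"),
    ],
}

# Constructed allow-list: known-good values that must never become indicators,
# otherwise the sweep would flag every healthy host that runs explorer.exe.
ALLOW_LIST = {"sha256=cccc3333", "query intranet.example", "query backup.example"}

# Toy indicator extractors: file hash, DNS query, outbound connection.
INDICATOR_PATTERNS = [
    re.compile(r"sha256=[0-9a-f]+"),
    re.compile(r"query \S+"),
    re.compile(r"connect \d{1,3}(?:\.\d{1,3}){3}:\d+"),
]


def triage_host(records, allow_list=ALLOW_LIST):
    """Extract candidate indicators from one host's records, dropping known-good values."""
    found = set()
    for _ts, _source, detail in records:
        for pattern in INDICATOR_PATTERNS:
            for match in pattern.findall(detail):
                if match not in allow_list:
                    found.add(match)
    return found


def hosts_matching(hosts, iocs, exclude):
    """The 'feed the IoCs into other systems' step: which untriaged hosts show any indicator?"""
    hits = set()
    for name, records in hosts.items():
        if name in exclude:
            continue
        if any(ioc in detail for _ts, _src, detail in records for ioc in iocs):
            hits.add(name)
    return hits


def sweep(hosts, initial_hosts, allow_list=ALLOW_LIST):
    """Repeat triage -> search until a pass adds nothing new.

    Returns (compromised host names, indicators found, number of rounds run).
    """
    compromised, iocs = set(), set()
    queue = deque(initial_hosts)
    rounds = 0
    while queue:
        rounds += 1
        # Triage everything queued in this round, accumulating indicators.
        while queue:
            host = queue.popleft()
            if host in compromised:
                continue
            compromised.add(host)
            iocs |= triage_host(hosts[host], allow_list)
        # Push the current indicator set back out; new hits get triaged next round.
        queue.extend(sorted(hosts_matching(hosts, iocs, compromised)))
    return compromised, iocs, rounds


def distilled_timeline(hosts, compromised, iocs):
    """Only the records that carry an indicator, in time order, across affected hosts."""
    rows = []
    for host in compromised:
        for ts, source, detail in hosts[host]:
            if any(ioc in detail for ioc in iocs):
                rows.append((ts, host, source, detail))
    return sorted(rows)


if __name__ == "__main__":
    found_hosts, found_iocs, n_rounds = sweep(SAMPLE_HOSTS, ["ws-01"])
    print(f"{n_rounds} rounds, compromised: {sorted(found_hosts)}")
    for row in distilled_timeline(SAMPLE_HOSTS, found_hosts, found_iocs):
        print("  ", *row)
```

Starting from the single host first reported (ws-01), the first round yields three indicators, the shared outbound connection pulls in ws-02, the hash found there pulls in srv-db, and ws-03 is never flagged because its only matches are on the allow-list. The allow-list is the part worth dwelling on: without it, a benign hash such as explorer.exe's would be promoted to an indicator and the sweep would report the whole estate as compromised.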
The leader needs to clear roadblocks so team members can dedicate themselves to remediating the problem. In many organizations the incident response team isn't a group dedicated full-time to incident response. Rather they are individuals with other job responsibilities, so it's important to make it clear to their managers that they are needed to deal with this top priority.
The leader also needs to ensure the effective flow of information within the team so members get the information most relevant to their part of the task quickly.
In incident response there's no room for speculation outside the response team. Speculation is necessary in order to weigh the possibilities of what has occurred as evidence starts to trickle in, but it shouldn't be spread around, Woolwine says.
Anything that is communicated outside the team should be supported 100 percent by evidence, and for good reason: there's nothing worse than having to tell the board that initial reports were inaccurate, he says.