Pratum Blog

Creating an Incident Response Plan

Recent high-profile ransomware attacks have motivated many organizations to dust off their incident response plans—or create one for the first time. If you’ve ever endured a breach, you know the value of a well-designed incident response plan. By guiding decisions in the critical first hours of an incident, the incident response plan can keep a minor situation from turning into an operational shutdown, as well as help your team track down the breach’s root cause, file cyber insurance claims, manage messages to customers and more.

A solid plan helps ensure that your crisis won’t ripple out to all of your clients and partners. A well-planned response prevents data loss, financial loss, impaired reputation and long-term damage to your business. Use the following guidelines to make sure you create an incident response plan that includes all the essentials.

Check Your Industry’s Requirements

Start by determining what others require of you. In many industry sectors, incident response (IR) plans are mandated by state law, federal guidelines (such as HIPAA) or your biggest customers’ vendor contracts. For example, more than a dozen states require any company in the insurance industry to maintain a written IR plan, among other best practices. And your cyber insurance underwriter will almost certainly offer you a better rate if you have policies such as an IR plan in place.

Guides for Creating Your Plan

One go-to standard for IR plans is NIST publication 800-61, known as the “Computer Incident Handling Guide.” This 79-page document provides details on tasks such as structuring an IR team, handling incidents as they occur and coordinating across departments and organizations. NIST’s approach boils down to this four-part Incident Response Life Cycle:

Incident Response Lifecycle

You should also review the SANS Institute’s more concise guide, known as the Incident Handlers Handbook. SANS recommends that every plan provide a specific process for these six areas:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

Where to Start Your Plan

Begin by asking these critical questions about your business:

  • Who are the critical staff?
  • What resources are available?
  • Who are the primary and secondary contacts?
  • What is the backup process?
  • How quickly would you recover from an incident?
  • How could an incident impact future business?

Before implementing an IR plan, let your staff know so they can understand why you’re writing the plan and what their role will be during an incident. Include pertinent staff members in creation of the plan so that they’re invested in executing the plan when an incident comes up.

What to Put In Your Plan

These are the key elements to include in your IR plan:

  • Your definition of an “incident” – This determines what triggers your IR plan. Typical situations that constitute incidents are loss or accidental disclosure of sensitive info, an intrusion or attack on the network or the discovery of a vulnerability that could affect operations. Vague definitions of incidents can trigger unnecessary IR responses even for low-level situations.
  • IR team structure – The team’s size depends on your organization’s size and complexity. The team plan should include:

    – An incident coordinator tasked with managing meetings, keeping notes and documenting actions.

    – People with strong tech skills, IR experience and an understanding of the business.

    – Multiple people with strong communication skills who can share information clearly and efficiently with the right audiences.

    – Representation from key related areas such as legal, HR, and the physical facilities team.

    – An executive sponsor who can champion the team’s concerns up the ladder and provide visibility to the overall business.

    – A system for rotating IR team members on a planned basis to avoid burnout and promote fresh perspectives.

  • Roles/responsibilities – Clearly outline exactly who does what and establish a clear team leader. Some states’ regulations for certain industries require companies to officially report the name of the point of contact (POC) for information security. Be sure to consider duties your IR team may have in non-emergencies, such as training employees, monitoring threat alerts and participating in relevant industry groups.
  • Incident-reporting procedure – The team’s ability to respond effectively relies on finding out about the incident in a clear, timely manner. Describe whether notifications should take place through a help desk ticket, e-mail, phone call, etc. The plan should also specify procedures for preserving potential evidence. Your company’s ongoing security training should cover the incident-reporting procedure.
  • Communications plan for outside entities – You will probably need to notify people beyond your company war room about incidents. A chart like the one below from NIST shows the variety of parties with which you may need to interact. In your plan, establish clear rules of communication. Sharing the wrong information at the wrong time with the wrong entity could have implications for your cyber insurance, breach notification liabilities, class action suits, breach of contract claims and more.
    Incident Response Team Web
  • Post-event reporting – After the situation is resolved, the team should issue a report summarizing what happened and what remediations are required. Your plan should provide specifics on who will compile that report and which leaders get a copy. Go over questions such as: What went wrong? What went right? You should also establish a timeline of events to help answer these questions and see the bigger picture.

It’s easy for IR plans to get very long and complex, especially as you revise them over the years. But you should focus on streamlining your plan to the essentials that people can realistically follow in the excitement and confusion of a real incident.

Building Your External Team

Just as critical as your organization’s internal team is the lineup of external service providers you’ll call on in an emergency. It’s essential to identify and build relationships with your providers in advance for two reasons. First, service providers that get to know your organization in normal times will be prepared to spring into action with an informed point of view at a moment’s notice. Second, securing the providers ahead of time will help you use your preferred vendors rather than being stuck with an unknown company from your cyber insurance carrier’s preferred provider list. Once you’ve picked a vendor, ask your cyber insurance company to add them to the preferred list to ensure that you get to work with your selected partners.

Your external vendor team should include:

  • An attorney with cyber expertise
  • A digital forensics team
  • A breach coach
  • Cyber insurance contact
  • Public relations firm, if your industry is in the public eye

Test Your Plan

Your IR plan isn’t a set-it-and-forget-it proposition. You won’t know if it works unless you test it. And you won’t know if it continues to work unless you incorporate a specific, regular schedule for review. At minimum, review it once a year. If your business is highly dynamic, it may require more frequent review. Common changes that prompt plan updates include:

  • Changing personnel on the IR team
  • Implementing new technology platforms
  • Winning contracts with new clients
  • Entering new geographic or industry markets with different requirements
  • Increasing budgets that expand your resources

Review the Aftermath

After you experience an actual incident and contain the problem, the IR plan should include steps for reviewing the incident. Ask what went right and what went wrong. Establish a timeline of events to help answer these questions and show you the bigger picture.

After the review, adjust your plan as needed. If a step in the process didn’t go as planned, figure out why and make changes.

If you need help creating an IR plan tailored for your specific situation, contact Pratum today.

Penetration testing explained.

Penetration testing provides a real-world test of your security posture by sending an ethical hacker to break in using the same techniques as actual bad guys. While most people picture penetration testing as someone cracking lines of code, the process entails far more than that. Here’s an overview of the penetration testing process, from initial scoping to final validation.

Penetration Tester

Scoping

In this phase, clients and testers agree on the ground rules, such as whether the test of a web app extends to the infrastructure behind it. The team also decides whether to alert the client’s IT team about the penetration test or to let them practice stopping what they think is an actual attack.


Intel Gathering

Like real hackers, good penetration testers use the web, social media and other public sources to identify individuals and parts of the organization to target. They also uncover technical details through port scanning, network sniffing and more.

Vulnerability Scanning

Automated tools scan your system for known vulnerabilities such as open ports and unpatched software that the human pen tester can use in their attack.

Social Engineering

It’s easier to hack a person than a server. So pen testers often try to fool someone into giving up their system credentials through phishing, pretexting phone calls, etc.

Hacking Into the System

Armed with research, ethical hackers attack the system using known vulnerabilities; predictable or leaked passwords; spoofed login sites or devices; and more. Once they gain a foothold, penetration testers pivot through the environment to see how much data they can access.

Organizing Findings

The pen tester begins listing risks they discover and categorizing them according to a common standard such as the OWASP Top 10 for web apps. Risk categories include broken access control, cryptographic failures, insecure design and more.

Reporting

Now the penetration tester formats their work into an understandable, actionable report for the client team. A good reporting process includes an executive summary, an in-depth technical report and an action plan listing recommended remediations.

Remediation

Armed with the detailed report, the client’s team can begin remediating moderate and high risks.

Validation

After the IT team remediates risks highlighted in the external portion of the penetration test, the pen tester returns to confirm that each risk has been eliminated. This confirmation is included as part of all external engagements.


If you’re still trying to make sense of XDR, MDR and EDR, you’re not alone. The market doesn't have universal definitions of these terms, and overlap among the solutions makes it easy to drown in the alphabet soup. This blog summarizes the key differences in each solution so you can ensure that you’re using the right tools to secure your environment.

What the “DR” Part Means

The obvious common element in each solution is the DR, which stands for “detection and response.” That means these tools go beyond simply recording an event or blocking software based on known malicious signatures. Managed XDR and other DR tools actively assess patterns of malicious activity and shut down suspicious programs, quarantine devices, etc.

DR solutions have proven so effective at reducing attacks that most cyber insurance carriers now require them for anyone seeking to buy or renew a cyber policy. These tools have become a cybersecurity must-have because they address these growing threats:

  • Expanded attack surfaces/dispersed workforces – Organizations can no longer lock down all their data on company-owned devices inside the company building. Now you must secure your data in a world where employees are using mobile devices, home networks, etc.
  • Hackers lingering in systems – In a typical breach, hackers get into the environment months before administrators realize it. DR detects suspicious activity far sooner.
  • Growth in fileless malware – This malware type (also known as non-binary malware) can slip past most antivirus software, which looks for known file signatures. By some estimates, even the best antivirus solutions block only 50-60% of the threats.

EDR – Endpoint Detection and Response

Endpoint Detection and Response Flow Chart

EDR protects your environment’s biggest vulnerability: endpoints. In the Wild West of remote workforces, employees are using networks you don’t control; sharing devices with family members; installing whatever software they want; etc. In most environments, about 70% of all attacks start with an endpoint.

EDR provides visibility into the endpoints. It constantly logs and monitors activity in order to identify potentially malicious activity on endpoints and take action to stop or mitigate the attack. Rather than looking for file signatures as antivirus solutions do, EDR looks at the behavior of files. With this capability, EDR regularly spots zero-day threats and other attacks that security pros haven’t seen before. Beyond protection, it provides context about how the attack started and what it attempted to do.

EDR’s powerful response capabilities come from playbooks that guide the solution’s actions after spotting malicious activity. These playbooks determine when to block a file, quarantine a device, etc. Clearly, proper playbook tuning plays an enormous role in not only stopping malicious activity but in preventing a stream of false positives from overly sensitive triggers.

XDR – Extended Detection and Response

Extended Detection and Response Flow Chart

Even if you have EDR covering your endpoints, attacks will still arrive through your firewall, cloud workflows, email system, IoT devices, servers and more. XDR provides a holistic view of your extended technology ecosystem, encompassing endpoints as well as every other part, regardless of the vendor that created each component.

XDR’s critical advantage is correlation of events. XDR solutions monitor telemetry data such as syslog messages from across your environment to create a unified response. By leveraging artificial intelligence and machine learning, XDR identifies suspicious patterns amid the millions of system events that occur each day. In simple terms, XDR is designed to notice two seemingly unconnected activities in distant corners of your environment, recognize the pattern of a larger attack and take appropriate action. Without XDR, the left hand may never talk to the right hand, letting attackers lurk in your system far longer before they’re detected.
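The cross-source correlation described above, together with the playbook-driven response described in the EDR section, as an added example that is not from Pratum or from any XDR product: it parses a few constructed telemetry lines from three hypothetical sources (email gateway, EDR agent, firewall), keeps only the events each source would flag as weakly suspicious on its own, finds the ten-minute span per host that draws on the most distinct sources, and maps that corroboration count to a playbook action. The line format, event kinds, thresholds and sample lines are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    ts: datetime
    source: str   # telemetry source: "email", "edr" or "firewall" (hypothetical names)
    host: str
    kind: str     # normalized event type
    detail: str


# Constructed sample telemetry, not real logs. Assumed line format:
# <ISO-8601 UTC timestamp> <source> <host> <kind> <detail>
RAW_EVENTS = [
    "2024-05-01T09:00:05Z email    ws-17 attachment_opened invoice.docm",
    "2024-05-01T09:00:41Z edr      ws-17 child_process     WINWORD.EXE->powershell.exe",
    "2024-05-01T09:01:10Z firewall ws-17 outbound_new_dest 203.0.113.77:443",
    "2024-05-01T09:30:00Z edr      ws-04 child_process     explorer.exe->notepad.exe",
    "2024-05-01T11:15:00Z firewall ws-04 outbound_new_dest 198.51.100.9:443",
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")
WINDOW = timedelta(minutes=10)   # how close events must be to count as one story (assumption)


def parse_line(line: str) -> Event:
    ts, source, host, kind, detail = line.split(maxsplit=4)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, host, kind, detail)


def is_suspicious(ev: Event) -> bool:
    """Per-source signal: each one alone is weak, which is why we correlate."""
    if ev.kind == "attachment_opened":
        return ev.detail.lower().endswith(MACRO_EXTENSIONS)   # macro-enabled document
    if ev.kind == "child_process":
        parent = ev.detail.split("->", 1)[0].upper()
        return parent in OFFICE_PARENTS                      # Office app spawning a child
    if ev.kind == "outbound_new_dest":
        return True                                          # first contact with an unseen destination
    return False


def correlate(events: List[Event]) -> Dict[str, dict]:
    """For each host, find the WINDOW-sized span of suspicious events that
    draws on the most distinct telemetry sources."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if is_suspicious(ev):
            by_host.setdefault(ev.host, []).append(ev)

    findings: Dict[str, dict] = {}
    for host, evs in by_host.items():
        best: List[Event] = []
        for i, anchor in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - anchor.ts <= WINDOW]
            if len({e.source for e in window}) > len({e.source for e in best}):
                best = window
        findings[host] = {"sources": sorted({e.source for e in best}), "events": best}
    return findings


def playbook_action(num_sources: int) -> str:
    """Playbook step keyed on how many independent sources corroborate (thresholds are an assumption)."""
    if num_sources >= 3:
        return "quarantine_device"
    if num_sources == 2:
        return "alert_analyst"
    return "log_only"


def attack_story(finding: dict) -> List[str]:
    """Timeline an analyst can hand to incident response."""
    return [f"{e.ts:%H:%M:%S} [{e.source}] {e.kind}: {e.detail}" for e in finding["events"]]


def run(lines: List[str]) -> Dict[str, str]:
    """Map each host seen in the telemetry to the playbook action it triggers."""
    events = [parse_line(line) for line in lines]
    return {host: playbook_action(len(f["sources"])) for host, f in correlate(events).items()}


if __name__ == "__main__":
    findings = correlate([parse_line(line) for line in RAW_EVENTS])
    for host, finding in findings.items():
        print(host, "->", playbook_action(len(finding["sources"])))
        for step in attack_story(finding):
            print("   ", step)
```

On the sample data, ws-17 produces one story spanning all three sources inside a minute (macro document, Office spawning PowerShell, new outbound destination) and is quarantined, while ws-04 shows only a lone firewall event hours after a benign process launch and is merely logged. The point of the window and the source count is that any one of these signals would be noise on its own; the false-positive tuning the EDR section warns about lives in those two parameters.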

MDR – Managed Detection and Response

Managed Detection and Response Flow Chart

With MDR and Managed XDR, a third party (known as an MSSP or Managed Security Services Provider) manages the tools described above. Management goes far beyond simply responding to alerts. Top MSSPs constantly tune complex XDR solutions in response to emerging threats and your unique environment. Partnering with an MSSP relieves your organization from staffing up to run your own in-house SOC or asking an already-overtaxed IT team to take it on.

A good Managed XDR service has a team of SOC analysts constantly monitoring your environment and tuning the tool for optimal performance. The analysts review alerts and notify you when you should take action. They regularly revise proprietary playbooks and rules in response to an ever-changing landscape. (When the Log4j vulnerability emerged in December 2021, for example, Pratum’s SOC wrote new rules for our Managed XDR clients within 12 hours.) In short, a Managed XDR service gives you access to cutting-edge security tools and a team of pros who know how to get the most from the tools.

A Managed XDR service also gives you a big advantage if you face a breach and need support with incident response/digital forensics. Experienced SOC analysts can quickly leverage XDR to develop an attack story that goes far beyond merely stopping the breach. Managed XDR lets you identify all the places the attacker went and what they compromised, ensuring that you can fully stop the breach and recover data more quickly.

To learn more about how Managed XDR service can secure your environment without additional staffing, contact us today.
