How to create an incident response plan: A guide for MSPs
When it comes to responding to a cyber incident, every second counts. Developing a comprehensive incident response plan before an incident occurs ensures that you’ll be prepared to take control of the situation, respond appropriately and take swift action to limit the impact of the attack.
Step 1: Understand the client
Before you start working on the plan, take some time to map out your client's IT environment and identify the most important assets. This is essentially a risk assessment. Which systems, services, and applications are critical to get back up and running if something goes wrong? Which data stores matter most to your client, and to a potential attacker? What level of risk is acceptable given their technology and budget constraints?
Stay objective and ask your client to be honest about any potential weaknesses. Knowing exactly what's important in their IT systems will help you respond in the most effective way possible.
Step 2: Build your team
Once you've done the risk assessment of your client, it's time to put together your team. This is the group of people who will be in charge of responding to an incident and making sure the response plan is executed properly. Some MSPs might be able to handle this with their own staff, but most will need to bring in outside experts to help out. One of the most important things you'll do is coordinate everyone involved in the response.
As an MSP, your role will mostly be to organize the response rather than doing the actual work yourself. You'll also be the go-between for your client and the specialists on your team, managing the technical side of things and keeping your client updated on what's happening.
Step 3: Define response procedures
Once you’ve assembled your team, you’ll need to define your response procedures. These are the step-by-step actions that need to be taken in the event of an incident to remediate the problem and restore your client’s systems to normal operation. You’ll also need to define timeframes, including response and resolution times.
Given that organizations may generate hundreds or even thousands of security alerts each day, MSPs should aim to automate incident response tasks wherever possible (automated response tools and procedures should also be detailed in the incident response plan).
However, while automated tools can help alleviate repetitive tasks to a certain extent, manual, human intervention will be necessary at times to investigate alerts and analyze computer-generated data. As such, an incident response plan must specify which members of the response team will be notified, when in the response chain they’ll be contacted and the communication channels that will be used with stakeholders.
Response procedures should always be tailored to the needs of the individual client, but may include the following steps:
Step 4: Remember to protect yourself
Your incident response plan shouldn't just focus on helping your clients; it should also cover how you'll protect your own business. Depending on what happens, you could face legal liability or damage to your reputation. In addition, the companies you work with are often much bigger than your MSP. That's why your plan needs to include things like:
Step 5: Test, test, test
Creating an incident response plan is one thing, but actually carrying it out during a real emergency is a whole other ball game. That's why you need to test your plan.
Pick a cyber event and follow your plan step-by-step. This will help you see how well your team can handle the pressure and uncover any weak spots in your response chain. Make sure to review and update your plan regularly, at least once a year.
After a real incident, do a thorough review to find areas where you can improve. Use what you learned during the event and the review to update your incident response plan.
Step 6: Keep the plan up to date
The threat landscape is always changing and your clients' needs are too. That's why your incident response plan shouldn't be a static document. You need to update it regularly to reflect any recent changes that might affect how you respond to threats.
For example, you might need to update contact info if someone leaves the company or change your processes if you add a new forensic tool to your toolkit. If your plan has outdated or incorrect info, it could really hurt your ability to respond to and contain threats.
So make sure you're always reviewing and updating your plan to minimize the risk of any problems.
Conclusion
When it comes to cybersecurity, it's best to prepare for the worst. Even if you try your best to keep a client's system secure, there's no such thing as absolute security. That's why you need a solid incident response plan. It'll help you and your clients handle a breach, stop the threat, and restore the affected systems quickly. Remember, being prepared is key.
On a Mission to solve technology challenges for the right clients in the Inland Empire
So in this case I was specifically referencing an MSP-specific IR plan for how to handle if we are breached. It obviously has implications down to our clients and the training dramatically improves client resiliency. Clients need to be heavily involved in IR/DR continuity plans because what we think is important could be tertiary to what the client needs/wants. Also the 10% was purely based on what I saw in the room not actual research numbers. (Just wanted to clarify!) Great post and thanks for sharing your article.