Appalachia Technologies Blog
What is an Incident Response Plan (IRP)? (appTECH TALK Ep. 4)
Let’s face it: if you haven’t had a security incident in your organization yet, you will. Are you prepared? An Incident Response Plan (IRP) is the playbook you establish ahead of time and practice on a regular basis. When a breach happens, it tells you who does what, how, and in which order, so that you can protect your organization and minimize the impact. Let’s break down the phases of an IRP.
Prepare
This is by far the most important phase of the entire IRP. The prep phase ensures that every employee knows their individual responsibilities when an incident occurs, and that the things the team will need in the moment already exist: named roles (and backups for those roles), contact and escalation lists, and the logging and access needed to investigate. It involves training and tabletop exercises. Each training and simulation exercise should be reviewed closely, and any gaps it exposes should be closed. This is the time to practice and make your plan as streamlined as possible; nobody should be reading the plan for the first time during a breach.
Identify
Typically a breach is discovered in one of four ways:
- Internally (antivirus alerts, IDS alerts, system anomalies, etc.)
- Notification from your bank (the bank’s customers reporting fraud on their cards)
- Notification from law enforcement (for example, while investigating stolen credit cards that trace back to you)
- Multiple customer complaints to the organization
Note that three of the four are external: someone else noticed before you did, which usually means the attacker has been in your environment for a while. So the first job in this phase is to confirm that an incident is real, establish when it started, and determine which systems and data are involved. Write down what you find as you go; that record feeds every later phase.
Contain
Now that the breach has been discovered, it is important to contain it. Containment, meaning limiting the spread and the impact, may be as simple as taking a single system offline or as complex as isolating an entire network segment. It should happen as quickly and efficiently as possible. One caveat: where you can, preserve evidence (memory, disk images, logs) before you power a system off or rebuild it, because that evidence is what the Eradicate and Review phases depend on. The Prepare phase should already have the team rehearsed on several possible scenarios; the more scenarios practiced from the playbook, the more streamlined and efficient containment will be.
Eradicate
This phase is extremely important. It involves removing the attacker’s foothold: deleting malware, closing the access path that was used (a leaked credential, an exposed service), patching the unpatched systems, and hardening systems that were left in a weak configuration. If it is not done thoroughly, the attacker keeps or regains access, the infection returns, and your organization finds itself looping back through containment. Policies and procedures also need to be examined so that the root cause can be found and fixed. For example, if system hardening standards are not enforced when systems are built, that build process is the thing to remediate, not just the one system that was compromised.
Recover
Recovery involves bringing systems back: turning them on, plugging devices back into the network, or reopening the network segment that was closed off during containment. Where you cannot be confident a system is clean, rebuild it from a known-good image or restore it from a backup taken before the compromise rather than putting the original back. Once systems are back online, they should be monitored very closely to make sure reinfection is not happening. It is important that this phase is completed only with confidence that eradication is complete.
Review
After the previous steps have been completed, it is important to meet with your team and have an open conversation about what happened. The “lessons learned” discussion should be open to all team members. This is the time to talk about things that occurred that were not covered by the plan, playbook, or tabletop exercises: what was detected late, which step took longer than expected, which contact was missing. The review phase makes your IRP stronger for the next incident.
No plan should ever be viewed as complete or final. An IRP is an ongoing, evolving document that should be reviewed and revised often. As threats and risks change, the IRP should change to align with them.
If you would like to have an IRP built for your organization, reach out to us at or 888-277-8320.
Mike Miller is a cybersecurity professional with 25 years of experience in the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.