Security incident response plan template: a dynamic approach

Published on April 11, 2025

There is no preset template for an incident response plan—multiple security events and responses often occur simultaneously and overlap. A security incident response plan is a requirement for organizations but should not be considered static. The approach to incident response is dynamic, so the methods used to automate incident response tasks should be as well.

This article describes the phases of a dynamic approach to incident response (DAIR), a framework to design a security incident response plan by leveraging analytics and automation. We break down each phase into what happens and how security orchestration and automation can assist with each step. 

Typical phases in a dynamic approach to incident response (DAIR) plan 

This article explores how your organization can implement each phase of DAIR, which defines a pattern to automate the steps in a security incident response plan template.

Dynamic approach to security incident response planning: A template for automation 

Here’s a detailed explanation of the phases of DAIR.

Prepare 

Preparation limits an incident's effects and damage. Preventative measures include asset inventories, policies, procedures, baselines, employee training, tabletops, incident response plans, and threat intelligence.

The success of the preparation phase in DAIR depends on your company's security governance processes and how well you know the business. You must understand what is essential to the business and its risk appetite—how much risk are they willing to take on?

Preventative measures for incident response (figure)

You can't protect your assets if you don't know what you own. It is not a coincidence that the Center for Internet Security (CIS) Controls are ordered by priority and that the first three cover inventories of enterprise hardware, software, and data.

Policies set the tone for security in an organization; procedures guide how to turn policies into action items. Baselines represent a system's normal state. Security and network teams should investigate any deviation from the baseline as a potential indicator of compromise (IOC). Security training spreads awareness and empowers employees to recognize threats and adopt best practices.

Tabletops and incident response plans help teams prepare for real-life incidents. Tabletop exercises (TTXes) reveal gaps in current incident response strategies and give teams confidence in handling an actual incident. Most frameworks require a TTX at least once a year, but when it comes to a full-time computer security incident response team (CSIRT), the more tabletops, the merrier. Practice makes perfect: Michael Jordan didn't win six championships without practicing.

Security assessments are a proactive approach to responding to potential incidents. All organizations with mature security programs pick a framework that works for their organization, such as NIST 800-53, CMMC, RMF, CSF, HITRUST, or HHS SRA. They then assess their controls against the recommended ones to prevent security incidents and maintain good security hygiene. You can't stay clean from yesterday's shower.


Teams use threat intelligence feeds to stay current on the latest exploits in the wild and to receive up-to-date information on indicators of compromise.  Threat intelligence feeds aggregate data from different sources, normalize it, and then deliver it to security teams, which integrate these feeds into their existing infrastructure (IDS, SIEM, firewalls, and EDRs). 

One way for teams to automate this process is by using a platform like Tines. Tines will pull data from multiple threat intelligence feeds, correlate data with internal logs, trigger actions based on IOCs—such as updating firewall rules, blocking IPs, and alerting personnel—and continuously monitor for new threats. The CSIRT can use these same response methods to document incident response playbooks.
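The feed-handling steps above (aggregate, normalize, deliver to the tools that consume the indicators) are easier to reason about in code. The following is an added example, not code from the original article or from Tines: it merges two constructed feeds in different formats into one deduplicated indicator set, drops stale and low-confidence entries, and correlates the result against a constructed firewall log. Feed formats, field names, indicator values and log lines are all made up for illustration.

```python
"""Normalize two differently formatted threat-intel feeds into one deduplicated
IOC set, then match the set against internal firewall logs. Added example:
feed formats, IOC values and log lines are all constructed for illustration."""
import csv
import io
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed feed A: CSV with one indicator per row.
FEED_A_CSV = """indicator,type,confidence,last_seen
203.0.113.10,ipv4,90,2025-04-09T10:00:00Z
bad-update.example,domain,70,2025-04-01T00:00:00Z
203.0.113.10,ipv4,60,2025-04-08T00:00:00Z
"""

# Constructed feed B: JSON lines using different field names and type labels.
FEED_B_JSONL = """\
{"value": "198.51.100.7", "kind": "ip", "score": 80, "seen": "2025-04-10T12:30:00Z"}
{"value": "BAD-UPDATE.EXAMPLE.", "kind": "fqdn", "score": 95, "seen": "2025-04-10T00:00:00Z"}
{"value": "203.0.113.99", "kind": "ip", "score": 40, "seen": "2025-01-01T00:00:00Z"}
"""

# Map each feed's type vocabulary onto one internal vocabulary.
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "fqdn": "domain"}


def _canon(ioc_type, value):
    """Canonical form so the same indicator from two feeds collapses into one."""
    if ioc_type == "ip":
        return str(ipaddress.ip_address(value.strip()))  # also validates the IP
    return value.strip().lower().rstrip(".")


def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_feed_a(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield TYPE_MAP[row["type"]], row["indicator"], int(row["confidence"]), _ts(row["last_seen"])


def parse_feed_b(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        yield TYPE_MAP[rec["kind"]], rec["value"], int(rec["score"]), _ts(rec["seen"])


def build_ioc_set(feeds, now, max_age_days=30, min_confidence=50):
    """Merge feeds; keep the highest confidence per indicator; drop stale or weak ones."""
    merged = {}
    for feed in feeds:
        for ioc_type, value, conf, seen in feed:
            if now - seen > timedelta(days=max_age_days):
                continue  # stale indicator: blocking it would mostly add false positives
            key = (ioc_type, _canon(ioc_type, value))
            if key not in merged or conf > merged[key]:
                merged[key] = conf
    return {k: v for k, v in merged.items() if v >= min_confidence}


# Constructed internal firewall log: timestamp, internal src, dst IP, resolved name or "-".
FW_LOG = """\
2025-04-11T08:00:01Z 10.0.0.5 203.0.113.10 -
2025-04-11T08:00:02Z 10.0.0.7 93.184.216.34 example.com
2025-04-11T08:00:03Z 10.0.0.9 198.51.100.200 bad-update.example
"""


def correlate(ioc_set, log_text):
    """Return (timestamp, internal host, matched indicator, confidence) for each hit."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, name = line.split()
        for key in (("ip", _canon("ip", dst)), ("domain", _canon("domain", name))):
            if key in ioc_set:
                hits.append((ts, src, key[1], ioc_set[key]))
    return hits


def run_example(now=datetime(2025, 4, 11, tzinfo=timezone.utc)):
    iocs = build_ioc_set([parse_feed_a(FEED_A_CSV), parse_feed_b(FEED_B_JSONL)], now)
    return iocs, correlate(iocs, FW_LOG)


if __name__ == "__main__":
    for hit in run_example()[1]:
        print(hit)
```

The two hits it reports (the connection to 203.0.113.10 and the lookup of bad-update.example) are what a workflow would hand to the next step, such as a firewall rule update or an analyst alert; the stale 203.0.113.99 entry is dropped before it can generate noise.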

The simplest aspect of security assessments that teams can automate is vulnerability scanning. Tools such as Tenable Nessus scan endpoints, Wiz checks containers and infrastructure as code (IaC) configurations, and Checkmarx analyzes source code (SAST).


Detect 

Since the rise of AI and machine learning, user and entity behavior analytics (UEBA) has become central to the detection phase of DAIR. UEBA can catch unknown threats that signature-based approaches miss, because the detection tools respond to deviations from a behavioral baseline rather than to known patterns alone. Detection is the phase that can be automated almost entirely through workflow orchestration and automation combined with analytics.

Endpoint detection and response (EDR) systems monitor and analyze endpoints like desktops, laptops, and servers to detect and respond to threats. They integrate with other security tools to provide visibility into indicators of compromise (IOCs) and possible remediation. Similarly, network detection and response (NDR) tools, from vendors such as Darktrace, monitor network traffic.

Web application firewalls (WAFs) protect web applications by filtering and monitoring HTTP/S traffic between them and the Internet, blocking malicious requests based on predefined security rules. Even WAFs can benefit from workflow orchestration and automation by integrating with threat feeds and applying rule updates automatically.

Security information and event management (SIEM) solutions provide centralized logging. Automated log analysis and alerting capabilities enable SIEMs to detect irregularities and potential IOCs. Adding UEBA to a SIEM can reduce false positives and alert fatigue because alerts are measured against an established behavioral baseline.

Intrusion detection/prevention systems (IDS/IPS) monitor network and endpoint traffic for suspicious activities and known attack patterns. Tools such as Snort and Suricata are open-source and signature-based, and there is a trend toward combining signature-based and behavior-based detection in one pipeline.
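To make the baseline idea concrete, here is an added example (not the article's code, and not how any particular UEBA product works) of the simplest form of behavioral detection: learn each user's normal login hours and source networks from a training window of constructed authentication events, then flag new events that fall outside that baseline. It deliberately reports a reason per finding, since the verification phase that follows needs to know why something was flagged.

```python
"""Toy UEBA-style detector: learn each user's normal login hours and source
networks from a training window, then flag logins that deviate from that
baseline. Added example with constructed log lines; not a product's algorithm."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed authentication events: timestamp, user, source IP, result.
TRAINING = """\
2025-03-03T08:55:00 alice 10.0.1.20 success
2025-03-04T09:10:00 alice 10.0.1.20 success
2025-03-05T09:02:00 alice 10.0.1.21 success
2025-03-03T22:15:00 svc_backup 10.0.9.5 success
2025-03-04T22:15:00 svc_backup 10.0.9.5 success
"""

# Constructed events from the day under investigation.
NEW_EVENTS = """\
2025-04-11T09:05:00 alice 10.0.1.22 success
2025-04-11T03:12:00 alice 10.0.1.20 success
2025-04-11T22:15:00 svc_backup 10.0.9.5 success
2025-04-11T14:00:00 svc_backup 198.51.100.7 success
2025-04-11T10:00:00 mallory 10.0.1.30 success
"""


def parse(text):
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), result


def _net(ip, prefix):
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_baseline(events, prefix=24):
    """Per user: the set of login hours and the set of source /24 networks seen."""
    hours = defaultdict(set)
    nets = defaultdict(set)
    for ts, user, ip, result in events:
        if result != "success":
            continue  # failed logins say nothing about the user's normal behavior
        hours[user].add(ts.hour)
        nets[user].add(_net(ip, prefix))
    return {"hours": hours, "nets": nets}


def _hour_distance(a, b):
    d = abs(a - b)
    return min(d, 24 - d)  # 23:00 and 00:00 are one hour apart, not 23


def detect(baseline, events, hour_slack=1, prefix=24):
    """Return a list of ((timestamp, user, ip), reasons) for events outside the baseline."""
    findings = []
    for ts, user, ip, result in events:
        reasons = []
        if user not in baseline["hours"]:
            reasons.append("no baseline for user")
        else:
            if not any(_hour_distance(ts.hour, h) <= hour_slack for h in baseline["hours"][user]):
                reasons.append(f"hour {ts.hour} outside baseline")
            net = _net(ip, prefix)
            if net not in baseline["nets"][user]:
                reasons.append(f"new source network {net}")
        if reasons:
            findings.append(((ts.isoformat(), user, str(ip)), reasons))
    return findings


def run_example():
    baseline = build_baseline(parse(TRAINING))
    return detect(baseline, parse(NEW_EVENTS))


if __name__ == "__main__":
    for event, reasons in run_example():
        print(event, "->", "; ".join(reasons))
```

Three of the five new events are flagged: alice's 03:12 login (unusual hour), the service account logging in at 14:00 from an external network (two deviations at once, which is the strongest signal here), and a user with no baseline at all. The 09:05 login from a new but in-baseline /24 passes, which is the false-positive reduction the paragraph above refers to.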

Verify 

The first step in responding is always to verify the incident. Verification requires a thorough examination to determine whether an alert or IOC is a genuine security incident or a false positive. It involves analyzing logs, monitoring network traffic, and assessing system integrity to gather enough evidence for an informed decision.

Organizations cannot automate certain aspects of this phase; it takes a security expert to differentiate between false positives and actual threats. Verification may require inspecting packets and reading hex dumps to separate benign from malicious traffic, meeting with a vendor to confirm that a new module is legitimate, or confirming that an IP anomaly is benign because an executive is traveling.

However, workflow orchestration and automation can filter alerts, correlate events, and prioritize based on criticality. The previous section covers automation techniques to reduce false positives and alert fatigue. 
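The filtering, correlation and prioritization the paragraph describes is what an orchestration workflow does before an analyst ever opens the case. As an added example (not from the article or from any product), the code below deduplicates constructed alerts from several tools, groups them by host, scores each case by asset criticality and by how many independent detections agree, and attaches known-benign context such as a travel record. It lowers the score of a likely-benign case rather than closing it, because the final call stays with the analyst.

```python
"""Alert triage helper for the verify phase: merge duplicate alerts, correlate
alerts that share a host, score cases by asset criticality, and attach
known-benign context so the analyst sees it immediately. Added example; the
alerts, asset inventory and travel records are constructed."""
from collections import defaultdict

# Constructed asset inventory from the preparation phase: host -> criticality 1..5.
ASSETS = {"db-prod-01": 5, "fin-laptop-07": 4, "kiosk-02": 1}

# Constructed known-benign context: user -> countries they are currently travelling in.
TRAVEL = {"cfo": {"JP"}}

# Constructed raw alerts from several tools.
ALERTS = [
    {"id": 1, "source": "siem", "host": "fin-laptop-07", "user": "cfo",
     "rule": "impossible_travel", "geo": "JP", "severity": 3},
    {"id": 2, "source": "edr", "host": "fin-laptop-07", "user": "cfo",
     "rule": "impossible_travel", "geo": "JP", "severity": 3},
    {"id": 3, "source": "edr", "host": "db-prod-01", "user": "svc_db",
     "rule": "new_persistence_service", "severity": 4},
    {"id": 4, "source": "ndr", "host": "db-prod-01", "user": None,
     "rule": "beacon_like_traffic", "severity": 3},
    {"id": 5, "source": "ids", "host": "kiosk-02", "user": None,
     "rule": "port_scan_inbound", "severity": 2},
]


def dedupe(alerts):
    """Collapse alerts that fire on the same host and rule; remember the raw ids."""
    merged = {}
    for a in alerts:
        key = (a["host"], a["rule"])
        if key not in merged:
            merged[key] = dict(a, ids=[a["id"]], sources={a["source"]})
        else:
            merged[key]["ids"].append(a["id"])
            merged[key]["sources"].add(a["source"])
    return list(merged.values())


def correlate(alerts):
    """Group deduplicated alerts by host so the analyst works one case per host."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    return by_host


def triage(by_host, assets, travel):
    """Score each case: criticality x worst severity, plus a bonus per extra detection."""
    cases = []
    for host, alerts in by_host.items():
        crit = assets.get(host, 3)  # unknown asset: assume medium rather than ignore it
        score = crit * max(a["severity"] for a in alerts) + 2 * (len(alerts) - 1)
        notes = []
        for a in alerts:
            if a["rule"] == "impossible_travel" and a.get("geo") in travel.get(a["user"], set()):
                notes.append(f"{a['user']} has a travel record for {a['geo']}; likely benign")
                score -= crit * a["severity"]  # downgrade, but leave the case open for review
        cases.append({"host": host, "score": score,
                      "alerts": [a["rule"] for a in alerts], "notes": notes})
    return sorted(cases, key=lambda c: c["score"], reverse=True)


def run_example():
    return triage(correlate(dedupe(ALERTS)), ASSETS, TRAVEL)


if __name__ == "__main__":
    for case in run_example():
        print(case["score"], case["host"], case["alerts"], case["notes"])
```

The production database, with two different tools agreeing on independent signs of compromise, lands at the top of the queue; the CFO's "impossible travel" alert, raised by two tools but explained by a travel record, drops to the bottom with the explanation attached.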


Scope 

Lateral movement describes the actions threat actors take to move throughout a network. There are many ways to do this, and the moves can blend in with legitimate traffic. Scoping to determine where the threat is and has been in a network is essential to contain the incident. 

The scope of an incident may change as it progresses. It is necessary to scan the environment for more IOCs. Scoping an incident will be easier the more detection mechanisms and filtering capabilities an organization has. Creating scripts to monitor the environment for known IOCs will be helpful in this phase. 

Here is an example of tcpdump reading a saved packet capture and filtering for packets from a host IP. The host could be the threat actor who penetrated the network; drop `src` to see traffic in both directions.

tcpdump -n -r <CAPTURE_FILE> src host <IP_ADDRESS>
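Filtering one capture is the manual version of scoping; the scripted version the previous paragraph calls for sweeps every host's logs for every known IOC and orders the hosts by when they first touched one. The following added example (not the article's code) does that over constructed log lines from three hosts with a constructed IOC set of an IP, a file hash and a compromised account name. The ordering of first sightings is the lateral-movement path an analyst then confirms.

```python
"""IOC sweep for the scoping phase: search centralized host logs for a set of
known indicators and build a first-seen/last-seen timeline per host, which
shows where the intruder has been and in what order. Added example; the
indicators and log lines are constructed."""
import re

# Constructed IOCs gathered during verification.
IOCS = {
    "ip": {"198.51.100.7"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "user": {"svc_backup"},
}

# Constructed, already centralized log lines as (host, line) pairs.
LOGS = [
    ("ws-12", "2025-04-11T01:02:10 sshd: Accepted password for svc_backup from 198.51.100.7"),
    ("ws-12", "2025-04-11T01:05:44 exec sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 /tmp/.x"),
    ("ws-12", "2025-04-11T01:09:00 sshd: session opened for user svc_backup to 10.0.2.15"),
    ("srv-db", "2025-04-11T01:10:31 sshd: Accepted publickey for svc_backup from 10.0.2.12"),
    ("srv-db", "2025-04-11T02:00:00 cron: backup completed"),
    ("ws-40", "2025-04-11T09:00:00 sshd: Accepted password for alice from 10.0.1.20"),
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
# "for alice", "for user bob", "user carol" all yield the account name.
USER_RE = re.compile(r"\b(?:for|user)(?: user)? (\w+)\b")
TS_RE = re.compile(r"^(\S+) ")


def extract(line):
    """Pull every candidate indicator out of one log line as (kind, value) pairs."""
    found = set()
    for ip in IP_RE.findall(line):
        found.add(("ip", ip))
    for digest in SHA256_RE.findall(line.lower()):
        found.add(("sha256", digest))
    for user in USER_RE.findall(line):
        found.add(("user", user))
    return found


def sweep(logs, iocs):
    """Return {host: {"first": ts, "last": ts, "matches": set}} for hosts that touched an IOC."""
    hits = {}
    for host, line in logs:
        matched = {(kind, val) for kind, val in extract(line) if val in iocs.get(kind, set())}
        if not matched:
            continue
        ts = TS_RE.match(line).group(1)
        entry = hits.setdefault(host, {"first": ts, "last": ts, "matches": set()})
        entry["first"] = min(entry["first"], ts)  # ISO-8601 strings sort chronologically
        entry["last"] = max(entry["last"], ts)
        entry["matches"] |= matched
    return hits


def timeline(hits):
    """Hosts ordered by first IOC sighting: the likely path of lateral movement."""
    return sorted(hits, key=lambda h: hits[h]["first"])


if __name__ == "__main__":
    found = sweep(LOGS, IOCS)
    for host in timeline(found):
        print(host, found[host]["first"], found[host]["last"], sorted(found[host]["matches"]))
```

The sweep places ws-12 first (external login, dropped binary, then a session toward the internal network) and srv-db second, where the same account arrives from an internal address that is not yet an IOC. That new address is exactly the kind of finding that widens the scope, so a real sweep is rerun each time the IOC list grows.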

Contain 

The goal of containment is to prevent a threat from operating inside a compromised network. Failure to properly scope an incident will prevent it from being adequately contained. 

A CSIRT may contain an incident by isolating and patching systems, segmenting the network, eliminating backdoor access, disabling accounts, using network filtering devices, changing DNS entries, and so on. Like the previous phases, containment may help simultaneously reach other goals, such as eradication.

Security orchestration, automation, and response (SOAR) platforms are what security teams use to automate containment. SOAR playbooks encode the response to a specific kind of incident as a sequence of automated steps, such as isolating systems or blocking malicious IP addresses.
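A playbook that can isolate hosts and disable accounts is itself a way to cause an outage, so the part worth seeing in code is the guardrails. The block below is an added example, not the article's code and not any SOAR product's API: the EDR, firewall and identity backends are in-memory stand-ins. It shows a containment playbook with a dry-run mode, a protected-asset list whose members are not isolated without explicit approval, an idempotent block step, and an audit trail of what was done, skipped or deferred.

```python
"""Containment playbook skeleton in the SOAR style: a set of steps (isolate host,
block IP, disable account) run against pluggable backends, with the safeguards
a practitioner wants: dry-run mode, a do-not-touch list for assets whose
isolation needs human approval, idempotent blocklist updates and an audit trail.
Added example; the backends are in-memory stand-ins, not a real EDR/firewall/IdP API."""
from dataclasses import dataclass, field


class Backends:
    """In-memory stand-ins for EDR, firewall and identity provider (constructed)."""

    def __init__(self):
        self.isolated = set()
        self.blocked_ips = set()
        self.disabled_users = set()

    def isolate_host(self, host):
        self.isolated.add(host)

    def block_ip(self, ip):
        self.blocked_ips.add(ip)  # set semantics: repeating a block is harmless

    def disable_user(self, user):
        self.disabled_users.add(user)


@dataclass
class Playbook:
    backends: Backends
    protected_hosts: set = field(default_factory=set)  # isolation needs a human's approval
    dry_run: bool = False
    audit: list = field(default_factory=list)

    def _log(self, status, action, target, why=""):
        self.audit.append({"status": status, "action": action, "target": target, "why": why})

    def _do(self, action, target):
        if self.dry_run:
            self._log("would_run", action, target)
            return
        getattr(self.backends, action)(target)
        self._log("done", action, target)

    def run(self, incident):
        """incident: {"hosts": [...], "ips": [...], "users": [...], "approved": set()}"""
        approved = incident.get("approved", set())
        for host in incident.get("hosts", []):
            if host in self.protected_hosts and host not in approved:
                self._log("needs_approval", "isolate_host", host, "protected asset")
                continue
            self._do("isolate_host", host)
        for ip in incident.get("ips", []):
            if ip in self.backends.blocked_ips:
                self._log("skipped", "block_ip", ip, "already blocked")
                continue
            self._do("block_ip", ip)
        for user in incident.get("users", []):
            self._do("disable_user", user)
        return self.audit


def run_example(dry_run=False):
    """Constructed incident: a workstation, a protected database, two IPs, one account."""
    backends = Backends()
    backends.blocked_ips.add("198.51.100.7")  # blocked earlier by another playbook run
    playbook = Playbook(backends, protected_hosts={"db-prod-01"}, dry_run=dry_run)
    incident = {
        "hosts": ["ws-12", "db-prod-01"],
        "ips": ["198.51.100.7", "203.0.113.10"],
        "users": ["svc_backup"],
    }
    return playbook.run(incident), backends


if __name__ == "__main__":
    for entry in run_example(dry_run=True)[0]:
        print(entry)
```

Run with dry_run=True first: the audit shows exactly what would happen, including that the production database would wait for approval, before any backend is touched. Passing the host in the incident's "approved" set is how a human unblocks that step.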

You are probably picking up on the pattern that all incident response template phases intertwine, so taking a dynamic approach and automating along the way will make the entire process go more smoothly. 

Eradicate 

When CSIRT members eradicate an incident, they undo the threat actor's actions. Where containment stops malicious activity, eradication removes it. Eradication and recovery often achieve similar goals. Examples of eradication activities:

  • Restoring systems from trusted backups

  • Removing malware, backdoor processes, and accounts

  • Patching

  • Restoring source code to a version before compromise

Backups and version control are some of the most important things a company can use to protect itself from malicious activity. James Cooker reported 574 ransomware attacks in December 2024. According to that report, 30% of the ransomware attacks came from phishing and 30% from compromised accounts.

Besides employee training, backups are essential for protecting your organization against ransomware. Regular and secure backups ensure that teams can restore data. Companies like Veeam and Rubrik offer automated backup solutions.   

Malware removal is another part of eradication. Removing malware may require scanning all endpoints, servers, and network devices. Workflow orchestration and automation platforms like Tines can provide automation, but a seasoned security professional must confirm complete removal.

Restoring source code to a version before a compromise is common. This involves reverting to a clean version of the codebase that security teams know to be unaltered. Companies often have release management teams integrated into DevOps. Version control allows release managers to create branches for new features, bug fixes, and quality assurance testing before merging into a main branch. Luckily for security teams, version control helps eradicate incidents that involve tampering with source code, provided the team can establish which revision actually predates the compromise rather than assuming the last release was clean.

Recover 

Containing, eradicating, and recovering are all components of DAIR, but they are often not sequential and co-occur. Recovery, specifically, focuses on restoring systems to their normal operational status after a security incident. Recovery requires rebuilding the system and is purely focused on business impact and operations.

Rebuilding the system from scratch is almost always the safest way to restore it, but it is not always possible. Incident responders may have to reformat system drives, change Terraform files, reinstall software from trusted sources, restore data, and harden the system so it isn't vulnerable again. After provisioning replacement cloud infrastructure with Terraform, configuration management tools such as Ansible, Puppet, or Chef can automate software installation and hardening.


Companies should bring systems online during non-peak hours. It will be easier to monitor changes when there is less network activity. However, the decision will ultimately be up to the business.

Retrospective 

Also known as a lessons-learned retrospective or post-mortem, a retrospective after a security incident is a way to document lessons learned during the incident and make changes to reduce the mean time to recovery (MTTR) of future incidents. By analyzing how the team worked together, CSIRTs can identify strengths and weaknesses to improve efficiency.

In addition to identifying what went well and what didn't and updating documentation, teams can automate the retrospective process by sending anonymous surveys to all stakeholders involved in the incident. Survey feedback can reveal overlooked issues.  

A well-executed retrospective will document what happened and transform insights into actionable improvement. 


Last thoughts 

Incident response plans must be dynamic and adaptable. DAIR includes these key phases: Prepare, Detect, Verify, Scope, Contain, Eradicate, Recover, and Retrospective:

  • Preparation focuses on preventative measures: threat intelligence, asset inventories, policies, employee training, and tabletop exercises. Teams can automate through threat intelligence feeds and security scans.

  • Detection is best done with user and entity behavioral analytics rather than a signature-based tool. EDR, NDR, SIEM, and IDS/IPS enhance automated detection capabilities. The detection phase can be almost entirely automated. 

  • Verification of incidents requires thorough investigation. 

  • Containment prevents threats from continuing in compromised networks through isolation and patching. 

  • Eradication restores systems from backups, removes malware, and applies patches, with backups being the most crucial for recovery. 

  • Recovery restores operations by rebuilding systems, employing reformatting and hardening. 

  • Retrospectives make incident response teams more efficient and less burnt out and reduce the MTTR. 

All of these phases can use workflow orchestration and automation to make CSIRTs more efficient; verification is the one phase where automation only filters and prioritizes, and a human analyst still makes the final call.
