How to Be Proactive About Incident Response

8 minute read

February 2023

Let’s face it, the threat of cyber attacks is a constant concern. No matter what you do, the concern of what’s next never goes away.

And if protecting your own hardware and software systems wasn’t enough, then you have to consider the substantial risk posed by your third parties. “Third parties” is an all-encompassing term, and can include vendors, suppliers, service providers, and others that have access to your data and/or systems. Third-party risk is a vulnerability brought about by external parties within your ecosystem.

Not if, but when these third-party attacks do occur, having the proper data to tell you where to look first is vital to minimizing damages. In addition, having the insights of knowing where your risks lie proactively before these incidents will help you contain the impact. Don’t wait for disaster; having an incident response plan is critically important. 

In this article, we’ll talk about incident response industry frameworks, proactivity versus reactivity, how cyber attacks affect organizations, and how to evaluate your most critical third-party risks.  

What Is an Incident Response Plan?

An incident response plan is an outline for action when your organization is a victim of a cyber attack. There is no one size fits all incident response, but the National Institute of Standards and Technology (NIST) and SysAdmin, Audit, Network, and SANS Security Institute have industry-standard frameworks that we can follow when creating an incident response plan. 

The NIST has a life cycle with four steps which are:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post Incident Activity

The SANS includes six steps which are:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

So, what do these steps really mean? Let’s dive into it. 

Preparation (NIST/SANS)

Preparation is part of proactivity with incident response. It includes creating an incident response team, considering strategy for your organization, creating your access controls, and gathering backup or evidence-collecting materials that could be useful for attacks.

While some of these options may seem self-explanatory, thinking critically about these actions can improve your incident response. For example, it may seem obvious to put your IT staff on your incident response team, but there are also benefits to a team with additional perspectives and skills. Cyber attacks involve a diverse set of problems, such as reputational damages, financial ramifications, and legal issues. As such, think about including HR managers, PR managers, attorneys, and accountants in your preparations.

Detection and Analysis (NIST) / Identification (SANS)

The next phase of incident response includes identifying current attacks or planning for future identification. Remember, though, attacks are creative and difficult to predict. By “planning,” we mean understanding attacks categorically and creating a baseline strategy. 

There are two types of signs for an incident, a precursor or an indicator. Precursors are warnings for a future attack, while indicators are signs that an attack is either currently happening or has already occurred. 

An example of a precursor could be a threatening email or web server log entries that show the usage of a vulnerability scanner. 

An indicator could be a notification that a certain IP address is failing to log in multiple times, a large number of bounced emails with suspicious content, or antivirus software alerts.

As you might have guessed, not every indicator necessarily means there is an attack. But, consistently and thoroughly keeping up-to-date logs about all activity, understanding normal behaviors, and researching errors can help you understand each indicator better.

Incident Containment, Eradication, and Recovery 

Now, let’s talk about reactive measures you can take if your organization is an unfortunate victim of a cyber attack. To do so, let’s start with the three phases of containment: short-term containment, system backup, and long-term containment.

Short-term containment

Short-term containment is limiting the damage as soon as possible. As the name suggests, short-term containment is only a short-term solution to prevent further damage. 

System backup 

System backup is taking a forensic image of the affected system(s). This is necessary for gathering evidence about the incident. System backup is extremely important for the future. Not only can it assist you with pressing legal charges, but it can also be a reflection tool for your team to prevent further attacks. 

Long-term containment

Long-term containment involves fixing unaffected systems so they can continue to be used while your team moves forward with resolving the attack. Completely resolving the attack can take days or even months, so you don’t want (and likely can’t afford) your organization to have to shut down during this time. Long-term containment makes sure that software that was not attacked can continue to run normally without a threat. 

When applying containment practices, this can be a good time to go back to the strategy you made during proactive preparation. What are your top priorities or damages? Are you mostly concerned with losing data? Damaging your reputation? Loss of both productivity and revenue?

A little side note—containment does not mean hiding the problem. Try putting yourself in the shoes of those who are having their information breached, especially when thinking about trust and future relationships.


Eradication is the action of removing all components of the incident. After containing the attack, eradication is the time when you reimage systems, fully fix the vulnerabilities, and remove the attacker.


Recovery is when you can bring affected systems back to normal production. When recovering, you want to ensure protection from another incident. Testing, monitoring, and validating systems can all be ways to make sure your systems are safe and the threat is eliminated.

Post Incident Activity (NIST) / Lessons Learned (SANS)

Have you ever heard the phrase, “Fool me once, shame on you, fool me twice, shame on me?” That well-known phrase can also be applied to cyber attacks. It’s important to use the attack as a learning experience that can give you insight into a future incident response plan. 

Now is the time to review documentation from before, during, and after the attack. Discuss and reflect on your strong points and where you could improve. Making this an open conversation with your entire organization will be beneficial to ensure transparency.

Why Are Incident Response Plans So Critical for Organizations?

We can’t emphasize enough how unpredictable and quick cyber attacks are, especially when originating from third parties. When a third party is breached, time is a valuable part of responding and minimizing damages. An incident response plan is a tool for controlling the spread of the breach and reducing the damages. 

Why are these plans so important these days? Failure to manage third-party risks can potentially lead to lost sales, lost data, regulatory action, damage to your reputation, and loss of customers. In fact, research by McKinsey shows a data breach may cause up to 10% of customers to seek a new supplier. And breaches impact your bottom line, too– IBM Security’s Cost of a Data Breach Report 2022 cites the average cost of a data breach is $4.35 million. In short, dealing with a third-party cyber attack can be expensive in terms of costs, time, legal fees, and similar. 

Unfortunately, damage from a third-party cyber attack is inevitable, so when one of them is breached you need to know about the incident quickly and understand how best to respond to it. For instance, fast-acting containment and open communication between your organization and its third parties will play a role in how well you recover. The bottom line is that businesses that have a detailed and well-thought-out incident response plan will be better off when faced with a breach. 

Being Proactive About Incident Response

Your incident response plan is a necessary reactive strategy to a cyber attack. But proactive strategies are also important to contain and mitigate damages when a third-party breach occurs. So how can you put proactivity into action when responding to an incident?

Categorize and Prioritize Your Biggest Vulnerabilities

When you have a lot of third parties– and the average organization has around 6,000– it’s just not possible nor is it practical to assess every one. The key is to identify which ones pose the greatest risk and understand the downstream impact if one of these third parties were to experience a cyber incident.  For example, CyberGRX’s Auto-Inherent Risk technology provides contextualized and automated risk insights based on your specific relationship with a vendor. These insights allow you to instantly create and prioritize a risk mitigation and assessment strategy. Auto-Inherent Risk Insights also allow for vendor benchmarking across industries, ecosystems, and similar vendors in the CyberGRX Exchange.

And CyberGRX’s Framework Mapper tool allows you to map assessment data to the industry framework of your choice or apply a threat profile. Threat profiles focus on real-life attacks and enable you to view individual third parties and their coverage of specific controls being exploited, as identified by the MITRE ATT&CK framework. When you know where the weaknesses are, you can work with your third party to proactively address your concerns.

Continuously Monitor Your Third Parties

Continuous monitoring of third parties is important to effectively manage risk and maintain compliance, security, and reputation. Additionally, being able to view the current status of your third party’s security posture as well as being alerted when it changes helps you to detect and respond to emerging security incidents quickly, reducing the risk of a data breach or cyberattack spreading. That’s why CyberGRX Risk Monitoring & Alerting capabilities give you automatic alerts to third-party risk exposures within your portfolio in near real-time. This provides visibility to vital information and context needed to assess the possible impact on your business and collaborate with the affected third party to assess and manage the risk. Learn more about CyberGRX Third-Party Threat Tools.

Failing to Plan is Planning to Fail

There is no one way to go about creating an incident response plan. It’s up to you to determine how you want to use proactivity and reactivity in your incident response plan. Most importantly, putting time and effort into planning for third-party risks and attacks is crucial.  Cybercriminals are constantly evolving, so the need to continuously plan and research should never end. 

Interested in seeing your third-party risks and vulnerabilities? When you book a no-obligation demo, we’ll ask you for a list of your third parties, we’ll upload them into our Exchange, then we’ll show you the risks that they pose to you. Knowledge is powerful; see your risk blind spots. Book a demo now.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit