This template was developed by the team at Counteractive Security, to help all organizations get a good start on a concise, directive, specific, flexible, and free incident response plan. Build a plan you will actually use to respond effectively, minimize cost and impact, and get back to business as soon as possible.

The latest release

The layout is as follows:

• during.md: the core of the plan, actions taken during an incident response.
• playbooks/: a folder containing playbooks with investigation, remediation, and communication suggestions for specific incidents. Create playbooks for any incidents that are highly likely or highly damaging for your organization. playbooks/index.md contains the playbook section header content, and each playbook should follow the convention playbooks/playbook-[THREAT].md.
• roles/: a folder containing descriptions of each role in the plan, along with duties and training notes. index.md contains the roles section header content, and each role should follow the convention playbooks/role-[ORDER]-[NAME].md.
• after.md: the guide to after-action review (a.k.a., hotwash, debrief, or post-mortem)---actions taken after an incident response.
• about.md: a footer containing information about the plan/template as a whole.
• info.yml: a file containing values for the template strings throughout the plan (see below)

The template files have a lot of placeholders that {{LOOK_LIKE_THIS}}. The purpose of each placeholder should be discernable from context, and the default info.yml file is commented for additional clarity.

This is the mustache template syntax, and has wide support in a variety of tools and languages. The easiest way to replace these is to customize the info.yml file with your organization's information and use the provided makefile (as of v1.0.0) to automatically find and replace all the relevant strings. In your terminal of choice (use WSL on Windows), type:

make

If you don't have the information or tools referenced in the template variables, consider fixing that. Especially the critical information list (data you want to protect) and critical asset list (systems you want to protect).

This merges the template components, combines them with your custom data from info.yml, and outputs all supported formats in the public/ directory. That's it.

If you have a specific case and want more details, read on!

1. Review all the TODO prompts for likely areas to customize, if desired. Delete them if no changes are required.
2. Add any roles or playbooks relevant to your organization. These can also be added over time.
3. Customize anything else! Whatever you feel is most effective for your organization.

The makefile uses pandoc to create a variety of formats, or you can use the markdown files with mkdocs, hugo, or countless other platforms.

An example is available in the examples directory, where we leave the html rendering from markdown to github.

For professional assistance with incident response, or with customizing, implementing, or testing your plan, please contact us at [email protected] or (888) 925-5765.

This template is provided under the Apache License, version 2.0. See the LICENSE and NOTICE files for additional information.

• Awesome Incident Response
• NIST Computer Security Incident Handling Guide (NIST)
• CERT Societe Generale Incident Response Methodologies
• Incident Handler's Handbook (SANS)
• Responding to IT Security Incidents (Microsoft)
• Defining Incident Management Processes for CSIRTs: A Work in Progress (CMU)
• Creating and Managing Computer Security Incident Handling Teams (CSIRTS) (CERT)
• Incident Management for Operations (Rob Schnepp, Ron Vidal, Chris Hawley)
• Incident Response & Computer Forensics, Third Edition (Jason Luttgens. Matthew Pepe. Kevin Mandia)
• Incident Response (Kenneth R. van Wyk, Richard Forno)
• The Checklist Manifesto (Atul Gawande)
• The Field Guide to Understanding Human Error (Sidney Dekker)
• Normal Accidents: Living with High-Risk Technologies (Charles Perrow)
• Site Reliability Engineering (Google)
• Debriefing Facilitation Guide (Etsy)
• Every Minute Counts: Leading Heroku's Incident Response (Blake Gentry)
• Three Analytical Traps in Accident Investigation (Dr. Johan Bergström)
• US National Incident Management System (NIMS) (FEMA)
• Informed's NIMS Incident Command System Field Guide (Michael J. Ward)
• PagerDuty IR Docs
• NIST 800-61r2
• NIST CSF
• CSO Online 10 Steps (June 2017) and CSO Online 9 Steps (July 2016)
• SecurityMetrics blog 6 Steps to Making an IR Plan
• Cal Berkeley IR Plan Development
• EPA IR Plan
• incidentresponse.com playbooks

• After Action, lessons learned, process improvement
• Recovery
• Ransomware playbook
• Easier build process
• Measures and Metrics
• Business priorities
• Testing procedure
• Communication and escalation tree, including executives
• Finance and budget
• Continuing to enhance modularity ("puzzle-piece" approach)

• Added makefile and temporary directories to ease the build process

• Renamed .yaml files to .yml
• Updated README