The SMB Incident Response Runbook We Actually Use

Incident response (IR) plans, often voluminous and meticulously detailed, frequently fall short precisely when they are needed most: during the chaotic and high-stress initial phases of a security incident. The reality is that under duress, lengthy documents are rarely consulted effectively. Decision-makers and technical staff alike gravitate towards clear, concise directives. Recognizing this, our approach at Delphiant Consulting Inc. for Small and Medium Businesses (SMBs) distills the critical first steps into a practical, one-page runbook designed to guide actions during the initial 90 minutes of an incident. This focused resource ensures clarity and efficiency when it matters most, preventing common missteps that can exacerbate an already challenging situation.

The First 90 Minutes: Critical Actions and Considerations

The immediate aftermath of a security incident is characterized by rapid decision-making under intense pressure. Our runbook concentrates on channeling this urgency into structured, actionable steps, addressing both technical and organizational imperatives. The six key directives outlined below are designed to establish control, preserve crucial evidence, and manage initial communications effectively.

1. Declare and Appoint an Incident Commander: The very first step is to formally declare an incident and, critically, appoint a single, undisputed Incident Commander. This individual becomes the central authority for all decisions and communications related to the incident. Diffusion of responsibility or a lack of clear leadership in the early stages can lead to conflicting actions, missed steps, and general disarray, significantly hampering response efforts. The Incident Commander's role is to maintain situational awareness, prioritize actions, and ensure the team remains focused on the established objectives.

2. Establish a Dedicated "War Room" Communication Channel: Immediately upon declaration, a dedicated, secure communication channel, often referred to as a "war room", must be opened. This channel, which could be a specific chat room, a conference bridge, or a virtual collaboration space, serves as the central hub for all incident-related information, discussions, and decisions. Crucially, every significant action, observation, and decision made within this channel must be time-stamped. This meticulous record-keeping is vital for post-incident analysis, legal proceedings, and demonstrating due diligence to regulators and insurers alike.

3. Notify Legal Counsel and Cyber Insurance Provider: Proactive notification of legal counsel and your cyber insurance provider is a non-negotiable step. Many cyber insurance policies and legal frameworks include strict timelines, often requiring notification within 24 hours of incident discovery. Delaying this notification can jeopardize policy coverage or incur legal penalties. Legal counsel can provide invaluable guidance on regulatory reporting obligations, potential liabilities, and privileged communications, while the cyber insurance provider can initiate support services and begin the claims process, often covering significant response costs.

4. Prioritize Evidence Preservation Before Remediation: A fundamental principle of incident response is to preserve evidence before undertaking any extensive remediation efforts. Actions taken in haste to "fix" the problem can inadvertently destroy valuable forensic artifacts. This involves capturing various forms of digital evidence:

   • Disk Images: Create bit-for-bit copies of affected hard drives to allow for offline analysis without altering the original.
   • Memory Captures: Extract the contents of volatile system memory, which can contain critical clues such as running processes, network connections, and decrypted data that would be lost upon system shutdown or reboot.
   • Log Exports: Securely export all relevant logs from compromised systems, network devices, and security tools. These logs provide a chronological record of events, user activity, and system states. Failing to preserve this evidence can severely hinder forensic investigations and attribution efforts.

5. Strategically Contain the Threat. Do Not Power Off: Containment is a critical phase aimed at limiting the scope and impact of the incident. The default instinct to power off affected systems, while seemingly logical, is often detrimental. Powering off a system destroys volatile memory, which, as noted, contains invaluable forensic data. Instead, the focus should be on isolation:

   • Disconnecting compromised systems from the network.
   • Blocking malicious IP addresses at the firewall.
   • Disabling compromised user accounts. The goal is to prevent further unauthorized access or data exfiltration while keeping the system in a state where memory and other volatile artifacts can still be acquired. Proper isolation buys time for thorough evidence collection before more disruptive remediation steps are taken.

6. Manage Internal and External Communications with a Unified Voice: Communication during an incident must be carefully controlled. The initial priority is to communicate internally to relevant stakeholders, informing employees of the situation without causing undue panic or speculation. For external communications, whether to customers, partners, or the public, it is paramount to designate a single spokesperson. This ensures that all official statements are consistent, accurate, and aligned with legal and public relations strategies. Multiple voices or conflicting messages can erode trust and complicate damage control, potentially turning a technical incident into a public relations crisis.

Conclusion

The initial 90 minutes of a cybersecurity incident are decisive. A well-rehearsed, concise runbook empowers organizations, particularly SMBs with limited dedicated security staff, to navigate this critical window effectively. By adhering to these six core principles, clear leadership, disciplined communication, proactive notification, diligent evidence preservation, strategic containment, and controlled messaging, organizations can significantly improve their incident response posture, mitigate potential damages, and streamline the path to recovery. Our experience demonstrates that clarity and conciseness, especially under duress, are the most powerful tools in an incident responder's arsenal.