Incident Response Plan

Compliance: GDPR (Art. 33-34), HIPAA (45 CFR §164.400+), ISO 27001 (A.16), NIST-800-53 (IR-1 through IR-9)


1. Overview

1.1 Purpose

This plan defines BeDefended's process for:

  • Detecting security incidents
  • Responding rapidly to minimize impact
  • Notifying authorities and affected parties
  • Learning from incidents to prevent recurrence

1.2 Scope

Incidents Covered:

  • Unauthorized access to systems/data
  • Data exfiltration or loss
  • System compromise (malware, APT)
  • Denial of Service (DoS/DDoS)
  • Insider threat/data theft
  • Third-party vendor breach
  • Compliance violations (accidental ePHI disclosure, etc.)

Not Covered:

  • Non-security operational issues (server downtime, bugs)
  • Requests from law enforcement (handled per Section 5)

1.3 Key Metrics

  Metric                        SLA Target
  Detection Time                < 4 hours (automated alerts)
  Triage                        < 24 hours
  Notification (Low Risk)       < 72 hours
  Notification (High Risk)      < 24 hours
  Notification (HIPAA Breach)   < 60 days (HHS)
  Root Cause Analysis           < 7 days
  Remediation                   < 30 days

2. Incident Response Team (IRT)

2.1 Roles & Responsibilities

Incident Commander (IC)

Role: Overall incident coordination and decision-making

  • Declares incident severity
  • Initiates response
  • Escalates to management/legal/privacy
  • Communicates with external parties
  • Primary: Chief Technology Officer
  • Backup: VP Engineering

HIPAA/Privacy Officer

Role: Compliance and data protection

  • Determines if a HIPAA breach occurred
  • Notifies HHS, state AGs, individuals
  • Coordinates with legal
  • Manages GDPR/HIPAA-specific notifications
  • Primary: privacy@bedefended.com
  • Backup: Chief Compliance Officer

Forensics & Investigation

Role: Technical investigation and evidence preservation

  • Collects logs, network packets, memory dumps
  • Determines attacker TTPs
  • Preserves evidence for law enforcement
  • Conducts root cause analysis
  • Primary: Senior Security Engineer
  • Backup: Infrastructure Team Lead

Communications

Role: Internal and external communications

  • Notifies internal teams (eng, ops, client success)
  • Drafts statements for clients/media
  • Manages customer communications
  • Coordinates with PR/legal
  • Primary: Chief Communications Officer
  • Backup: General Counsel

Operations

Role: System remediation and recovery

  • Isolates compromised systems
  • Applies patches/fixes
  • Restores from backup if necessary
  • Rebuilds systems if needed
  • Primary: VP Operations
  • Backup: DevOps Lead

2.2 Incident Response Hotline

  • Email: incident@bedefended.com (monitored 24/7)
  • Phone: [+39 INCIDENT HOTLINE] (manned during business hours, voicemail after-hours)
  • Slack: #incident-response (internal)

3. Incident Classification

3.1 Severity Levels

CRITICAL (P1) — Immediate Response Required

  • ✗ Active data exfiltration confirmed
  • ✗ Multiple systems compromised
  • ✗ Production systems down (RTO < 4 hours)
  • ✗ ePHI breach confirmed (affects 500+ individuals)
  • ✗ External attacker actively in systems

Response: Declare incident immediately; IRT assembles within 1 hour

HIGH (P2) — Urgent Response

  • ⚠ One system compromised (not critical)
  • ⚠ Data loss/corruption confirmed but limited scope
  • ⚠ Malware detected but contained
  • ⚠ ePHI breach affects < 500 individuals
  • ⚠ Service degradation (RTO < 24 hours)

Response: IRT assembles within 4 hours

MEDIUM (P3) — Standard Response

  • △ Unauthorized access detected but no data loss
  • △ Vulnerability discovered in non-critical system
  • △ Failed intrusion attempt (blocked by WAF)
  • △ Policy violation by staff (accidental)

Response: IRT meets within 24 hours; investigation timeline 7 days

LOW (P4) — Information/Logging

  • ○ Non-security operational issue
  • ○ Suspected false-positive alert
  • ○ No evidence of actual compromise

Response: Log and monitor; no formal IRT meeting required

3.2 Classification Criteria Matrix

  Criteria               CRITICAL           HIGH            MEDIUM          LOW
  Scope                  Multiple systems   Single system   Non-critical    Non-security
  Data Affected          >500 records       1-500 records   <100 records    None
  Confidentiality Risk   High/Certain       Medium          Low             None
  Attack Status          Active             Contained       Isolated        N/A
  Business Impact        Major              Moderate        Minor           None

4. Incident Response Workflow

Phase 1: DETECTION (0-4 hours)

4.1 Detection Methods

  • ✓ Automated alerting (IDS/IPS, WAF, SIEM)
  • ✓ Audit log anomaly detection
  • ✓ Failed login patterns (5+ from same IP → alert)
  • ✓ Unusual API usage (>1000 req/min from single user)
  • ✓ Data export alerts (>100 records downloaded in <1 minute)
  • ✓ Manual report (staff, security researcher, customer)
  • ✓ Third-party notification (vendor breach disclosure, threat intel)
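The three numeric rules above (5+ failed logins from one IP, >1000 requests/min from one user, >100 records exported in under a minute) as detection logic over constructed audit log lines. This is an added example, not tooling from the BeDefended plan; the log line format, the 10-minute window for the failed-login rule (the plan gives none) and all names and addresses are assumptions.

```python
"""Added example, not part of the BeDefended plan: the numeric detection rules
from 4.1 applied to constructed audit log lines of the form
"<ISO time> <event> <actor> <source IP> <detail>". The 10-minute window for
failed logins is an assumption; the plan states no window for that rule."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: 5 failed logins from one IP, bulk exports, an API flood.
FAILED_LOGINS = [f"2026-03-17T09:00:{s:02d} login_failed {u} 203.0.113.7 -"
                 for s, u in zip(range(0, 25, 5), "alice bob bob carol carol".split())]
EXPORTS = ["2026-03-17T09:05:00 export dave 198.51.100.2 records=150",   # one big export
           "2026-03-17T09:06:00 export erin 198.51.100.9 records=60",    # two exports that
           "2026-03-17T09:06:30 export erin 198.51.100.9 records=60",    # sum to >100 in 30s
           "2026-03-17T09:20:00 export grace 198.51.100.4 records=90"]   # below threshold
_BASE = datetime(2026, 3, 17, 10, 0, 0)
API_FLOOD = [f"{(_BASE + timedelta(milliseconds=50 * i)).isoformat()} "
             f"api_request frank 192.0.2.5 /v1/items" for i in range(1001)]  # 1001 in 50s
SAMPLE_LOG = FAILED_LOGINS + EXPORTS + API_FLOOD

def parse(line):
    ts, event, actor, ip, detail = line.split()
    return datetime.fromisoformat(ts), {"event": event, "actor": actor, "ip": ip, "detail": detail}

def sliding_window_alerts(events, key_fn, value_fn, window, at_least):
    """Per key, keep the events inside a trailing time window and alert once the
    summed value reaches at_least. events must be sorted by timestamp."""
    buckets, alerts = defaultdict(list), set()
    for ts, ev in events:
        key = key_fn(ev)
        if key is None:
            continue
        buf = buckets[key]
        buf.append((ts, value_fn(ev)))
        while ts - buf[0][0] > window:        # evict entries older than the window
            buf.pop(0)
        if sum(v for _, v in buf) >= at_least:
            alerts.add(key)
    return alerts

def run_detections(lines):
    """Return, per 4.1 rule, the set of IPs or users it fires on."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    of = lambda name, field: (lambda e: e[field] if e["event"] == name else None)
    return {
        "failed_login_ip": sliding_window_alerts(events, of("login_failed", "ip"),
                                                 lambda e: 1, timedelta(minutes=10), 5),
        "api_rate_user": sliding_window_alerts(events, of("api_request", "actor"),
                                               lambda e: 1, timedelta(minutes=1), 1001),
        "bulk_export_user": sliding_window_alerts(events, of("export", "actor"),
            lambda e: int(e["detail"].split("=")[1]), timedelta(minutes=1), 101),
    }
```

Note that the export rule sums records per user over the window, so two exports of 60 records 30 seconds apart fire even though neither alone exceeds 100.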

4.2 Initial Response

Upon incident discovery:

  1. Document discovery: who, when, how detected, initial details
  2. Preserve evidence: do NOT immediately shut down systems
     • Enable logging (if not already)
     • Snapshot running processes
     • Collect network traffic (tcpdump if available)
  3. Notify Incident Commander: call/page immediately if P1
  4. Classify severity: use Section 3 matrix
  5. Assemble IRT: based on severity

4.3 Detection Confirmation

  • Validate alert is not false-positive (e.g., legitimate traffic pattern)
  • Confirm systems are actually compromised/affected
  • Document confirmation method (log review, manual testing, etc.)

Phase 2: TRIAGE & INVESTIGATION (4-24 hours)

4.4 Scope Assessment

Forensics team determines:

  • What happened? (attack type: breach, malware, unauthorized access)
  • When did it occur? (initial compromise → detection)
  • How many systems are affected? (1, 10, 100+)
  • What data was accessed/exfiltrated? (categories, record count, sensitivity)
  • Who/what was responsible? (attacker, malware, insider, misconfiguration)

4.5 Evidence Collection

Preserve for investigation & law enforcement:

  • Collect logs: web server, app server, database, OS, firewall, IDS
  • Snapshot memory: for malware analysis
  • Network packets: tcpdump/Wireshark captures
  • File hashes: create SHA-256 hashes of suspicious files
  • Timeline: build chronological sequence of events

Chain of Custody:

  • Document every person who touched evidence
  • Use write-blocking devices for disk imaging
  • Store evidence encrypted and segregated
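An added example (not part of the BeDefended plan) of the file-hash and chain-of-custody steps above: a SHA-256 manifest of collected evidence files with a custody log in which every handover re-verifies the hashes, so a file altered between handlers is caught. The evidence file names, contents and handler names are constructed.

```python
"""Added example, not part of the BeDefended plan: SHA-256 evidence manifest with
a chain-of-custody log (4.5). Each custody entry re-hashes every file, so
tampering between handlers is detected. All file names/contents are constructed."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so memory dumps and pcaps of any size hash safely."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_custody(manifest, paths, handler, action):
    """Append a custody entry; re-verify every hash and return the mismatching names."""
    mismatches = [os.path.basename(p) for p in paths
                  if sha256_file(p) != manifest["files"][os.path.basename(p)]]
    manifest["custody"].append({
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler, "action": action,
        "integrity": "ok" if not mismatches else "MISMATCH:" + ",".join(mismatches)})
    return mismatches

def build_manifest(paths, collector):
    """Initial manifest: one SHA-256 per file plus the first custody entry."""
    manifest = {"files": {os.path.basename(p): sha256_file(p) for p in paths},
                "custody": []}
    record_custody(manifest, paths, collector, "collected")
    return manifest

def demo():
    """Constructed evidence set (a web log and a suspicious binary), two clean
    handovers, then a simulated modification that the third handover must catch."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, "web.log"), os.path.join(d, "dropper.bin")]
    with open(paths[0], "w") as f:
        f.write("203.0.113.7 - GET /admin 403\n")
    with open(paths[1], "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 16)
    m = build_manifest(paths, "Senior Security Engineer")
    clean = record_custody(m, paths, "Infrastructure Team Lead", "moved to evidence vault")
    with open(paths[0], "a") as f:
        f.write("edited after collection\n")        # simulate tampering
    dirty = record_custody(m, paths, "General Counsel", "copied for law enforcement")
    return m, clean, dirty

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```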

4.6 Risk Assessment

Determine:

  • Confidentiality Risk: was PII accessed? Were credentials stolen?
  • Integrity Risk: was data modified? Are backups clean?
  • Availability Risk: can systems be recovered? What is the RTO?
  • Breach Determination: does this meet the GDPR/HIPAA breach definition?

Phase 3: NOTIFICATION (24-72 hours)

4.7 GDPR Breach Notification (GDPR Art. 33-34)

Timeline:

  • 4 hours: Assessment complete
  • 24 hours: Notify supervisory authority (if required)
  • 72 hours: Notify affected individuals (if high-risk)

Conditions for notification:

  • ✓ NOTIFY DPA if: unauthorized access/disclosure of personal data + high risk to rights/freedoms
  • ✓ DO NOT NOTIFY if: data encrypted/pseudonymized AND attacker has no keys

Content for DPA notification:

  1. Breach description: date occurred, date discovered, cause
  2. Scope: categories of data (name, email, credit card, etc.), number of individuals, number of records
  3. Likely consequences: what can the attacker do with the data?
  4. Measures taken: containment, investigation, remediation
  5. Contact point: Forensics team / Privacy Officer for questions

Content for individual notification:

  1. Plain-language explanation (non-technical)
  2. Breach description (what happened, when, what data)
  3. Protective measures (recommended actions by the individual: password change, credit monitoring)
  4. Contact for questions (privacy@bedefended.com)

4.8 HIPAA Breach Notification (45 CFR §164.400)

Timeline:

  • < 60 days: Notify affected individuals
  • < 60 days: Notify media (if > 500 individuals in same jurisdiction)
  • < 60 days: Notify HHS (HIPAA Breach Notification Portal)

Definition of HIPAA Breach:

  • ✓ BREACH if: unauthorized acquisition, access, use, or disclosure of ePHI
  • ✓ NO BREACH if: data encrypted (NIST SP 800-111 standards) or destroyed
  • ✓ NO BREACH if: reasonable assurance ePHI was not acquired/viewed

Notification content:

  1. Breach description: date discovered, nature of ePHI, causes
  2. Risk assessment: whether data was actually acquired/viewed
  3. Measures taken: steps to prevent future breaches
  4. ePHI recovered: if attackers caught, data recovered, etc.

4.9 Customer Notification

All affected customers are notified with:

  • Executive summary (what happened, in plain language)
  • Timeline (when the incident occurred, when it was discovered)
  • Scope (did this affect YOUR data? yes/no)
  • Evidence (findings report, technical details if requested)
  • Remediation (what we are doing to fix it)
  • Contact (dedicated incident manager assigned)

Phase 4: CONTAINMENT & REMEDIATION (1-30 days)

4.10 Containment Actions

Stop the bleeding:

  1. Isolate compromised systems from the network if still active
  2. Revoke compromised credentials (passwords, API keys, certificates)
  3. Block attacker IPs at firewall/WAF
  4. Disable breached accounts temporarily (re-enable after remediation)
  5. Patch the vulnerabilities exploited (if known)

4.11 Remediation Steps

  1. Eradicate malware (antivirus scans, manual cleanup, rebuild if necessary)
  2. Remove backdoors (check for persistence mechanisms)
  3. Patch systems (OS, applications, dependencies)
  4. Harden configuration (close unnecessary ports, tighten access control)
  5. Rotate credentials (all passwords, API keys, certificates)
  6. Restore from backup (if necessary; verify backup is clean)

4.12 Recovery & Testing

  • Rebuild compromised systems from clean baseline
  • Deploy patches/fixes
  • Restore data from verified-clean backups
  • Conduct security testing to confirm compromise removed
  • Monitor closely for re-compromise (24/7 for 30 days post-incident)

Phase 5: POST-INCIDENT ANALYSIS (7-30 days)

4.13 Root Cause Analysis (RCA)

Document:

  • Root Cause: what allowed this attack to succeed? (unpatched system, weak password, misconfiguration, social engineering, zero-day, insider)
  • Contributing Factors: what else made it easier? (no monitoring, no MFA, no segmentation)
  • Timeline: reconstruct the exact sequence of events
  • Evidence: supporting logs, artifacts, screenshots

4.14 Lessons Learned

  • What worked well in our response?
  • What could be improved?
  • What do we need to change?
  • Required: Capture in meeting notes + action items

4.15 Action Items

By severity:

  • CRITICAL: must complete within 30 days (security fix)
  • HIGH: must complete within 90 days (process improvement)
  • MEDIUM: nice-to-have, queue for next sprint

Examples:

  • Implement MFA for critical systems
  • Add monitoring for a specific attack pattern
  • Improve patch management process
  • Additional staff training

4.16 Incident Report

Completed within 30 days, includes:

  • Executive summary (1 page)
  • Timeline (detailed)
  • Root cause analysis
  • Scope & impact
  • Remediation actions taken
  • Lessons learned
  • Action items + responsible parties
  • (Sensitive details redacted in the customer-facing version)


5. Specific Incident Types

5.1 Data Breach (Unauthorized Access/Disclosure)

Indicators:

  • Attacker uploaded a data exfiltration tool
  • API keys exposed in logs/config
  • Database dump found on attacker's server
  • Large data export in audit logs

Investigation Focus:

  • What data was accessed? (PII, ePHI, IP addresses, credentials)
  • Was it actually exfiltrated? (check attacker infrastructure)
  • How long was access active? (days? weeks?)
  • Can we recover exfiltrated data? (ask attacker/law enforcement)

Notification:

  • GDPR Art. 33 to DPA (within 72 hours if high-risk)
  • HIPAA notification (if ePHI, within 60 days)
  • Individual notification immediately

5.2 Malware Infection

Indicators:

  • Antivirus alert
  • Suspicious process in memory
  • Unexpected network connections (C2 beaconing)
  • Persistence mechanism detected (cron job, registry entry)

Investigation Focus:

  • Malware family identification (hash it, submit to VirusTotal)
  • Entry point (compromised dependency, phishing, vulnerability)
  • What did it do? (theft, encryption, lateral movement)
  • How long was it active?

Containment:

  1. Isolate the infected system immediately
  2. Identify all systems with the same malware
  3. Block the C2 domain at the firewall
  4. Eradicate from all systems (antivirus + manual cleanup)

5.3 Insider Threat / Unauthorized Access

Indicators:

  • Staff member accessing data outside their role
  • Mass data export by an unusual user
  • Off-hours login from an unexpected location
  • Multiple failed attempts then a successful login (credential stuffing)

Investigation Focus:

  • Was it intentional or accidental? (check the user's job responsibilities)
  • What data was accessed? (was it authorized?)
  • Did the user disclose/exfiltrate data?
  • Is the user aware they violated policy?

Response:

  • Immediate suspension of access (if intentional)
  • Retraining if accidental
  • Escalation to legal/HR for disciplinary action
  • Consider law enforcement notification if data theft is suspected

5.4 Ransomware

Indicators:

  • Files encrypted with an unknown extension
  • Ransom note on screen
  • Unexpected file modifications (bulk rename)

Response (DO NOT PAY):

  1. Immediately isolate the infected system
  2. Check backups (are they encrypted too?)
  3. Preserve evidence (logs, ransom note)
  4. Attempt decryption with known tools (https://ransomwhere.nomoreransom.org/)
  5. Restore from clean backups
  6. Report to law enforcement


6. Communication & Escalation

6.1 Internal Communications

During an incident, escalate to:

  • Board: if customer data breach or major incident
  • Legal: if potential criminal activity or law enforcement involvement
  • HR: if insider threat suspected
  • Customer Success: to coordinate customer notifications
  • PR: if media attention expected

6.2 External Communications

Law Enforcement

  • When: If attacker identity known or crime suspected
  • Contact: Local police + FBI Cyber Division (if international/serious)
  • Information: Evidence, logs, timeline, attacker IOCs
  • Cooperation: Full cooperation with investigation

Security Researchers / Threat Intel

  • When: If vulnerability or attack pattern should be shared
  • Contact: Security mailing lists, CERT/CC, trusted partners
  • Information: Sanitized technical details (no customer PII)

Regulatory Authorities

  • GDPR Breach: Italian DPA + any member state where individuals reside
  • HIPAA Breach: HHS Office for Civil Rights + state AGs
  • Other: Relevant regulator per jurisdiction

7. Law Enforcement & Regulatory Cooperation

7.1 Law Enforcement

  • ✓ Preserve evidence for potential prosecution
  • ✓ Provide information when subpoenaed
  • ✓ Cooperate with FBI/Europol/Carabinieri investigations
  • ✗ DO NOT contact attacker directly (interferes with investigation)
  • ✗ DO NOT attempt to recover data yourself (evidence tampering)

7.2 Regulatory Cooperation

  • ✓ Respond to GDPR/HIPAA investigation requests
  • ✓ Provide audit logs, security assessments
  • ✗ DO NOT claim privilege (unless attorney involved)

8. Tabletop Exercise & Testing

8.1 Annual Tabletop Exercise

Quarterly incident simulations to test:

  • Can the team be contacted/assembled quickly?
  • Are communication procedures clear?
  • Does forensics collect evidence correctly?
  • Is notification language appropriate?
  • Are timelines realistic?

8.2 Penetration Testing

  • Annual external pen-test of BeDefended platform
  • Attempts to find vulnerabilities before attackers
  • Tests incident response during simulated breach

9. Documentation & Retention

9.1 Records to Retain

  • Incident reports (final)
  • Timeline reconstruction
  • Root cause analysis
  • Forensic reports
  • Evidence artifacts (hashes, logs)
  • Notification records (to DPA, individuals, customers)
  • Communication logs

Retention: Minimum 3 years (may be longer per GDPR/HIPAA audits)


Appendix A: Emergency Contacts

  Role                  Name                      Email                                      Phone     After-Hours
  Incident Commander    [CTO NAME]                [EMAIL]                                    [PHONE]   Voicemail → escalates
  Privacy Officer       [PRIVACY OFFICER NAME]    privacy@bedefended.com (24/7 monitoring)   [PHONE]   [ALTERNATE]
  Forensics Lead        [SEC ENGINEER]            [EMAIL]                                    [PHONE]   [BACKUP]
  CEO (Escalation)      [CEO NAME]                [EMAIL]                                    [PHONE]   [PERSONAL]

Document Version: 1.0 | Last Updated: 2026-03-17 | Next Review: 2027-03-17