Incident Response plans

As an Incident Response (IR) JumpStart customer, you can build your IR plan within the Cyber JumpStart Portal. If you experience a major cybersecurity incident, IR plans can help you quickly access incident response experts who can assist with identifying and containing cyberattacks, as well as restoring the organization to pre-incident operations.

Examples of major cybersecurity incidents include:

• Ransomware and business email compromise
• Privilege escalation
• Insider threat
• Brute force attack
• Phishing
• Malware
• Denial-of-service
• Man-in-the-middle
• Password attack

Prepare your incident response plan

1. Build an IR plan in the Cyber JumpStart Portal.
2. Review the IR plan.

Step 1: Build an IR plan in the Cyber JumpStart Portal

1. In the Arctic Wolf Unified Portal, click App Launcher > Cyber JumpStart.

2. On the JumpStart IR Planner tile, click Open.

3. On the Response Team tab:

   1. In the Executive Response Leader section, click Add info.
   2. Enter the contact information for the leader.
   3. Click Save.
   4. (Optional) Add additional contacts by clicking Add info next to a labeled section or clicking Add Additional Leader.
   5. (Optional) Enter the stakeholder contact information.
   6. (Optional) Click Save.
   7. Click Continue.

4. On the External Providers tab:

   1. Verify that your IR provider is Arctic Wolf.
   2. (Optional) Add external providers by clicking Add info next to a labeled section or clicking Add Additional IT Provider.
   3. (Optional) Enter the provider information.
   4. (Optional) Click Save.
   5. Click Continue.

5. On the Locations and Networks tab:

   1. In the Primary Business Location section, click Add info.
   2. Enter the address and server information.
   3. Click Save.
   4. (Optional) Add additional locations by clicking Add info next to a labeled section or clicking Add Additional Location.
   5. (Optional) Enter the location or network information.
   6. (Optional) Click Save.
   7. Click Continue.

6. On the Incident Escalation tab:

   1. In the Incident Detection section, click Add info.
   2. Respond to the questions.
   3. Click Save.
   4. Repeat for the subsequent sections, and then click Continue.

7. On the Critical Business Functions tab, do the following for each business function that is high priority in the event of restoration following a security event:

   1. Click Add New Critical Business Function.
   2. Enter details about the business function.
   3. Click Add New System for each supporting system for that function.
   4. Enter details about the system.
   5. Click Save for the system information.
   6. Click Save for the business function.

8. On the Critical Business Functions tab, click Finish.

Step 2: Review the IR plan

The review process differs depending on if you have an assigned Concierge Security® Team (CST).

Request an IR plan review from a CST

• Contact your CST and inform them that your IR plan is complete and ask any remaining questions. Your CST reviews your IR plan to identify gaps.

Schedule an IR plan review session

If you do not have an assigned CST, you receive an email that includes a link to schedule the session with an IR Director.

1. On the scheduling page, select a date and time.

2. Click Confirm.

3. Provide your name, email, organization, and any preliminary questions or topics you want to cover during the session.

4. Click Add Guests to add other attendees.

5. Click Schedule Event.

You receive a confirmation email and calendar invitation for the selected date and time.

At the scheduled time, click the Zoom meeting link in the calendar invitation.