Navigating cybersecurity incident response: a comprehensive guide for MSPs

Matt Lee, Senior Director of Security and Compliance at Pax8
Pax8 Incident Response Blog

In a world of constant and fast-paced technological advancement, combating evolving cybersecurity threats remains a top priority for businesses of all sizes. For small to medium-sized businesses (SMBs), the responsibility of safeguarding critical systems and their sensitive internal and customer data often falls to managed service providers (MSPs). As an MSP, you must be prepared to handle any cybersecurity incident that comes your way, both for your own organizations and your clients. This in-depth guide outlines the essential steps that MSPs should take to prepare for a cybersecurity incident and how to successfully navigate through cybersecurity incident response.

What is incident response?

First, we should define what an “incident” is: a threat actor has made it past at least an organization’s first level of defense and may have gained access to some data or systems.

Thus, incident response refers to the approach and set of procedures that an organization follows when facing a cybersecurity incident or breach. It involves a series of coordinated actions and strategies aimed at minimizing the damage caused by the incident, restoring normal operations, and preventing future incidents of a similar nature.

There may be smaller events that don’t rise to the level of “incident,” when data hasn’t been compromised. Those may be handled more quickly without a full incident response plan being enacted, although they should still be documented for reference in case a similar threat does become an incident.

What are the four stages of incident response?

Here are the four stages of incident response, according to the National Institute of Standards and Technology (NIST):

  1. Identification: This entails detecting and confirming the occurrence of a security incident.
  2. Containment: Next, you must isolate the affected systems and prevent the incident from spreading further.
  3. Eradication: Once the threat is contained, you’ll need to remove the root cause of the incident.
  4. Recovery: Lastly, you need to restore affected systems, data, and services to their normal operational state.

Before we delve further into these steps, we’ll discuss what you should do to prepare for a cybersecurity incident—because it’s not a question of if, but when a compromise will happen.

How to prepare for a cybersecurity incident

When it comes to cybersecurity, it’s not enough to have a set of security solutions in place. A robust incident response plan forms the bedrock of effective incident management.

Create an incident response plan

Using the four stages above, MSPs should collaboratively create a comprehensive incident response plan with their clients that is tailored to each client’s unique business environment and operations. The plan should be a living document, continually updated to address emerging threats, technological advancements, and evolving regulatory requirements. Having a physical copy of the plan available will ensure it can be accessed no matter what machines or systems might be down.

A successful incident response plan should have the following:

  1. Goals
  2. Members of incident response team, plus roles and responsibilities
  3. Documentation of preparation and process
  4. Criteria for declaring a critical incident
  5. Processes for identification, containment, eradication, and recovery
  6. Post-incident evaluation and review

Help your clients develop a communications plan

In addition, you should encourage your clients to develop a communications plan ahead of time, in case of a major incident. You can work with your clients to iron out the technical language of this plan to minimize reputational damage. This plan should include guidelines and training for customer support, including tone, language, and FAQs.

Identify critical assets

Part of the incident response plan should be identifying the client’s most valuable assets and critical data. This step enables MSPs to allocate resources judiciously during an incident, ensuring that essential functions remain operational and that your client’s most valued end customer data is covered.

Ideally, this asset inventory is completed well before incident response planning begins. Doing it beforehand is a sound operational practice that allows for proper protection and response capabilities in time of need.

Include contact information and establish clear communication channels

You’ll also need to set up effective communication channels to execute an incident response plan successfully. MSPs must establish dedicated and reliable communication channels with clients, stakeholders, and third parties, including vendors, lawyers, insurance, and press. Clearly defining contact information and roles and responsibilities for each party involved will ensure information flows seamlessly during an incident.

Your backup communication channels likely will need to exist outside of your normal systems. For example, it’s wise to have a method for encrypted communications that are not part of the same systems the threat actor may target, as we’ve learned from past incidents that threat actors may otherwise be reading every word of your communications during an incident.

Maintain ongoing training

A well-prepared team is an MSP’s strongest asset when facing cyberthreats. Regular training and education for the entire team are essential to stay ahead of evolving threat landscapes.

One of the best things MSPs can do is actually “tabletop” a security incident. This is akin to playing a game of “Dungeons & Dragons,” with engineers and other stakeholders taking the roles of the players, minus the dice.

To conduct a successful tabletop exercise, first you’ll have to identify and involve the key players. Then you can develop the scenario, which can involve anything as simple as a phishing scam all the way up to sophisticated cyber criminals targeting vital company data. A facilitator will walk participants through the steps in the process, with each player detailing what actions they would take. The steps would include assessing the situation, identifying security and organizational implications, developing a course of action, reviewing resources, developing recommendations, and then detailing what actions should be taken.

The point of the exercise is to identify holes in knowledge or process that should be rectified before a real incident occurs. Though it can be a relatively fun experience, it can also be quite stressful, and it is worth running several times before a real incident occurs.

Ensure basic cybersecurity health is maintained

Finally, adequate preparation for an incident comes down to your basic security health. Have you and your clients implemented the CIS Critical Security Controls? If you’ve implemented this framework for best cybersecurity practices, both avoiding an incident and adequately responding to an incident will be much easier.

It’s always helpful to educate your clients to get involved and be part of their own security journey. Maintaining cybersecurity is a two-way street, and your clients will need to do their part as well.

To fortify your clients’ digital defenses, you’ll also need to offer and encourage them to use cybersecurity solutions covering categories such as DNS filtering, malware protection, antivirus software, firewalls, and email security. And continuity solutions should also not be ignored, offering functions such as backup and disaster recovery and archiving. Having both cybersecurity and continuity solutions together ensures your clients are protected but can bounce back when an incident does occur.

Executing incident response

Once you’re adequately prepared, it’s time to take a look at what exactly to do when the real thing happens.

Identification

The first step of incident response is detecting and identifying the threat, which could be a data breach, unauthorized access, malware infection, or any other type of cyberthreat. Identification should answer the five W’s of a security incident:

  • Who discovered the incident and how?
  • What is the scope of the incident?
  • When did the event happen?
  • Where did the incident occur, and have any other areas of operation been impacted?
  • Why did the incident occur?

When it comes to detection, this is where all that prep work comes in handy. If you have properly identified key assets in your plan, your strengths and weaknesses via training exercises, and who needs to be involved in incident response, this will make early detection much easier because you’ll know who, what, and where to check for issues.

The earlier identification can be accomplished, the better, to minimize potential damage. If the threat is already at the stage of ransomware, you’ll know that there’s an issue with your threat detection efforts.

If you’ve identified a ransomware attack, do not simply restore from backup or even suggest paying the ransom. You’ll need a team to help in those scenarios, either from an insurance company or a private incident response organization. Rules exist, such as sanctions by the OFAC (Office of Foreign Assets Control), that can get you or your clients into criminal trouble for paying a sanctioned entity.

Containment

In the event of an incident, MSPs must act swiftly to isolate affected systems. This helps prevent the spread of criminal access while minimizing further damage. Any malware that is discovered should be quarantined.

You shouldn’t shut the computer down, delete all the impacted information, or destroy affected machines: doing so may destroy key evidence of how, when, and why the incident occurred. At the same time, isolating a single compromised asset is often not enough, because the threat actor may still have access to other data and systems.

You should, however, disconnect any affected devices from the internet. You can also update and patch your systems, review remote access and ensure multifactor authentication is being used, change user and administrative access credentials, and strengthen passwords.

Eradication

Once the threat is contained, it’s time to eliminate it. Documenting everything from the first two steps of the process will give you the forensics you need to eradicate the threat.

You must be detailed about removing any malware or artifacts from the attack so that no trace remains on your clients’ systems. Without being thorough about this process, you may leave your clients’ systems open to future attacks.

Recovery

If your client has a backup and disaster recovery solution in place, you’ll be able to remove the threat without losing any data. You’ll need a trusted backup from which to restore affected data and systems, and you’ll still need to monitor for a time afterward to ensure further attacks do not occur.

Oftentimes, you won’t know when the threat actor first compromised the system. Dwell time, the amount of time a threat actor has access to a compromised system before the MSP detects the threat, is between 16 and 60 days. This means you’ll need to use these backup and disaster recovery solutions to keep older backups, because restoring a backup that is too recent could simply give the threat actor renewed entry into the system. As a best practice, maintain backups that go back more than 60 days, and regularly test them as well.
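As an added example (not from the post or Pax8), here is a small Python helper that applies the dwell-time reasoning above: given the dates of the retained backups and the detection date, it picks the newest restore point that predates an assumed 60-day compromise window, and returns nothing when the retention policy is too short to offer one. The snapshot dates are constructed sample data.

```python
from datetime import date, timedelta

# Upper end of the dwell-time range cited above (16 to 60 days). Constant chosen
# for this example; adjust it to the figure your IR team works with.
MAX_DWELL_DAYS = 60


def choose_restore_point(snapshot_dates, detection_date, dwell_days=MAX_DWELL_DAYS):
    """Pick the newest backup that predates the assumed compromise window.

    snapshot_dates: ISO date strings, one per retained backup.
    detection_date: ISO date string for the day the incident was detected.
    Returns the chosen snapshot as an ISO string, or None when every retained
    backup falls inside the window and may already carry the attacker's foothold.
    """
    detected = date.fromisoformat(detection_date)
    earliest_compromise = detected - timedelta(days=dwell_days)
    clean = [date.fromisoformat(s) for s in snapshot_dates
             if date.fromisoformat(s) < earliest_compromise]
    return max(clean).isoformat() if clean else None


def minimum_retention_days(cadence_days, dwell_days=MAX_DWELL_DAYS):
    """Shortest retention (days) that guarantees at least one snapshot older than
    the dwell window when backups are taken every cadence_days days."""
    return dwell_days + cadence_days


def weekly_snapshots(detection_date, retention_days):
    """Constructed sample data: weekly backups, newest on detection day, kept
    only as far back as the retention policy allows."""
    detected = date.fromisoformat(detection_date)
    return [(detected - timedelta(days=7 * k)).isoformat()
            for k in range(retention_days // 7 + 1)]


def demo():
    detection = "2024-03-31"
    short = weekly_snapshots(detection, 30)   # 30-day retention: no clean point
    long = weekly_snapshots(detection, 90)    # 90-day retention: 2024-01-28
    return {
        "30_day_retention": choose_restore_point(short, detection),
        "90_day_retention": choose_restore_point(long, detection),
        "min_retention_weekly": minimum_retention_days(7),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```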

After the incident

Though you may have successfully thwarted an attempted breach or helped your client through a difficult attack, your work isn’t over.

Learn from the incident

You’ll need to conduct an investigation both during and after an incident occurs. Proper documentation is necessary at every step of the incident. Gather your incident response team members and discuss anything you’ve learned from the incident, whether it’s identifying previously unknown weaknesses or discovering the need to fortify existing defenses. Determine what worked well in your response plan and where there were issues.

Regularly test and enhance your plan

Incidents should feed right back into your training mechanisms. Use real-life occurrences to inform routine testing and make continuous improvements to your plan. Even if you’ve gone through the real thing, you should still conduct regular mock incidents to evaluate your evolving incident response plan.

Seek help from a trusted partner

At Pax8, we recognize the intricate challenges MSPs face in combating cybersecurity incidents. To start prepping, explore the Pax8 Marketplace, where you can access a curated selection of cutting-edge cybersecurity solutions designed to enhance your clients’ security posture. And you can browse all our cybersecurity training courses on Pax8 Academy to equip your team with the knowledge and skills they need to face any cybersecurity threat.

It’s a lot to pull together, but we’re here to help. Speak with one of our experts to get started, and you’ll be on your way to skillfully navigating cybersecurity incidents in no time.
