Incident Handling with NIST

Carrying out Incident Response in line with the NIST framework

In today's world, cyber attacks have become a major threat to individuals and organisations alike. As their number and severity continue to increase, it is essential to have a framework in place for responding to incidents effectively. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is one such framework that can guide incident response efforts.

In this blog post, I will discuss the four phases of the incident response life cycle defined in NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide:

  1. Preparation Phase - Before an incident occurs, an organisation should have an incident response plan in place. This plan should define the types of incidents that may occur, establish procedures for reporting and responding to incidents, and outline the roles and responsibilities of each team member. NIST Special Publication 800-61, Computer Security Incident Handling Guide, is explicit that this plan should be a written document.

    A written plan ensures that all stakeholders know the processes, procedures, and protocols to follow in the event of a security incident. It gives the response team a clear set of instructions to guide the response and minimises confusion and errors during a high-stress situation.

    A written incident response plan (IRP) should also be reviewed and updated regularly so that it remains effective and relevant to the organisation's current security posture and the evolving threat landscape.

  2. Detection and Analysis - The first step in responding to a cyber breach is to identify the incident. This can be done by using network monitoring tools, reviewing logs, and conducting an initial assessment of the situation. The aim is to analyse the collected data and identify patterns, anomalies, and other indicators of compromise. You also want to identify the boundaries of the systems, applications, data, and networks affected by the breach. This step helps determine the extent of the impact and the resources needed for the investigation.

  3. Containment, Eradication, and Recovery - Once the incident has been identified, the next step is to contain it to prevent further damage. This can be done by isolating affected systems, disabling network connections, and blocking unauthorised access. While it may be tempting to block all traffic on a firewall after experiencing a breach, NIST recommends a more measured approach: limit the scope of the breach by identifying the affected systems and disconnecting them from the network, if possible.

    NIST does not recommend blocking all traffic on the firewall as a first response. Instead, NIST advises that incident handlers should "analyse the risk to the organisation before taking action to block or filter traffic." Blocking all traffic on the firewall could disrupt legitimate business operations and prevent the organisation from detecting and mitigating further attacks. Incident handlers should therefore assess the situation carefully and consider the potential impact of blocking or filtering traffic before taking such actions.

    After containing the incident, the next step is to eradicate the root cause of the breach. This may involve cleaning infected systems, removing malicious code, and patching vulnerabilities.

    Once the root cause of the breach has been eliminated, the organisation can begin the recovery process. This involves restoring affected systems and data from backups and testing to ensure that everything is working correctly.

  4. Post-Incident Activity - After the incident has been fully resolved, it is important to conduct a thorough post-incident review. This involves documenting the incident, analysing the response to identify areas for improvement, and communicating with stakeholders about the incident and its impact.