NIST incident response plan: 4 steps to better incident handling
The NIST incident response plan involves four phases enterprises can take to improve security incident handling. Expert Mike O. Villegas reviews each step.
NIST published the Computer Security Incident Handling Guide 800-61 Revision 2 in August 2012. It provides guidance for incident management, in the form of a cybersecurity framework for responding to cyberincidents.
The NIST incident response guidelines provide a template for corporate and law enforcement agencies, particularly for analyzing data related to cybersecurity incidents and determining the appropriate response to each incident -- as well as providing a template for incident management. This NIST template for incident management takes a pragmatic approach to defining procedures and setting responsibilities in the wake of a cyberincident.
This cybersecurity framework for incident response is adaptive and flexible, so it can be applied to small and SMBs or large enterprise environments.
The NIST incident handling process defines four phases for cyberincident handling:
- Preparation: Using a cybersecurity framework for incident response requires that all involved be ready to use the template, and that means getting ready in advance of a cyberincident.
- Detection and analysis: The cyberincident response team must detect cyberincidents, as well as collect relevant data, analyze that data and, where required, document and prioritize the incident prior to notifying the proper authorities.
- Containment, eradication and recovery: Once an incident occurs, the cyberincident response team needs to be able to develop and implement strategies to stop the attack, remove the threat and begin to recover.
- Post-incident activity: Once an incident is resolved, the next step for the team is to go back to the beginning and prepare for the next incident; input from each new incident should help inform the preparation process, whether by adding new information about new threats or simply as a means of fine-tuning procedures that are part of the cyberincident management process.
Each of these phases is iterative in nature. When a security incident occurs, rather than reactively jumping into its remediation and expending a considerable amount of time, cost and resources for identification, containment and recovery, the NIST incident response guide suggests that preparing for such incidents is the best defense.
NIST incident response, phase one: Preparation
Not all security incidents are equal, and defenses against potential incidents should be considered based on the impact they could have on an organization, the likelihood of them occurring and the criticality of the assets affected. This is typically determined by a formal risk assessment that can identify potential IT vulnerabilities so an organization can implement proper protection and prevention countermeasures.
Once an enterprise has determined its risk appetite and has identified higher-level risk environments, it should then develop an incident response plan (IRP) and a computer security incident response team (CSIRT) to manage each of the NIST phases. The CSIRT will keep the IRP current and ensure the CSIRT members are knowledgeable in the IRP and the IRP is periodically tested and approved by management. Each of these tasks is critical to ensure the enterprise is prepared when an incident occurs that would otherwise cause great harm to its finances, operations and reputation.
NIST incident response, phase two: Detection and analysis
Detection includes alerts and notifications, but it also includes periodic or continuous monitoring and follow-up. Many organizations say the expense and effort of monitoring, detection and analysis far outweigh the risk, and since they have never had a breach, those defenses need to take a back seat to other, more critical projects. That could very well be true, but experience shows there are instances when an enterprise becomes aware of a data breach or attack only to later find out that it has been occurring for several months or longer. For example, in the cases of Target and Home Depot, it was found that hackers had been stealing critical information months before they were identified.
The importance of incident analysis cannot be overemphasized. It will help identify the source, extent, impact and details of the breach. Without proper analysis, it will be difficult to enter the next phase.
NIST incident response, phase three: Containment, eradication and recovery
Without preparation, this is typically the first phase that is acted upon. Enterprises react to an incident, contain the problem, eliminate it and attempt to restore the system to the state prior to the incident. This can be time-consuming, disruptive and costly. It will take time to identify the incident -- if it's a breach or malware attack, for example. As security engineers work toward identifying the extent of the breach, users may not be able to do business as usual. This can be costly and could result in revenue losses.
Once identified, the breach needs to be contained and eradicated. This remediation effort might require additional downtime. After remediation, all affected systems need to be restored to the state and condition they were in before the breach. Proper planning for disruptive security breaches will greatly reduce the cost, time and effort required for this phase.
NIST incident response, phase four: Post-incident activity
When the incident has been contained and remediated and operations have normalized, the post-mortem should focus on lessons learned. Ask questions such as: How did this incident occur? How can it be prevented from reoccurring? What preventive measures can be strengthened? How can monitoring and alerting processes be improved for more timely notifications? How can the containment, remediation and recovery processes be better streamlined to minimize downtime and disruptive behavior? How can management ensure that the incident and others like it have not negatively impacted the business?
Ernie Hayden talks about the NIST cybersecurity framework.
NIST defense in depth
Preventive controls are most effective if placed at the closest point of entry as possible. However, multiple security countermeasures should be deployed in different stages of access flows. In information security, this is called Defense in depth. Analysis and monitoring of these controls should be continuous. Based on proper preparation and insightful planning, when another incident occurs -- not if another occurs -- the enterprise can bounce back quickly with minimal interruption.
Lastly, it is essential to communicate the IRP, IRP test results and possible breaches to executive management in a clear, nontechnical fashion. This will give management confidence in the information security group to continue to stand fast and stand competent.