ThreatFortress is a fully managed endpoint solution with a proactive SOC CyOps team.
Incident response is a structured process used by organizations to detect and respond to cybersecurity incidents. The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce that sets standards and recommendations for many technology areas.
In this article, we’ll delve into the NIST recommendations for organizing a computer security incident response team and see the three models for incident response teams offered by NIST. We’ll also look at the NIST incident response cycle and see how an incident response is a cyclical activity, where there are ongoing learning and advancements to discover how to best protect the organization.
Read on to see the four phases of the NIST incident response lifecycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Incident response is a structured process organizations use to identify and deal with cybersecurity incidents. Response includes several stages, including preparation for incidents, detection and analysis of a security incident, containment, eradication, and full recovery, and post-incident analysis and learning.
The National Institute of Standards and Technology is an agency of the U.S. Department of Commerce that provides standards and recommendations for many technology sectors.
Within NIST, the Information Technology Laboratory (ITL) is responsible for developing standards and measurement methods for IT, including information security. ITL developed an influential model for incident response, the Computer Security Incident Handling Guide (Special Publication 800-61). In this article we’ll cover the basics of the NIST incident response recommendations and how you can leverage them for your organization.
The NIST Computer Security Incident Handling Guide provides in-depth guidelines on how to build an incident response capability within an organization. It covers several models for incident response teams, how to select the best model, and best practices for operating the team.
NIST offers three models for incident response teams:
Within each of these models, staff can be employees, partially outsourced, or fully outsourced. Employees can also be full- or part-time.
NIST provides several considerations for selecting an incident response model:
The NIST Incident Response Guide provides several guidelines for organizing and operating an incident response unit.
Even if your organization is small, take incident response seriously and establish a formal incident response body. Even if it is a virtual incident response team with part-time staff, defining this team and giving it authority and responsibility will dramatically improve your capability to respond when a cyberattack strikes.
The incident response policy is a precursor to the incident response plan, which lays out the organizational framework for incident response. It specifies what is considered a security incident, who is responsible for incident response, roles and responsibilities, and documentation and reporting requirements.
According to NIST methodology, an incident response plan is not merely a list of steps to perform when an incident happens. It is a roadmap for the organization’s incident response program, including short- and long-term goals, metrics for measuring success, training and job requirements for incident response roles.
Incident response procedures are the detailed steps incident response teams will use to respond to an incident. They should be based on the incident response policy and plan and should address all four phases of the incident response lifecycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
NIST defines a four-step process for incident response, illustrated in the diagram below. The NIST process emphasizes that incident response is not a linear activity, starting when an incident is detected and ending with eradication and recovery. Rather, incident response is a cyclical activity, where there is continuing learning and improvement to discover how to better defend the organization.
After every incident there is a substantial effort to document and investigate what happened during the incident, to feed back to earlier stages and to enable better preparation, detection and analysis for future incidents.
There is also a feedback loop from the containment and eradication step to detection and analysis—many parts of an attack are not fully understood at the detection stage and are only revealed when incident responders “enter the scene”. These lessons can help the team detect and analyze attacks more fully the next time around.
To prepare for incidents, compile a list of IT assets such as networks, servers and endpoints, identifying their importance and which ones are critical or hold sensitive data. Set up monitoring so you have a baseline of normal activity. Determine which types of security events should be investigated, and create detailed response steps for common types of incidents.
ThreatFortress Cynet 360 provides all the core capabilities that are required for sound incident preparation, including a centralized visibility interface showing all endpoint configurations, process execution, installed software, network traffic and user activity.
Detection involves collecting data from IT systems, security tools, publicly available information and people inside and outside the organization, and identifying precursors (signs that an incident may happen in the future) and indicators (data showing that an attack has happened or is happening now).
Analysis involves identifying a baseline or normal activity for the affected systems, correlating related events and seeing if and how they deviate from normal behavior.
An integrated security platform like Cynet 360 can do this for you, automatically identifying behavioral baselines, detecting anomalies that represent suspicious behavior, and collecting all relevant data across networks, endpoints and users to help you investigate it.
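The baseline-then-deviation logic described above (record normal activity during preparation, then classify departures from it as precursors or indicators during detection and analysis) can be seen concretely in the following added example. It is not code from the original article or from any product it mentions; the log format, host names, and the two thresholds it applies (an unseen user/process pair, failed logins above the baseline's hourly maximum) are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed log format (assumption, not a real product format): "<ISO timestamp> <host> <user> <event> <detail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<event>\S+) (?P<detail>.*)$")
# Constructed "normal activity" window, gathered during the preparation phase
BASELINE_LOG = """
2024-05-01T09:00:00 ws01 alice process_start outlook.exe
2024-05-01T09:05:00 ws01 alice process_start excel.exe
2024-05-01T09:07:00 ws01 alice login_failed -
2024-05-01T10:00:00 srv01 svc_backup process_start backup.exe
"""
# Constructed later events to be analysed against that baseline
NEW_LOG = """
2024-05-02T02:10:00 ws01 alice process_start excel.exe
2024-05-02T02:11:00 ws01 alice process_start powershell.exe
2024-05-02T02:12:00 srv01 svc_backup login_failed -
2024-05-02T02:13:00 srv01 svc_backup login_failed -
2024-05-02T02:14:00 srv01 svc_backup login_failed -
2024-05-02T02:20:00 srv01 - portscan_seen 203.0.113.7
"""

def parse(text):
    # Lines that do not match the expected format are skipped rather than crashing the analysis
    return [m.groupdict() for m in map(LINE_RE.match, text.strip().splitlines()) if m]

def build_baseline(events):
    """Preparation: per-host set of normal (user, process) pairs plus the highest failed-login count seen in any hour."""
    procs, fails = defaultdict(set), Counter()
    for e in events:
        if e["event"] == "process_start":
            procs[e["host"]].add((e["user"], e["detail"]))
        elif e["event"] == "login_failed":
            fails[(e["host"], e["ts"][:13])] += 1  # ts[:13] buckets events by hour
    return {"procs": procs, "max_fails_per_hour": max(fails.values(), default=0)}

def analyze(baseline, events):
    """Detection and analysis: label deviations as precursor (may foreshadow an incident) or indicator (incident under way)."""
    findings, fails = [], Counter()
    for e in events:
        if e["event"] == "process_start":
            if (e["user"], e["detail"]) not in baseline["procs"].get(e["host"], set()):
                findings.append(("indicator", e["host"], f"unseen process {e['detail']} run by {e['user']}"))
        elif e["event"] == "login_failed":
            fails[(e["host"], e["ts"][:13])] += 1
        elif e["event"] == "portscan_seen":
            findings.append(("precursor", e["host"], f"port scan observed from {e['detail']}"))
    limit = baseline["max_fails_per_hour"]
    for (host, hour), n in fails.items():
        if n > limit:
            findings.append(("indicator", host, f"{n} failed logins in {hour} (baseline max {limit})"))
    return findings
```

Each finding carries the host it concerns, so it can be fed straight into the containment decision for that asset and, after the incident, back into the baseline as the post-incident phase refines what "normal" means.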
The goal of containment is to stop the attack before it overwhelms resources or causes damage. Your containment strategy will depend on the level of damage the incident can cause, the need to keep critical services available to employees and customers, and the duration of the solution—a temporary solution for a few hours, days or weeks, or a permanent solution.
As part of containment, it is important to identify the attacking host and validate its IP address. This allows you to block communication from the attacker and also to identify the threat actor, understand their mode of operation, and search for and block other communication channels they may be using.
Cynet 360 can help you take remote manual action to contain security incidents, including stopping malicious processes, deleting files, resetting passwords and restarting affected devices. It can also perform automatic containment actions such as stopping rapid encryption of files or automatically isolating endpoints infected by malware from the network.
Cynet response orchestration capabilities provide the means to terminate attackers’ presence and activity from all parts of the environment: infected hosts, malicious files, compromised user accounts and attacker-controlled traffic. Learn more about Cynet 360’s incident containment capabilities.
In the eradication and recovery stage, after the incident has been successfully contained, you should act to remove all elements of the incident from the environment. This might include identifying all affected hosts, removing malware, and closing or resetting passwords for breached user accounts.
Finally, once the threat is eradicated, restore systems and recover normal operations as quickly as possible, taking steps to ensure the same assets are not attacked again.
A central part of the NIST incident response methodology is learning from previous incidents to improve the process.
You should ask, investigate and document the answers to the following questions:
Use your findings to improve the process, adjust your incident response policy, plan, and procedures, and feed the new data into the preparation stage of your incident response process.
ChatFortress has an outsourced incident response team that anyone can use, including small, medium and large organizations. The incident response team provides professional security staff who are equipped to carry out fast, effective incident response activities.
Cynet can deploy the Cynet security platform in just minutes across hundreds to thousands of endpoints. The team can scan, identify, analyze and attend to threats before any harm is done. The Cynet incident response team can assist with:
Dr. Drew Bjerken
CISO, CPO Catalina
“ThreatFortress' CyOps security team is a major plus. They’re online 24/7 assisting with threat hunting, alerting, and helping with incident response - without any additional cost.”
Former CISO, ICL Group
“One of the biggest values of ThreatFortress is their CyOps team of security experts, who are available around the clock, whenever we need them. They enhance and complement our existing security capabilities and, as a CISO, this gives me peace of mind.”
Schedule a time to speak to your cybersecurity consultant for free to help you understand your options. Or Email Help@ChatFortress.com and our team will respond to your questions.