What is NIST incident response?

NIST released the second revision of their Computer Security Incident Handling Guide in 2012, which treats the phrase “incident response” as interchangeable with “cybersecurity incident response.” An incident response is a systematic process that an organization can use to predict, plan for, and, per its title, handle a cybersecurity incident. The process is also iterative, in that actually encountering cybersecurity incidents will strengthen the process and help to tighten systems and avoid further incidents in the future.

The NIST guide is comprehensive and includes a checklist to prepare for security events that can be used as you build your own audit checklist. The 2012 update to the Cybersecurity Incident Handling Guide also offered an extended section on how to share information between organizations in the case of a cybersecurity threat.

Why Is NIST Providing Recommendations on Incident Response?

NIST developed its guidelines on incident response in an effort to help federal agencies, businesses, and non-governmental organizations prepare for cybersecurity incidents; the guidelines are designed to help organizations respond to incidents as quickly as possible.

Under the Federal Information Security Modernization Act(FISMA), NIST is obligated to provide recommendations to Federal agencies, as these agencies are required to demonstrate their incident response capability. In certain cases, organizations are required to report incidents; for example, under FISMA, or the Health Insurance Portability and Accountability Act’s (HIPAA) “Breach Notification Rule”. In the 2012 revision, NIST’s guidelines offered a more robust section on how to share information about a cybersecurity incident across organizations to help prevent further damage and fallout from the event.

What Does the NIST Incident Response Cycle Look Like?

NIST’s incident response cycle has four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication, and recovery, and 4) post-incident analysis.

However, NIST is intentional in its use of the term “cycle”; the response cycle is iterative and feedback driven, and they are clear that incident response is a practice that is ongoing, not merely a reaction to an event which ultimately resolves. Preparation includes an active risk assessment plan, and post-incident analysis includes learning and preparation for the next set of potential incidents.

The Four Parts of the NIST Incident Response Cycle

1. Preparation

Preparation for an incident can be daunting when you haven’t already encountered the threat and don’t yet know the full shape of it; one of the key challenges of risk assessment is preparing for the unknown. In preparing for a cybersecurity incident, NIST suggests implementing a series of tools ahead of time, so that you are ready to analyze, isolate, and respond to an incident. These include securing communication tools and facilities for anyone who will be handling incidents if they occur, from having contact information readily available for stakeholders and reporting entities, to purchasing smartphones for your Computer Security Incident Response Team (CSIRT), to having space available for your “war room” where the team can gather and manage the crisis.

The guidelines also suggest ensuring you have up-to-date hardware and software ready for incident analysis; while the document does not cover exactly how to secure systems, it offers broad strokes advice on conducting risk analyses and securing your systems to best prevent an incident from occurring, but the details will be industry-specific.

2. Detection and Analysis

The detection and analysis stage requires first identifying the type of threat you’re facing. NIST provides a list of potential threat types and divides the signs of an incident into two categories: precursors and indicators.

A precursor is a sign that an incident may occur in the future, and an indicator is a sign that an incident may be occurring at present or have already occurred. Unfortunately, most signs of an attack are only visible after an attack has already begun, but an organization with a mature incident response capability may be able to detect precursors and prevent an attack before it begins.

You will likely be dealing with indicators; these will guide you in determining where the attack is coming from, how to contain it, and how long you have to continue to gather evidence. After the incident has been identified and detected, this phase includes everything from analyzing security weaknesses, to prioritizing post-incident actions, measuring the impact, properly documenting the incident, and finally notifying impacted parties. This part of the cycle also includes properly reporting a cybersecurity incident to the appropriate agencies, law enforcement, and other affected parties.

3. Containment, Eradication, and Recovery

Containment, eradication, and recovery make up the bulk of the active incident response. This stage of the incident response includes isolating the threat, to make sure it does not grow; however, NIST documentation is clear that the containment strategy must match the type of attack and the potential damage incurred if the attack continues. Moreover, merely disconnecting the attacking host from the data source may backfire; NIST suggests that the incident response team has a specific containment plan for each type of attack they anticipate based on risk assessments and analyses. This phase includes identifying and researching the attacking host and gathering evidence that can be used in legal matters; NIST suggests that in some cases the response team may choose to use a “sandbox” to contain the threat, to encourage the attack to continue so the team can gather more data, but a delayed full containment may lead to more damages if applied in the wrong context.

Once contained, your cybersecurity team can work on eradicating the threat, including removing malware and deleting compromised accounts. Finally, the team can move to a phased recovery, where the organization can resume with normal operations; recovery may include cybersecurity patches and taking steps to improve firewalls, reinstall anti-malware, restore systems from clean backups, and changing passwords across the organization.

4. Post-Incident Activity

NIST says that this step is the most often omitted and the most important — after the incident, the team should hold a “Lessons Learned” meeting to process the incident, go over strategies for preserving the data collected and evidence gathered over the course of the meeting, and revisit preparation for future projected cybersecurity threats. This phase also includes creating a follow-up report on every part of the incident. This report can be used for internal purposes, and can also be shared with external organizations; managing and preventing cybersecurity threats often goes beyond a single organization and requires cooperation and mutual involvement across the entire incident response cycle.

Do You Need a NIST Incident Response Team?

The NIST recommends having a Computer Security Incident Response Team, either in-house or through a third-party Information Sharing and Analysis Center (ISAC); this team will include IT and cybersecurity experts, but may also engage public relations and legal experts. Depending on the scale and cybersecurity needs of your organization, you may choose to hire professionals to be available immediately and onsite; if your organization has overwhelming security needs, like Facebook or Amazon, then your team will be full-time and available 24-7. But for many organizations, hiring full-time IT staff to respond to incidents is not particularly cost-effective. The UK’s National Cyber Security Centre states that “it is more cost effective to have a ‘virtual’ CSIRT, pulled together when needed, from people who have other day jobs.” The NIST states that organizations which do not have contact with a CSIRT “can report incidents to other organizations, including Information Sharing and Analysis Centers (ISACs)… industry-specific private sector groups [which] share important computer security-related information among their members.”

NIST Incident Response Takeaways

NIST’s strategies for incident response and their vision for the incident response cycle are some of the best available for IT management teams and CIOs seeking to protect their organization from costly, reputation-damaging cybersecurity events and figuring out how to prevent cybersecurity breaches. NIST argues that incidents are just part of the IT landscape, we may not be able to avoid them entirely, but we can certainly minimize their impact on our businesses and lives. If your team wants to be prepared for a potential cybersecurity event, AuditBoard’s compliance management software can help you keep track of NIST’s incident response guidelines and ensure that you’re checking off all of the most important items on their list and that you have a central hub for your CSIRT to access relevant documentation, logs, and incident-related information.