Date: 26 April 2022
NIST Cybersecurity Incident Response Plan Steps
Different Cyber Incident Response Plan Templates usually define the phases or steps of good incident response in varying ways.
We have detailed blogs on the 6 Phases of Incident Response and on 7 Phases of Incident Response which you can read for more information. However, in this blog, we’re going to stay focussed on the 4 Phases of the Incident Response Lifecycle as defined by NIST.
As per NIST, the major phases of the Cybersecurity Incident Response Process include:
- Preparation
- Detection & Analysis
- Containment, Eradication & Recovery
- Post-Incident Activity
We can now explore in detail what each of these phases or steps in the Incident Response Lifecycle entails.
- Preparation: As the name suggests, this phase is all about getting the organisation ready for a cyber-attack. It involves establishing and training a security incident response team as well as implementing tools and resources that could actually limit security incidents in the first place. Prevention of incidents does end up falling into the category of Preparation, although strictly speaking the incident response team is not responsible for securing resources.
NIST, however, recommends that the incident response team act as advocates of good cybersecurity practices and behaviour in the Preparation stage. Clearly, limiting the number of incidents is critical to the success of any Cybersecurity Incident Response endeavour.
The NIST Computer Security Incident Handling Guide also details some practices that can help analyse risk and secure networks, applications and systems in the Preparation phase of the Lifecycle.
- Detection & Analysis: While it’s impossible for organisations to be prepared for every possible future attack, it is wise to have a plan in place to respond to the most common attack vectors.
Detection is also critical because businesses often cannot tell whether they have actually been attacked or not. Timely detection is of the essence, so the security incident response team should be able to quickly validate an incident and then analyse its scope: what the attack methodology was and which assets have been impacted.
Accurately communicating the fact that the organisation has been attacked to the right stakeholders is also a crucial part of this phase of the Incident Response Lifecycle.
- Containment, Eradication & Recovery: It is imperative to contain an incident before it causes widespread damage and exhausts resources. NIST highlights that good decision-making is a big part of Containment. Obviously, containment becomes easier and more effective if predetermined strategies are in place to handle and contain the incident correctly, which further underlines the importance of good cybersecurity practices and incident response training in the UK and globally.
After containing the incident, eradication may be necessary to remediate all affected hosts. Eradication usually involves steps like eliminating the malware or deleting breached accounts.
Recovery is the next logical step after eradication. It involves restoring affected systems, changing passwords, tightening the network, and replacing compromised systems and files.
- Post-Incident Activity: This phase lays emphasis on lessons learned from the cyber incident. The NIST document recommends holding a ‘lessons learned’ meeting with key stakeholders after a major incident so that the organisation can collectively evolve into being better at handling similar incidents in the future.
Proper post-incident activity can shed light on key questions around an incident: what exactly happened and how well the staff handled the incident. These meetings can also be the perfect vehicle for deliberating on the organisational incident response strategy and its effectiveness.
Ideally, ‘lessons learned’ meetings should be followed up with formal reports that detail everything discussed in the meeting. These reports can be useful in identifying gaps in existing policies and procedures as well as training new staff members who may subsequently become part of the IT security team.
The above are some critical incident response steps as highlighted by NIST. Including these major steps in your Cyber Security Incident Response Plan is one of the most important leaps you can take today towards becoming a cyber-resilient organisation.
You may also want to find out more about our NCSC-Certified Cyber Incident Planning & Response training. As the human element is often the weakest link in a digital environment, training your non-technical staff in Incident Response can be the ultimate differentiator of a cyber-resilient organisation. The training can also help you to implement NIST's Incident Response Lifecycle and meet ISO 27001:2013's Annex A.16.1.