What is an incident response workflow according to NIST Special Publication 800-61

The National Institute of Standards and Technology (NIST) publishes some of the most essential and widely applicable cybersecurity guidelines and regulations. For example, the Cybersecurity Framework (CSF) is the basis for nearly every regulatory text currently in circulation. Another critical guide published by NIST is its incident response framework, an overarching guide that all companies should implement, at least in part. Read on to learn how.

 

Implementing the NIST Incident Response Framework

Regardless of how seamless a company’s cyberdefenses are, it’s impossible to prevent all attacks, breaches, or other cybersecurity events. Therefore, it’s critical to have sound plans to limit the scope and impact of attacks when they happen. The NIST incident response framework provides companies with those plans. In this blog, we’ll break down all you need to know about NIST incident management:

  • Overview of the 2012 NIST text, including context for implementation in 2021
  • Description of its recommended strategies and four-stage procedure
  • A comparative look at alternative incident management frameworks and approaches

By the end of this blog, you’ll have everything you need to successfully manage incidents, from prevention to addressing them when they do occur. First, what are these incidents, exactly?

 

What Constitutes a Cybersecurity Incident?

In the world of cybersecurity, myriad terms refer to confusingly similar occurrences. Outside IT circles, people may refer to things like hacks, breaches, or attacks interchangeably, regardless of the specific threat vector exploited or the origin of the event. But a term such as “incident” has a critical technical meaning that takes precedence over any public misunderstandings.

An incident in cybersecurity is a general category that includes all events potentially leading to a data breach, whether or not they succeed. This covers intentional attacks launched by cybercriminals as well as accidental breaches (or near breaches) arising from user misuse or misunderstanding. For example, imagine your company fields ten cybersecurity events over a year. Eight of these are attacks, and the other two are user errors. If two led to compromised resources, then you sustained two breaches out of a total of ten incidents.

 


 

Overview: NIST Incident Management Framework

The incident management framework is detailed in NIST Special Publication 800-61, Computer Security Incident Handling Guide. The current version of this document (Rev. 2) was published in 2012, updating SP 800-61 Rev. 1 from 2008, which in turn updated the original SP 800-61 from 2004.

All of these documents follow the same basic structure. Their contents include the following:

  • An introductory establishment of the NIST’s authority and basic operational definitions
  • A section on requirements needed for potent security incident response capabilities
  • A detailed breakdown of the four-stage process of incident management (see below)
  • A closing gloss on the importance of, and resources for, sharing threat intelligence

Digging back further, SP 800-61 is a revision of an even older document, SP 800-3, titled Establishing a Computer Security Incident Response Capability (CSIRC), published in 1991. This oldest document precedes the influx of computers into nearly every facet of contemporary life and is concerned with establishing baseline capacities for overall cybersecurity.


 

NIST Incident Management Implementation in 2021

What stands out across the history detailed above is that, barring the changes from 1991 to 2004, the general structure of the incident response process NIST lays out has remained constant for nearly two decades. That is evidence of an effective approach, to be sure, but also of one in dire need of several updates or augmented practices to remain impactful in 2021 and beyond.

The variety, severity, and volume of cybersecurity threats have grown exponentially over the past nine years. Per one list of significant cybercrimes from the Center for Strategic & International Studies (CSIS), there were 27 cyber-attacks with at least $1 million in reported losses in all of 2012. In contrast, 134 such attacks occurred in 2020, and 47 had already occurred by late April 2021. To keep pace, companies may need even more rigorous methods than NIST prescribes.

 

NIST Incident Response Framework Step by Step

Irrespective of the updates needed to optimize your own company’s incident management approach fully, the NIST incident response framework is an impactful starting point for all companies.

It all begins with establishing incident response capacity, including policies, plans, and procedures. You’ll also need an incident response team comprising IT personnel from the company and third parties such as law enforcement and media contacts to facilitate reporting.

Once all these elements are in place, your company is ready to begin the four-stage process:

  1. Preparing for a variety of incidents while taking measures to prevent their occurrence
  2. Detecting incidents as they occur and analyzing them to select appropriate procedures
  3. Deploying the selected procedures to contain, eradicate, and fully recover from incidents
  4. Monitoring for necessary post-incident actions and addressing them over the long term

Let’s take a closer look at each stage in the process, including ways to optimize its practices.

 

Stage #1: Incident Preparation and Prevention

The first stage within the NIST framework comprises two critical functions: preparation and prevention. For the first, it prescribes the following tools, beyond the capacities detailed above:

  • Incident handler communications facilities – Including fundamentals such as contact information and assurance of communication devices and platforms for all stakeholders
  • Incident analysis hardware and software – Including physical and virtual means for describing, sharing, analyzing, and referencing incidents against prior threat intelligence
  • Incident analysis resources – Including access to aforementioned threat intelligence, both internally compiled and from national, local, or other registries of threat vectors
  • Incident mitigation software – Including access to clean backups of all software

For the second function, it specifies that institutions should optimize their capacities for access management and risk assessment, minimizing the potential for compromise while monitoring for any instances of attack. Other recommendations include standard antivirus software and IT training.


Stage #2: Detection and Deep Analysis of Incident

The next stage is arguably the most pivotal, as it determines the actions to be taken throughout the lifecycle of an incident once it occurs. While NIST SP 800-61 breaks the stage into seven sub-sections, its contents can be understood more easily as a four-part procedure:

  • Detection – The incident handlers will need to detect an incident as soon as possible and determine its origins and vectors based upon precursors or indicators of attack.
  • Analysis – Then, handlers will begin a process of analysis, comparing conditions under the incident to a security baseline and seeking out correlations with previous incidents.
  • Priority – This analysis enables a process of prioritization of elements to address first.
  • Notice – Finally, once companies generate a profile, they will report to local media and law enforcement as needed to facilitate mitigation and prevent attacks on others.

Stage two does not end as a company begins the next. Instead, ongoing in-depth analysis and reporting continue throughout the process, informing any adjustments necessary.
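As an added illustration (not code from this blog or from NIST), the following Python models stage two on constructed sample log lines: it detects a source that exceeds a failed-login baseline and then succeeds (a precursor followed by an indicator), correlates the new incident with earlier ones by shared indicators, and scores priority using the three factors NIST SP 800-61 Rev. 2 lists for prioritization (functional impact, information impact, recoverability). The numeric weights, log format, and incident IDs are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed 0-3 weights for the three prioritization factors in SP 800-61 Rev. 2
# (section 3.2.6): functional impact, information impact and recoverability.
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy breach": 2, "proprietary breach": 2, "integrity loss": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not recoverable": 3}

@dataclass
class Incident:
    incident_id: str
    indicators: frozenset          # artefacts observed during detection, e.g. source IPs
    functional: str = "none"
    information: str = "none"
    recoverability: str = "regular"

# Constructed sample sshd-style log lines (not taken from any real system).
SAMPLE_LOG = """\
Apr 20 08:01:02 vpn sshd[101]: Failed password for admin from 203.0.113.7 port 5021
Apr 20 08:01:03 vpn sshd[101]: Failed password for admin from 203.0.113.7 port 5022
Apr 20 08:01:05 vpn sshd[101]: Failed password for root from 203.0.113.7 port 5023
Apr 20 08:01:09 vpn sshd[101]: Accepted password for admin from 203.0.113.7 port 5024
Apr 20 08:02:11 vpn sshd[101]: Failed password for alice from 198.51.100.4 port 6001
"""
LINE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+) port")

def detect(log_text, baseline_failures=2):
    """Return sources whose failed logins exceed the baseline and then succeed:
    a brute-force precursor followed by a successful-login indicator."""
    failed, succeeded = Counter(), set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ip = m.group(3)
        if m.group(1) == "Failed":
            failed[ip] += 1
        else:
            succeeded.add(ip)
    return sorted(ip for ip, n in failed.items() if n > baseline_failures and ip in succeeded)

def priority(inc):
    """Sum of the three NIST factor weights; higher means handle sooner."""
    return FUNCTIONAL[inc.functional] + INFORMATION[inc.information] + RECOVERABILITY[inc.recoverability]

def correlate(new, history):
    """IDs of earlier incidents sharing at least one indicator with `new`."""
    return [old.incident_id for old in history if old.indicators & new.indicators]

def triage(incidents):
    """Order open incidents by priority score, highest first (ties keep input order)."""
    return sorted(incidents, key=priority, reverse=True)
```

In practice the baseline would come from the organization's own normal-activity profile and the factor ratings from the handler's analysis, not from fixed constants.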

 

Stage #3: Containment, Eradication, and Recovery

The next stage is primarily about executing the plan laid out in the previous one. However, the first step within stage three entails further planning. Companies must determine the most appropriate containment strategies to immediately stop the spread of the incident and reduce overall damage done, facilitating the goals of eradication and recovery. A crucial part of this step is information gathering, which may also facilitate legal proceedings.

Before or during the actual measures taken to eradicate the incident, NIST advises an optional step of identifying and (to the extent possible) neutralizing the attacking hosts or parties.

Finally, NIST collapses eradication and recovery into one all-encompassing procedure. It includes all measures taken to remove every active and inactive element of the attack from company systems, ensure no further harm comes from it, and restore resources compromised by the attack. Like stage two, this is an indefinite, ongoing process.

 

Stage #4: Post-Incident Activities and Awareness

Finally, the last stage of the NIST process involves wrapping up the incident response protocol and feeding back into future preparation and prevention efforts. To that effect, it breaks down into three distinct steps, each of which builds on the last and improves all future stages:

  • Compile lessons learned – First, companies must take stock of the lessons learned from an incident and its mitigation. This includes documentation of all relevant details, along with analysis of the efficacy of procedures and projection of alternative routes.
  • Use collected data – The data compiled in the previous step needs to be mobilized, including determining future risk monitoring capabilities and resource allocation.
  • Retain evidence – Finally, companies need to dedicate plans and resources to the retention of data, including for purposes of law enforcement and sharing with peers.

While this stage is the final one, it also begins alongside the prior two stages, as data collection is critical throughout an incident’s lifespan. Its scope is also open-ended, because incident management is ongoing.

 

Alternative Methods for Incident Management

As noted above, one of the most effective ways to consider and implement the NIST incident response framework is as a foundation for a broader cyberdefense architecture. In particular, rising cybercrime threats make a more proactive, risk-focused approach especially apt for companies likely to field many attacks. For such companies, a purely reactive response may come too late.

One effective way to manage incidents through risk is a robust, comprehensive vulnerability management program. A suite of services operated internally or with the help of a service provider identifies all vulnerabilities that could turn into risks if exploited by threat actors. In addition, passive scanning lowers the volume and severity of incidents, facilitating swift mitigation and recovery.

Another approach is a more targeted managed detection and response program, which integrates response into the threat phase long before risks turn into actualized attacks.


SANS Institute’s Incident Response Framework

NIST SP 800-61 is not the only widely used framework for incident management. The other major player in this space is the SANS Institute, which has published numerous guides and whitepapers on incident response over the past 30 years. Two examples are the Incident Handling Process for Small and Medium Businesses and the Incident Handler’s Handbook.

Across these and other SANS texts, authors lay out six steps for effective incident response:

  1. Preparation and prevention of incidents, mirroring stage one from NIST SP 800-61
  2. Identification of incidents, including analysis and prioritization of response tactics
  3. Containment of incidents, limiting reach and damage done to resources contacted
  4. Eradication of incidents, including removal of any residual artifacts not needed for analysis
  5. Recovery from incidents, including restoring of services and business continuity
  6. Lessons learned, including planning and prevention of future similar incidents

These steps correspond loosely to the stages of NIST, with steps three, four, and five breaking out the individual processes that NIST compresses into its third stage. Likewise, institutions may build on these methods and distribute roles or responsibilities in their own particular ways.

 

RSI Security’s Incident Management Framework

Another framework for incident management is the one we’ve developed at RSI Security. Our own incident management services comprise the following six phases, adapted primarily from NIST:

  • Incident identification – Working in conjunction with your internal IT teams, we’ll monitor for and detect incidents as soon as they occur, or before, in the risk stage.
  • Logging of incidents – We’ll then log any incidents discovered, cross-reference existing threat intelligence, and set up the necessary chain of command for analysis.
  • Investigation/diagnosis – Next, our experts will work with you to investigate any possible causes or roots of the incident, address them if possible, and diagnose the attack.
  • Assignment/escalation – The next step involves an initial assignment of resources, roles, and responsibilities, along with periodic adjustments and escalations, if needed.
  • Resolution and closure – As the attack plan moves forward, our team will prepare for initial resolution procedures, including declaring the attacker expelled and beginning ongoing recovery.
  • Customer satisfaction – Finally, we assure our clients and their customers of long-term safety by meeting or exceeding levels of functionality from before the incident occurred.

These steps are highly flexible and adaptable to any company’s specific needs and means, regardless of size and industry. They encompass the NIST incident response framework and even surpass it in scope. To optimize your incident management, contact RSI Security today!

What is an incident response workflow?

Incident response is a structured process organizations use to identify and deal with cybersecurity incidents. Response includes several stages, including preparation for incidents, detection and analysis of a security incident, containment, eradication, and full recovery, and post-incident analysis and learning.

What is an incident response plan NIST?

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization's information system(s). Source(s): CNSSI 4009-2015 from NIST SP 800-34 Rev. 1.

What are the 5 steps of the NIST framework for incident response?

NIST SP 800-61 describes four steps:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication and Recovery
  4. Post-Incident Activity

What is the most recent NIST standard for incident response?

NIST SP 800-61.