Whether you have already developed an incident response plan (IRP) or you’re just getting started, you can benefit from the best-practices and approaches outlined in the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide. NIST has developed a comprehensive roadmap designed to help organizations build an IRP that will offer consistent, comprehensive cybersecurity protection.
NIST does not recommend that organizations adopt particular hardware or software systems, nor does NIST recommend engaging in a total overhaul of existing systems. Rather, NIST offers a blueprint that is designed to be integrated into an organization’s existing structure and systems. NIST standards emphasize preparation and proactive monitoring as the best defense against threats. While NIST standards are lengthy and complex, there are certain core expectations that every organization needs to understand to be successful at developing a NIST-compliant IRP. Let’s explore the following six essential things that you should adopt to ensure your IRP meets and exceeds NIST standards:
Classify threats by attack vectors
Traditional wisdom dictates that cybersecurity teams should classify threats into discrete types, such as “denial of service” or “malicious code,” in an effort to provide full visibility and to create opportunities for rigorous subsequent analysis. The problem is that so many real-world incidents don’t fall into a single discrete category; rather, they are multi-component threats. NIST recognizes that cyber attacks are carried out across multiple vectors, recommending that cybersecurity teams classify each threat into as many attack vectors as necessary. The standardized NIST attack vectors include external/removable media, attrition (denial of service and brute-force attacks), web, email, impersonation, improper usage, and equipment loss. Using standardized attack vectors is important for creating a classification scheme that is meaningful to outside parties and allows for benchmark comparisons with other organizations.
Document an incident in multiple ways
When you have a cybersecurity incident, it’s important to document the incident from multiple perspectives to minimize damage and to ensure that maximum insights can be gleaned from the incident. First, you should document the protocols and processes that should be executed to remedy the incident; this is a methodology-based exercise. Second, you should document the impacts of the incident on the system, such as how long the system was down, what assets were lost, and what resources are required to contain the incident. Third, you should document the way that the response was coordinated, executed, and managed, ensuring it will be possible to methodically review the response later and determine what was done right vs. what could have been done better.
Assess an incident’s impacts from three perspectives
Cybersecurity incidents are complex, dynamic events that need to be handled consistently by following best practices. To ensure every decision-maker in the organization has access to a comprehensive set of facts about the incident, the focus of your IRP should be on assessing the impacts of the incident, and you should be doing so from three main perspectives. First, you should categorize the incident in terms of its functional impact—that is, how the incident affects the organization’s ability to function normally. NIST recommends that incidents be classified as having low, medium, high, or no impact, where “high” represents an interruption in critical functions. Second, you should categorize the incident in terms of its information impact—that is, the level of sensitivity of the information that was potentially compromised during the incident. NIST recommends that incidents be classified as a privacy breach, intellectual property breach, or loss of data integrity. Third, you should categorize the incident in terms of its recoverability impact—that is, what resources are needed to recover from the incident. NIST recommends that incidents be classified as regular/standard, supplemented (when more resources are required), extended (for extreme resource allocations), or not recoverable (for the most extreme cases).
Share information with trusted partners
As tempting as it can be to aggressively prevent external organizations from ever finding out about cybersecurity incidents, NIST does not recommend that your IRP include a hunker-down approach. Rather, information about cybersecurity incidents should be shared within a closed, trusted community of security professionals, ideally in real time. Collective wisdom and insights are one of the best lines of defense in recognizing potential risks, developing strategies to minimize threats, and stopping breaches with minimal damage.
Institute rigorous access-control measures
Implementing rigorous access-control measures sounds like a no-brainer, until you consider the myriad of ways that you must restrict access. Your IRP should include provisions for monitoring and updating encryption and authentication systems, enforcing complexity standards for passwords (and requiring those passwords be regularly changed), re-sanitizing equipment and systems that are temporarily removed from the cybersecurity perimeter, implementing access restrictions, maintaining access logs, and enforcing strict rules for remote user access and software installations.
Invest in incident response software and case management tools
To truly understand and extract meaningful information from a cybersecurity incident, it’s crucial to invest in the software and tools you need for documentation and deep forensic analysis. You need incident management software that can integrate all of your intelligence-gathering processes and workflows and ensure you are capturing critical information in real time. You also need forensics tools to provide centralized access to and full visibility of the mechanisms and processes that trigger an incident, including analyses of memory usage, network connectivity, running processes, and event logs and registries.
D3 Cyber has developed a leading incident response and IT forensics case management solution. Our fully customizable, fully integrated systems streamline and automate reporting, investigations, and analysis, enabling you to extract maximum intelligence from every incident with consistency and ease. With our cybersecurity solutions at your fingertips, you can count on being able to classify threats by attack vectors, document incidents in all relevant ways, assess an incident’s impacts from three distinct perspectives, share information with trusted partners, and oversee implementation of rigorous access-control measures.
Click the button below to schedule your one-on-one demo of D3’s Incident Management Platform
