Incident Handling & Response
Concepts and terms
Disasters, attacks, and other negative events can significantly impact the operations of any organization. In the security world, these events are known as incidents, and incident response is the process for dealing with them. The standard way of handling incidents today is based on the NIST incident response lifecycle, consisting of four stages:
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post-incident activities
On the current version of the Security+ exam (SY0-501), these four stages are further divided into six stages:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
Incident management is concerned with the implementation of an organization’s incident response policy, which is typically developed by senior management and addresses such issues as the creation of incident response plans and processes, allocation of resources to handle incidents, and the establishment of an incident response team comprising security professionals.
Federal agency incident guidelines
Beginning in 2017, US-CERT introduced new guidelines for notification and categorization of incidents. The use of a common set of terms allows incident response teams throughout the federal government to clearly communicate with each other about incidents. These guidelines make use of the CISA Cyber Incident Scoring System and cover notifications, severity assessments, impact categories, and attack vector descriptions.
NIST incident handling
The standard reference document for handling incidents is the NIST Computer Security Incident Handling Guide, which defines the four stages of incident response and details processes for implementing them when an incident occurs.
- NIST Computer Security Incident Handling Guide (800-61 R2)
- Introduction to the Incident Response Lifecycle
Incident Response Consortium
The Incident Response Consortium is a community-oriented organization created to help teams develop and implement best practices, playbooks, and response plans. Their website offers many resources to help create and improve incident response teams and build an innovative and supportive community.
Another useful resource is the ThreatConnect TC Open platform, a free way to learn about finding, using, and sharing threat intelligence.
MITRE ATT&CK framework
The ATT&CK framework is a free knowledge base of adversary techniques that analysts can use to build effective threat models and response processes. ATT&CK is free to use, and users are welcome to contribute their own techniques and use cases.
SANS Internet Storm Center
The Internet Storm Center or ISC is a program of the SANS Institute that monitors emerging threats and threat activity across the Internet. It’s an indispensable resource that analysts can use to keep track of the latest malicious events and activities around the world. The ISC also has an excellent podcast called the ISC StormCast hosted by Johannes Ullrich, the CTO of the ISC.
CISA NCAS alerts
The Cybersecurity and Infrastructure Security Agency or CISA is a federal agency operating under the oversight of the Department of Homeland Security. CISA creates a variety of information products for analysts, especially the group of products that make up the National Cyber Awareness System. This includes alerts, weekly bulletins, current activity, and analysis reports.