Incident Handling & Response

Concepts and terms

Disasters, attacks, and other negative events can significantly impact the operations of any organization. In the security world, these events are known as incidents. and incident response is the process for dealing with them. The standard way of handling incidents today is based on the NIST incident response lifecycle, consisting of four stages:

1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Post-incident activities

On the current version of the Security+ exam (SY0-501),  these four stages are further divided into six stages:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

Incident management is concerned with the implementation of an organization’s incident response policy, which is typically developed by senior management and addresses such issues as the creation of incident response plans and processes, allocation of resources to handle incidents, and the establishment of an incident response team comprising security professionals.

Federal agency incident guidelines

Beginning in 2017, US-CERT introduced new guidelines for notification and categorization of incidents. The use of a common set of terms allows incident response teams throughout the federal government to clearly communicate with each other about incidents. These guidelines make use of the CISA Cyber Incident Scoring System and cover notifications, severity assessments, impact categories, and attack vector descriptions.

• US-CERT Federal Incident Notification Guidelines
• CISA Cyber Incident Scoring System

NIST incident handling

The standard reference document for handling incidents is the NIST Computer Security Incident Handling Guide, which defines the four stages of incident response and details processes for implementing them when an incident occurs.

• NIST Computer Security Incident Handling Guide (800-61 R2)
• Introduction to the Incident Response Lifecycle

Incident Response Consortium

The Incident Response Consortium is a community-oriented organization created to help teams develop and implement best practices, playbooks, and response plans. Their website offers many resources to help create and improve incident response teams and build an innovative and supportive community.

• Incident Response Consortium

ThreatConnect

Another useful resource is the ThreatConnect TC Open platform, a free way to learn about finding, using, and sharing threat intelligence. 

• ThreatConnect TC Open
• 10 Things Security Analysts Can Do for Free in TC Open

MITRE ATT&CK framework

The ATT&CK framework has been developed as a free knowledge base of techniques that can be used to build effective threat models and response processes. ATT&CK is free to use and users are welcome to contribute their own techniques and use cases.

• MITRE ATT&CK
• Mastering the ATT&CK Matrix

SANS Internet Storm Center

The Internet Storm Center or ISC is a program of the SANS Institute that monitors emerging threats and threat activity across the Internet. It’s an indispensable resource that analysts can use to keep track of the latest malicious events and activities around the world. The ISC also has an excellent podcast called the ISC StormCast hosted by Johannes Ullrich, the CTO of the ISC.

• Internet Storm Center
• ISC StormCast

CISA NCAS alerts

The Cybersecurity and Infrastructure Security Agency or CISA is a federal agency operating under the oversight of the Department of Homeland Security. CISA creates a variety of information products for analysts, especially the group of products that make up the National Cyber Awareness System. This includes alerts, weekly bulletins, current activity, and analysis reports.

• CISA National Cyber Awareness System