NIST Incident Response Steps & Template | Blameless

The National Institute of Standards and Technology (NIST) provides the framework to help businesses mitigate cybersecurity risks. The framework also protects networks and data, outlining best practices to inform decisions that save time and money. Creating a cybersecurity strategy that identifies, protects, detects, responds, and helps you recover from cybersecurity incidents is critical in the evolving threat landscape. 

Your Incident Response Plan ensures all those impacted are notified of risks, your business remains operational, and an investigation is launched to contain the attack. 

‍

NIST's Role in Incident Response

NIST provides recommendations for incident response to empower organizations to become more resilient when cyber threats or incidents occur. Their recommendations provide industry best practices based on actionable lessons learned from past incidents. Using their standardized framework, your team has access to existing NIST incident response templates ready to adapt to your needs based on a sequence of events that improve your responsiveness.

‍

NIST Incident Response Life Cycle

‍

There are four NIST incident response phases:

‍1. Preparation:

• Create and maintain a list of IT assets, prioritizing their importance based on how sensitive or critical the data and their role is
• Monitor your assets to create a baseline of normal activity for comparison
• Decide the types of security events you need to investigate
• Create detailed response steps for likely incidents

‍

2. Detection and Analysis:

• Collect data from your internal and external IT resources, systems, and security tools, in hand with publicly available information
• Identify warning signs an incident might happen and data that confirms it is either in progress or has occurred
• Analyze how related events deviate from what you established as “normal” behavior using your baselines

‍

3. Containment, Eradication, and Recovery:

‍

• Stop the attack as soon as possible to avoid containment issues and damage
• Consider the level of damage each incident can cause to create a strategy that allows you to keep critical services available
• Consider how long solutions might take such as deploying a temporary solution taking hours, or a permanent solution taking days or weeks
• Identify the attacking host and IP address to block communication
• Identify the threat actor to determine their modus operandi
• Find other channels they can access or use and block them
• Once contained, remove all elements of the incident including hosts, malware, etc.
• Close and reset passwords for all breached user accounts
• Restore systems and recover normal operations

‍

4. Post-Incident Activity:

You can improve your response policy, plan, and procedures based on the following insights:  

• How and when the event occurred
• Your incident response team’s ability to deal with the incident
• Whether everyone understands what process to follow, and their responsibilities related to the process
• How sufficient the processes were
• The information your team lacked in the earlier stages
• Whether inaction or inappropriate actions contributed to further damage or held up recovery
• The steps staff could do differently to improve the process in a similar situation
• Whether changes weren’t made following similar incidents to overcome the same issues you encountered in the most recent event and why
• Identifying new warning signs or indicators
• Listing tools or resources that could have improved your response

‍

Setting Up an Effective Incident Response Team

NIST recommends considering the following when setting up an effective incident response team:

• Choose real-time availability and on-site presence over schedules and remote work to ensure response is immediate to mitigate damage.
• Train additional team members for added support for your core team.
• Ensure you have cross-functional team members, leveraging outsourced experts to fill skills gaps. Your team can then share insights based on your IT environment, baselines to identify malicious behavior and the most critical assets to prioritize expert action.
• Cover typical roles and responsibilities, including:
  o   Team leader to bring together and coordinate incident response and keep the team focused on solving the problem.
  o   Investigative leads to collect and analyze evidence to direct the response accordingly.
  o   Communications specialist to keep internal stakeholders and teams up to date on response progress.
  o   Analysts to document and analyze team activities, monitor the networks, create timelines, and do an initial analysis of the evidence and threats.

‍

Building Your Incident Response Plan

There are four NIST incident response steps involved in building your incident response plan:

1. Risk Assessment and Identification of Critical Assets 

‍A comprehensive risk assessment identifies your critical assets so you can prioritize incident response efforts. Considerations include information such as:

• The criticality of the affected assets
• Types, and severity of different incidents
• How to preserve evidence
• How damage to each asset impacts business processes

‍

2. Developing Incident Response Procedures

Using NIST recommendations, outline your step-by-step incident response procedures from detection to action and roles and responsibilities to post-event activities.

‍

3. Testing and Training

You require ongoing testing, simulation exercises and training to ensure your steps are effective, your team is ready, and that each team member responds appropriately.   

4. Continuous Improvement

A feedback loop allows you to review your performance and identify weaknesses. Your post-event activity ensures you adapt your incident response plans based on the lessons learned. Mandatory meetings should include all relevant parties to identify every shortfall and challenge and opportunities for improvements based on hands-on experience.

‍

Best Practices for NIST Incident Response

‍

Best practices include:

• Define baseline systems and networks to understand the basics of “normal” activity that enable your team to identify breaches.
• Actively monitor for threat or vulnerability advisories such as threat landscape reporting, threat actor intents, possible targets, etc., for updates on courses of action and how to identify and block adaptive malicious behavior.
• Collect and preserve data as evidence for law enforcement and compliance, including:
  o   Incident verification
  o   Categorization
  o   Prioritization
  o   Mitigation
  o   Reporting
  o   Attribution

This information is also useful for post-event analysis to identify new indicators to further inform your response plan.

• Ensure the containment scope encompasses new signs of compromise to ensure your containment plan remains as effective as possible.
• Include a process that confirms remediation and restoration success to avoid further damage.
• Identify and protect any “blind spots” revealed from the incident to improve coverage.
• Conduct a lessons-learned analysis identifying the root cause, execution issues, and weak or missing policies and procedures.

The NIST incident response framework provides the details and best practices you need to develop an effective and constantly improving NIST Incident Response plan. Developing and implementing proactive incident response strategies is even more critical in the retail, ecommerce, and finance sectors.

Blameless helps teams streamline incident management, ranging from incident detection, role assignments, runbook checklists, retrospectives, reliability insights, and SLO management. Schedule a demo today.

‍