Incident handling, or incident response, is an extremely important aspect of cybersecurity. It sits somewhere between proactive cybersecurity and preventive cybersecurity, kind of in the middle, but that doesn’t in any way diminish its importance to security.
In definitive terms, incident handling is a clearly defined set of steps to be taken in response to a cybersecurity incident. To get a better grasp of this, you first need to understand what an incident means in a cybersecurity context.
An incident is an event on a system or network that is capable of disrupting the normal flow of activities. So a sudden power outage or a server breach can both be classified as cybersecurity incidents.
Now that we know what incidents mean in the context of cybersecurity, let’s get to see what handling these incidents typically entails and how it is done.
NIST CSF
Incident handling, as I wrote earlier, is a clearly defined set of steps. That implies a standard which organizations and blue teamers all over the world follow when handling security incidents, and this is where NIST CSF comes into the picture.
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a framework used by security professionals on the blue team to handle incidents.
The framework is updated periodically because of the dynamic nature of the industry; the latest version is NIST CSF 2.0.
NIST CSF 2.0 differs from the earlier version in how incidents at the various levels of the framework are handled and, especially, in the addition of the ‘Govern’ function.
Let’s go over the six functions of NIST CSF 2.0 and see how each is useful in handling cybersecurity incidents.
Govern
The Govern function deals with the organization’s strategies, plans and policies that affect how security is enacted in the organization.
It is essential to set a standard for how organizations create their internal security policies, since this in one way or the other affects the security posture of the organization.
I don’t want to be biased here, but I strongly believe that this Govern function is the building block of the remaining five, and I don’t know why it took this long for it to be promoted to the league of a core function. Well, it is here already, and depending on how organizations adhere to it, especially the emphasis on supply-chain attacks, the others become more efficient.
Identify
The Identify function concerns itself with identifying those assets that are most at risk and understanding what security hardening can be applied to make them more secure.
Assets can be anything from hardware and network connecting devices, data (in all its states) and people (including non-employees) to other non-networking items (doors to servers, buildings, etc.).
Knowing these assets and classifying them into their risk ranges ensures that the appropriate security measures are kept in place and that, if an incident is detected, triaging becomes easier.
Protect
This is where the active phase of safeguarding those identified assets takes place. This function outlines methods for ensuring that the CIA triad is not compromised.
Some of these methods are access control, authentication and its types, privilege granting, etc.
With the Protect function, blue teamers get an idea of how to respond to incidents affecting active security instances.
Detect
Systems must be in place to give timely and accurate information on when an incident is taking place, or is likely to.
This function involves the use of tools like EDR, SIEM, firewall rules and IDS/IPS to actively scan networks or systems for indicators of compromise, send alerts to the appropriate team and, in some cases, block them, as a firewall or IPS does.
Detection must happen before an immediate response can take place.
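To make the Identify and Detect functions concrete, here is a small added example (it is not code from the original post or from NIST). It scans constructed log lines for constructed indicators of compromise and orders the resulting alerts by the risk tier the Identify step assigned to each asset, so triage starts with the most critical host. Every hostname, IP address, hash and log line below is made up for illustration; a real deployment would pull the inventory from an asset database and the indicators from a threat-intelligence feed.

```python
"""Added example, not part of the original post: a tiny detector in the spirit
of the Identify and Detect functions. It scans constructed log lines for
constructed indicators of compromise (IoCs) and ranks the resulting alerts by
the risk tier the Identify step assigned to each asset, so triage starts with
the most critical host. Every hostname, IP, hash and log line here is made up."""
from dataclasses import dataclass
import re

# Identify: asset inventory with the risk tier each host was classified into.
# (Constructed values; a real inventory would come from a CMDB or similar.)
ASSET_TIERS = {
    "db01.example.test": "critical",
    "web01.example.test": "high",
    "laptop-042.example.test": "low",
}
TIER_RANK = {"critical": 3, "high": 2, "low": 1}  # hosts not in the inventory rank 0

# Detect: indicators of compromise to match against log lines (constructed,
# not real threat intelligence).
IOC_IPS = {"203.0.113.45"}
IOC_HASHES = {"deadbeef" * 8}  # placeholder 64-hex-char "sha256"

# Expected log shape: "<timestamp> host=<hostname> <free-text message>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<msg>.*)$")


@dataclass
class Alert:
    ts: str
    host: str
    tier: str
    reasons: list


def find_iocs(msg: str) -> list:
    """Return a human-readable reason for every IoC found in one log message."""
    reasons = []
    for ip in IOC_IPS:
        # Anchor on non-digit/non-dot boundaries so 203.0.113.45 does not
        # match inside 203.0.113.450.
        if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", msg):
            reasons.append(f"known-bad IP {ip}")
    for digest in IOC_HASHES:
        if digest in msg.lower():
            reasons.append(f"known-bad hash {digest[:12]}...")
    return reasons


def detect(lines) -> list:
    """Scan log lines, raise one Alert per line that hits an IoC, and order the
    alerts by asset criticality (highest tier first) to guide triage."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the pipeline
        reasons = find_iocs(m["msg"])
        if reasons:
            host = m["host"]
            alerts.append(Alert(m["ts"], host, ASSET_TIERS.get(host, "unknown"), reasons))
    # sorted() is stable, so alerts with equal tiers keep their log order
    return sorted(alerts, key=lambda a: TIER_RANK.get(a.tier, 0), reverse=True)


# Constructed sample logs: three lines contain an IoC, one is clean, one is malformed.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z host=laptop-042.example.test outbound tcp to 203.0.113.45:443",
    "2024-05-01T10:00:05Z host=web01.example.test GET /index.html 200",
    "2024-05-01T10:01:00Z host=db01.example.test process start sha256=" + "deadbeef" * 8,
    "2024-05-01T10:02:00Z host=kiosk-7.example.test dns answer 203.0.113.45",
    "this line does not follow the expected format",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"[{alert.tier:>8}] {alert.ts} {alert.host}: {'; '.join(alert.reasons)}")
```

Run as a script, it prints the database host first, the low-tier laptop second and the unknown kiosk last, which is the triage order the Identify classification is meant to produce. The host missing from the inventory is still alerted on but ranked lowest, a reminder that an incomplete asset list degrades detection as much as a missing indicator does.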
Respond
When a cybersecurity incident occurs, it must be promptly contained to prevent it from spreading and causing more harm; this is what the Respond function deals with.
It involves the techniques used to respond to incidents, some of which include the use of the organization’s playbooks, mitigation, escalation and triaging.
If a power outage suddenly happens, the team in charge should promptly inform those responsible for power; that is a form of communication which, under NIST CSF, falls into the Respond function. Oftentimes, what to do under this function is outlined in the playbook, which is a valuable tool in incident response.
Recover
After the response to a security incident, recovery must begin. Its duration isn’t fixed, and it is often the longest phase. Data from backups is retrieved, systems that were shut down are turned back on, and critically infected devices can either be permanently removed and replaced or brought back, if they have thoroughly passed safety checks.
Additions:
Certain methods overlap across the six functions. Investigation, for instance, can be done at any of the core functions if there is need for it. Sometimes, even after the entire incident has been handled and the recovery stage is past, an investigation can be called for to verify certain unclear things regarding the incident.
To view the CSF document, check here.
Ending Notes
Incident handling can be quite complex, but when followed duly, especially with this framework, the jargon gets stripped away and clarity begins to set in.
As a piece of advice, it is better to be prepared and to constantly review all laid-down steps, as the industry grows by the hour. Besides, you can still make slight modifications to how incident handling is done under the NIST framework to better suit your organization; that’s the flexibility it offers.