Understanding Incident Response Frameworks - NIST & SANS

The term Incident Response refers to the processes and policies an organization utilises in response to a cyber incident such as an attack or data breach. The goal of Incident Response is to mitigate the damage of an attack i.e. reduce the recovery time, effort, costs and reputational damage associated with a cyber-attack or data breach. Apart from mitigating various consequences of a cyber attack, the process of Incident Response can help organizations prevent future attacks that threaten their information security. 

Every organization should have an Incident Response or IR plan that helps them identify, contain and eliminate cyberattacks. IR plans outline what constitutes an attack and provide organisations with a clear guide on what steps should be taken if an incident were to occur. 

Incident Response Frameworks

The purpose of an Incident response framework is to assist organizations with the creation of standardized response plans. These frameworks are commonly developed by large organizations with a significant amount of security expertise and experience. Two of the most well-known examples are the Incident Response Frameworks created by the National Institute of Standards and Technology (NIST) and the SysAdmin, Audit, Network and Security Institute (SANS). Below is an outline of each of these Incident Response Frameworks: 

Lock Down Your Cybersecurity & Compliance

Protect, Certify & Grow Your Business

Make sure your business is prepared in event of a security incident, and avoid the financial, reputational and legal repercussions associated with a cyber breach or attack. StickmanCyber can help build a robust incident response plan for your business.


NIST Incident Response Framework

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories. As part of their cybersecurity initiatives they created an Incident Response Framework, which quickly became one of the most popular solutions for organizations around the world. The framework provides organizations with detailed steps on how to create an incident response plan, form an incident response team, communication procedures as well as training scenarios for employees

The Incident Response Cycle 

NIST defines a four-step process for incident response, the process puts emphasis on the fact that incident response is not a linear process that starts when an incident is detected and ends with eradication and recovery. Instead, incident response is a cyclical activity, a process of continuous learning and improvement to discover how to better defend the organization against cyber attacks.

The four steps of NIST Incident Response:

#1 Preparation 

This involves organizations doing a thorough inventory of their IT infrastructure including, networks, servers and endpoints, and evaluating their importance. To evaluate importance organizations need to judge which IT assets hold critical or sensitive information. Along with this, organizations need to create a baseline for normal activity through monitoring. As part of preparation, security teams also need to create a guide for how to deal with common types of incidents and identify which types of incidents require thorough investigation.  

#2 Detection and Analysis 

Detection involves collecting data from IT systems, security tools, publicly available information and people inside and outside the organization, and identifying signs that an incident may happen in the future (precursors) and data showing that an attack has happened or is happening now (Indicators).

The analysis involves identifying a baseline or normal activity for the affected systems, correlating related events and seeing if and how they deviate from normal behaviour.

#3 Containment, Eradication, and Recovery

The goal of containment is to limit the impact of a security incident, without proper containment incidents can spread across an organisation's systems and networks, giving unlimited access to malicious actors. An organization’s containment strategy can depend on the level of damage an incident can cause, the ability to continue servicing customers, the ability of employees to continue operating and the duration of the solution. Depending on these factors organizations may decide to utilise a temporary solution versus a permanent one. 

After the incident has been successfully contained, organizations are required to eradicate the incident, this can be achieved by removing all elements of the incident from the environment. For example, identifying all affected hosts, removing malware, and closing or resetting passwords for breached user accounts are examples of eradication. 

Finally, once the threat is eradicated, restore systems and recover normal operations as quickly as possible, taking steps to ensure the same assets are not attacked again.

#4 Post-Incident Activity

A key part of the NIST Incident Response methodology is learning from incidents to improve the overall response process. Security teams need to ask questions surrounding the incident response process such as: What happened? How well did we deal with the incident? Were processes followed and did they suffice? What went wrong in the response process? What can we do differently next time? Etc. These are a few examples of questions that can be asked during post-incident activity, answers can be used to improve the process, adjust an organization’s incident response policy, plan, and procedures as well as fine-tune research undertaken in the preparation stage of the cycle. 

SANS Incident Response Framework

The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. One of the main contributions the SANS Institute has made to cybersecurity is their Incident Response Framework, which has also garnered praise from organizations around the world for its comprehensiveness. The SANS Institute published a 20-page handbook that lays out a structured 6-step plan for incident response. Below is a brief summary of the process.

The SANS Incident Response Process consists of five steps:

#1 Preparation 

This involves organizations performing reviews over their security policy, which typically involves risk assessments to identify vulnerabilities, sensitive assets and areas of focus in terms of security incidents. In this stage organizations also work towards forming a Computer Security Incident Response Team or CSIRT in short. 

#2 Identification 

In this stage, security teams monitor systems and networks to identify any suspicious activity taking place during day to day operations, in the hopes of discovering any premature security incidents. If an incident is to be discovered, security teams should document everything, e.g. the nature of the attack or it’s origin. 

#3 Containment 

If an Incident is identified the next step that follows is containment, security teams need to work towards isolating the attack and preventing it from spreading. This can involve segmenting a network under attack as part of short term containment. Once short term measures are in place, security teams can focus on long term solutions or fixes which may involve rebuilding entire systems. 

#4 Recovery 

This step involves bringing back affected systems that were taken down over the period of the incident. Security teams should test and monitor affected systems to ensure that attacks don’t repeat and that normal functionality is achieved.  

#5 Lessons Learned

Shortly after the attack, teams need to look back and evaluate how the incident was handled and analyse how the incident response process can be improved for future incidents. 

Now that you know about IR frameworks, you can take a look at some of the incident response best practices that organisations should follow.

Does your company currently have an incident response plan in place? StickmanCyber's expert team can help review your current cybersecurity setup and set up the right incident response plan to secure your business.

The First Step is Crucial. Start with a Cybersecurity Assessment

Where are you at your cybersecurity maturity journey? Get an assessment of your current security posture and identify the gaps and challenges that you need to act upon.


Similar posts


Optus has been hit with a major cyber attack

In today’s world businesses around the world as well as in Australia, face increasingly sophisticated and innovative cybercriminals targeting what matters most to them; their money, data and reputation. Download our guide to learn everything you need to know about the Optus Data Breach, as well as the nine steps every business around the world and in Australia needs to take to avoid being next.