NIST Recommendations for Computer Security Incident Handling

NIST Recommendations for Computer Security Incident Handling

Computer security incident response is a very important component of information technology programs. Because performing incident response effectively is a complex and time-consuming task, establishing a successful incident response capability requires substantial planning and resources. The NIST Computer Security Incident Handling Guide provides in-depth guidelines on how to build an incident response capability within an organization.

So, in this blog, we will talk about steps defined by NIST to approach Security Incidents Handling. The NIST incident response lifecycle breaks incident response down into four main steps: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity

Now, let’s take a look at each step individually.

 

1.Preparation:

NIST’s Incident response methodologies typically emphasize the preparation part by giving many guidelines for establishing an incident response capability so that the organization is ready to respond to incidents when needed. Along with that it also emphasizes preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.

The below image provides the starting point that is very useful during the preparation of incident handling.

Keeping the number of incidents sensibly low is vital to secure and protect the business processes of the organization. Incident response teams are generally not responsible for securing resources, but they may be able to identify problems that the organization is not mindful of. This can be very significant for risk assessment as it helps to identify gaps.

The National Software Reference Library (NSRL) Project maintains records of hashes of various files, including operating system, application, and graphic image files. The hashes can be downloaded from http://www.nsrl.nist.gov/. 

 

2.Detection and Analysis:  

The most challenging part of the incident response process is accurately detecting and assessing possible incidents. To make it more manageable we can look into signs of an incident.

Once an incident is detected, every organization should have step-by-step instructions to be prepared to handle any incident. Incident can happen in countless ways, but some common attack vectors are covered here, which can be a starting point in the development of specific handling procedures.

When an alert is suggesting that an incident has occurred, the team should rapidly perform an initial analysis to determine the incident’s scope. Performing the initial analysis and validation is very challenging, so we have covered some basic recommendations.

Immediately after an incident is suspected, it should be documented properly.

The most critical decision point in the incident handling process is to Prioritize how an incident handling will take place. According to NIST, Incidents should not be handled on a first-come, first-served basis, because it will result in resource limitations. Instead, it should be prioritized based on the relevant factors, such as the following:

When an incident is analyzed and prioritized, the incident response team needs to notify the appropriate people so that all who need to be involved will play their roles. The exact reporting requirements can vary in every organization, but we have a list of people that are generally notified.

 

 3.Containment, Eradication, and Recovery: 

Once an incident is detected, it can easily overwhelm resources and that may increase damage. That’s where containment comes, as it provides time for developing a step-by-step remediation strategy. An essential part of containment is decision-making (for example, which system to shut down, which system should be disconnected from a network, which functions should be disabled for how much time etc…).

After an incident has been contained, Eradication and recovery should be done in a phase because at that time all the remediation steps need to be prioritized. For large-scale incidents, recovery may take several weeks to months. So, the early phases of recovery should only be focused on increasing the overall security with relatively quick (days to weeks) high-value changes to prevent future incidents.

 

 4.Post-Incident Activity : 

The last part of the NIST incident response methodology is learning from previous incidents to improve the process. So after remediating an incident, the organization should take steps to identify and implement any lessons learned from that incident.

Lessons learned activities should produce a set of objective and subjective data regarding each incident. Over time, the collected incident data can be useful in identifying security weaknesses and threats, as well as changes in incident trends. This data can also help develop the risk assessment process, which all can help in the determination and execution of extra controls.

 

Incident Handling Checklist:

The checklist provided the following covers the major steps to be performed in the handling of an incident. Actual steps performed may vary based on the type of incident and the nature of individual incidents, but this can be taken as a guideline provided by NIST.

 

Recommendations:

The key recommendations presented in the NIST document for handling incidents are summarized below.

 

References:

https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

89 Comments

  1. Pingback: do my essay for cheap
  2. Pingback: essay writing services online
  3. Pingback: national honor society essay help
  4. Pingback: custom essays writing service
  5. Pingback: english literature essay help
  6. Pingback: cheap essay writer service
  7. Pingback: website for essay writing
  8. Pingback: buy argumentative essay
  9. Pingback: help write essay online
  10. Pingback: cheap essay writers
  11. Pingback: essay writer service
  12. Pingback: best mba essay editing service
  13. Pingback: online pharmacy generic viagra
  14. Pingback: online pharmacy no prescription needed percocet
  15. Pingback: cialis online pharmacy no prescription
  16. Pingback: percocet indian pharmacy
  17. Pingback: botox online pharmacy
  18. Pingback: tadalafil tablets 20 mg side effects
  19. Pingback: sildenafil 100mg mexico
  20. Pingback: cialis over the counter at walmart
  21. Pingback: elitenet tadalafil
  22. Pingback: lowest price generic viagra
  23. Pingback: buy tadalafil cheap online
  24. Pingback: seldenafil
  25. Pingback: where can i buy viagra online in canada
  26. Pingback: sildenafil otc australia
  27. Pingback: viagra generic canada price
  28. Pingback: is generic cialis available in canada
  29. Pingback: buying cheap cialis online
  30. Pingback: tadalafil 2o mg cvs
  31. Pingback: indian pharmacy provigil
  32. Pingback: pharmacy no prescription required
  33. Pingback: viagra tablet price online
  34. Pingback: when will generic cialis be available in the us
  35. Pingback: 100mg sildenafil no prescription
  36. Pingback: cialis coupon online
  37. Pingback: review of tadalafil
  38. Pingback: inhouse pharmacy accutane
  39. Pingback: buy canadian generic viagra online
  40. Pingback: where to buy viagra in canada
  41. Pingback: female viagra tablet price
  42. Pingback: buy viagra australia online
  43. Pingback: order cheap viagra
  44. Pingback: how to buy viagra online in canada
  45. Pingback: is there generic cialis
  46. Pingback: cialis without a doctor prescription reddit
  47. Pingback: buy dapoxetine with cialis
  48. Pingback: how long does tadalafil take to work
  49. Pingback: gabapentin sciatica
  50. Pingback: bactrim yasmin
  51. Pingback: grafazol metronidazole
  52. Pingback: valtrex contains
  53. Pingback: lyrica tolerance
  54. Pingback: tamoxifen hitzewallung
  55. Pingback: lisinopril estrogen
  56. Pingback: furosemide infants
  57. Pingback: metformin mellékhatása
  58. Pingback: semaglutide vs liraglutide
  59. Pingback: cost rybelsus
  60. Pingback: rybelsus uses and side effects
  61. Pingback: switching from lexapro to zoloft
  62. Pingback: can you take keflex for ear infection
  63. Pingback: cymbalta and lupus
  64. Pingback: duloxetine overdose amount
  65. Pingback: doxepin gabapentin
  66. Pingback: cheap viagra australia fast delivery
  67. Pingback: azithromycin names
  68. Pingback: allergic reaction to cephalexin
  69. Pingback: smz/tmp ds tab 800-160 same as bactrim
  70. Pingback: what does amoxicillin treat
  71. Pingback: over the counter flexeril
  72. Pingback: augmentin 625
  73. Pingback: amitriptyline generic
  74. Pingback: can you take colchicine and allopurinol together
  75. Pingback: what are the side effects of baclofen
  76. Pingback: what is celecoxib taken for
  77. Pingback: bupropion pregnancy
  78. Pingback: augmentin
  79. Pingback: is diltiazem an ace inhibitor
  80. Pingback: associazione metformina e repaglinide
  81. Pingback: protonix ingredients
  82. Pingback: effexor dose range
  83. Pingback: tizanidine prices
  84. Pingback: abilify alternatives
  85. Pingback: robaxin and percocet high
  86. Pingback: actos racionales
  87. Pingback: venlafaxine cost without insurance cvs
  88. Pingback: remeron contraindications
  89. Pingback: sitagliptin with glipizide

Comments are closed.

Copyright © 2023 Clear Infosec. All Rights Reserved.