Incident Management Essentials

Understanding incident management is essential in today’s cyber threat landscape. Discover the basics and frameworks for effective incident response.

TL;DR

  • Prepare for cyber incidents using established frameworks.
  • Engage in continuous information sharing.
  • Categorize incidents effectively for better response.
  • Utilize trouble ticket systems to manage incidents.
  • Understand the roles related to incident response.

Incident Response Preparation is Critical

Cyber threats are inevitable, and preparation is key to minimizing damage.

With the increasing resources invested in cybercrime and state-sponsored malware, it’s inevitable that even the most cautious organizations will face an attack. The difference between minor inconvenience and disaster depends on how well-prepared the organization is to respond to the incident.

NIST Cybersecurity Framework Offers Structured Response

The NIST Cybersecurity Framework offers a structured set of control objectives under the functional area ‘Respond,’ consisting of five categories.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of control objectives under the Respond function. This consists of five categories: Planning, Communications, Analysis, Mitigation, and Improvements. The framework also includes a Recover function, which complements three of the Respond categories.

NIST SP 800-61 Guide Aligns with Framework

The NIST Special Publication SP 800-61 aligns closely with the NIST Cybersecurity Framework.

The five categories in the Cybersecurity Framework align closely with the four-stage incident handling process defined in NIST Special Publication SP 800-61, the Computer Security Incident Handling Guide. Communication is not shown as a separate stage in SP 800-61; it occurs throughout all of the stages.

Crest UK’s Three-Stage Model

Different models help structure incident management, including Crest UK’s three-stage model.

The NIST framework and SP 800-61 can also align with the three-stage model published by Crest UK, which consists of Prepare, Respond, and Follow Up. Regardless of the model used, a key aspect of incident management is information sharing.

Information Sharing is Vital

Sharing threat intelligence and operational responses is crucial during incident management.

Sharing information is crucial at all stages of incident management, including threat intelligence during preparation and operational responses during an incident. NIST established the Forum of Incident Response and Security Teams (FIRST) in 1990, which remains active today, supporting industry, government, and vendor communities.

CERTs’ Role in Incident Management

CERTs operate at national and international levels to manage and mitigate incidents.

Computer Incident Response Teams (CERTs) operate at a national level to protect government infrastructure and provide community advice on cybersecurity. For example, the US-CERT, part of the Department of Homeland Security, operates a 24/7 center to collaborate on incidents and disseminate notifications of current and potential issues. CERTs collaborate internationally through FIRST, maintaining communication channels and running training courses.

Standard Incident Categories are Helpful

Having standard incident categories helps in systematically addressing them.

Using a common language and set of templates for incidents is useful. The US-CERT defines seven categories of incidents:

  • Category 0: Cyber exercises testing network defenses.
  • Category 1: Unauthorized access to networks, systems, applications, or data.
  • Category 2: Denial-of-service events impairing network functionality.
  • Category 3: Installation of malicious software.
  • Category 4: Breach of acceptable use.
  • Category 5: Scans and probes looking for open ports, protocols, or services.
  • Category 6: Unconfirmed but potentially malicious activity requiring further investigation.

Incidents rarely present themselves in a form that can be categorized immediately; some investigation is usually needed before the right category can be assigned.

Trouble Ticket Systems Are Essential

Trouble ticket systems are vital for maintaining incident information from detection through resolution.

An important tool for incident management is the trouble ticket system, which keeps all relevant information on an event from its first being flagged as suspicious, through its confirmation as an incident, to its eventual resolution. Here’s an example of a trouble ticket system called osTicket, displaying its list of open tickets.
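To make the ticket lifecycle concrete, here is an added example (not code from the page or from osTicket) of a minimal trouble ticket in Python. It records the event from "suspicious" through "incident" to "resolved", keeps an audit history of every change, and tags each ticket with one of the seven US-CERT categories listed above. The workflow rules are assumptions for illustration: a new ticket starts as Category 6 (unconfirmed) and must be given a confirmed category before it can be declared an incident, which is the investigation step the previous section describes.

```python
"""Minimal trouble-ticket lifecycle for incident handling (illustrative only)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

# The seven US-CERT incident categories from the page (descriptions shortened).
CATEGORIES = {
    0: "Cyber exercise / network defense testing",
    1: "Unauthorized access",
    2: "Denial of service",
    3: "Malicious software installed",
    4: "Breach of acceptable use",
    5: "Scans and probes",
    6: "Unconfirmed, potentially malicious activity (needs investigation)",
}


class Status(Enum):
    SUSPICIOUS = "suspicious"  # flagged event, not yet confirmed
    INCIDENT = "incident"      # confirmed, under active response
    RESOLVED = "resolved"      # closed (handled, or closed as a false positive)


# Allowed status transitions. This workflow is an assumption, not from the page.
TRANSITIONS = {
    Status.SUSPICIOUS: {Status.INCIDENT, Status.RESOLVED},
    Status.INCIDENT: {Status.RESOLVED},
    Status.RESOLVED: set(),
}


@dataclass
class Ticket:
    ticket_id: str
    summary: str
    category: int = 6              # every new ticket starts as "unconfirmed"
    status: Status = Status.SUSPICIOUS
    history: list = field(default_factory=list)  # (timestamp, action, detail)

    def __post_init__(self):
        self._log("opened", f"category={self.category}")

    def _log(self, action: str, detail: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.history.append((stamp, action, detail))

    def categorize(self, category: int, note: str) -> None:
        """Record the outcome of investigation by assigning a category."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category}")
        if self.status is Status.RESOLVED:
            raise ValueError("cannot recategorize a resolved ticket")
        self._log("categorized", f"{self.category} -> {category}: {note}")
        self.category = category

    def transition(self, new_status: Status, note: str) -> None:
        """Move the ticket along the lifecycle, enforcing the workflow rules."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(
                f"illegal transition {self.status.value} -> {new_status.value}")
        # Assumed rule: an unconfirmed (CAT 6) event cannot be declared an incident.
        if new_status is Status.INCIDENT and self.category == 6:
            raise ValueError("assign a confirmed category (0-5) before declaring an incident")
        self._log("status", f"{self.status.value} -> {new_status.value}: {note}")
        self.status = new_status


def open_tickets(tickets):
    """The 'list of open tickets' view: everything not yet resolved, by category."""
    return sorted((t for t in tickets if t.status is not Status.RESOLVED),
                  key=lambda t: (t.category, t.ticket_id))


def demo():
    """Walk one constructed event through the full lifecycle and return the ticket."""
    t = Ticket("INC-0001", "Outbound beaconing from workstation (constructed sample)")
    t.categorize(3, "endpoint agent confirmed a trojan on the host")
    t.transition(Status.INCIDENT, "confirmed malware, containment started")
    t.transition(Status.RESOLVED, "host reimaged, credentials rotated")
    return t


if __name__ == "__main__":
    for stamp, action, detail in demo().history:
        print(stamp, action, detail)
```

The check in `transition` is what turns the page's observation that incidents usually need investigation before categorization into an enforced step: analysts cannot skip straight from a suspicious flag to a declared incident without recording what the investigation found.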

Roles in Incident Response

Key roles in incident response include the cyber defense analyst, cyber defense incident responder, and cyber defense forensics analyst.

The US Cybersecurity and Infrastructure Security Agency (CISA) runs the National Initiative for Cybersecurity Careers and Studies, which publishes the NICE Framework. The framework describes three roles related to incident response:

  • Cyber defense analyst: Runs vulnerability scans, monitors for attacks, and analyzes malware.
  • Cyber defense incident responder: Investigates, analyzes, and responds to cyber incidents.
  • Cyber defense forensics analyst: Analyzes digital evidence and investigates incidents.

Conclusion

Adequate preparation and structured response frameworks are essential for effective incident management.

Effective incident management is vital in the face of inevitable cyber threats. By preparing adequately, sharing information, categorizing incidents, utilizing trouble ticket systems, and understanding the key roles involved, organizations can significantly reduce the impact of cyber incidents. Staying informed and ready is the best defense.