NIST 800-61 – Detection and categorisation of incidents based on impact and recoverability.

Detection: Recognizing the Signs of an Incident

Detection is the first crucial step in handling security incidents. The effectiveness of detection largely depends on the tools and systems you have in place, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls. The level of logging and monitoring also plays a significant role. For instance, in cloud environments like Office 365, the extent of available logging depends on your subscription type, which can significantly impact your detection capabilities.

Local systems offer more control and flexibility. One of the recommended practices is enabling Sysmon (System Monitor) on Windows environments. Sysmon provides extensive logging capabilities, helping to capture detailed information about system activity. This additional logging can be invaluable during incident response, giving you a clear view of what transpired during an incident.

Information Impact: Assessing the Damage

Understanding the impact of an incident on your information assets is essential. The information impact can be categorized as follows:

  1. None: No information was exfiltrated, changed, or deleted.
  2. Privacy Breach: Sensitive, personally identifiable information (PII) was accessed or exfiltrated.
  3. Proprietary Breach: Unclassified proprietary information, such as protected critical infrastructure data, was accessed or exfiltrated.
  4. Integrity Loss: Sensitive or proprietary information was changed or deleted.

These categories help in determining the severity of the incident and the necessary response actions.

Recoverability: Evaluating Your Recovery Efforts

Recoverability is a crucial aspect often overlooked in incident handling. It refers to how well you can restore normal operations after an incident. NIST categorizes recoverability into four levels:

  1. Regular: Recovery is predictable with existing resources.
  2. Supplemented: Recovery is predictable with additional resources.
  3. Extended: Recovery is unpredictable, requiring additional resources and external help.
  4. Not Recoverable: Recovery is not possible, such as when sensitive data is exfiltrated and publicly posted.

Understanding these categories helps organizations plan their response and allocate resources effectively.

Escalation Process: Knowing When to Call for Help

The escalation process is vital in ensuring that incidents are managed promptly and effectively. Once an alert is received, the following considerations are crucial for escalation:

  • Severity of the Incident: How severe is the incident?
  • Impact of the Incident: What is the potential damage?
  • Types of Data Involved: What kind of data is affected?
  • Response Time: How quickly is the incident being addressed?

If the initial response team cannot manage the incident, it may be necessary to escalate it to higher management or involve external experts. This ensures that the incident is prioritized and addressed promptly.

Incident Notification: Who Needs to Know?

Effective communication is essential during an incident. Identifying the parties that need to be notified and the appropriate timing is crucial. The hierarchy of notification typically includes:

  • CIO
  • Head of Information Security
  • Local Information Security Officer
  • External Incident Response Teams (if applicable)
  • System Owners
  • Human Resources (for employee-related incidents)
  • Public Relations
  • Legal/Office of General Counsel
  • External Parties like AusCERT
  • Law Enforcement

Notification methods can vary from emails and phone calls to public notices, depending on the nature and severity of the incident.
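The impact and recoverability categories above, together with the escalation considerations and notification hierarchy, can be turned into a small triage routine. This is an added example, not code from the original post; the scoring, the 4-hour response threshold and the mapping from categories to notified parties are an assumed illustrative policy, not something NIST prescribes.

```python
from dataclasses import dataclass
from enum import Enum


class InformationImpact(Enum):
    """NIST 800-61 information impact categories (values used for scoring)."""
    NONE = 0                # nothing exfiltrated, changed or deleted
    PRIVACY_BREACH = 1      # PII accessed or exfiltrated
    PROPRIETARY_BREACH = 2  # unclassified proprietary data accessed or exfiltrated
    INTEGRITY_LOSS = 3      # sensitive or proprietary data changed or deleted


class Recoverability(Enum):
    REGULAR = 0          # predictable with existing resources
    SUPPLEMENTED = 1     # predictable with additional resources
    EXTENDED = 2         # unpredictable; needs extra resources and external help
    NOT_RECOVERABLE = 3  # e.g. exfiltrated data already posted publicly


@dataclass
class Incident:
    title: str
    impact: InformationImpact
    recoverability: Recoverability
    employee_related: bool = False
    hours_unaddressed: float = 0.0  # time since the alert with no response


def triage(inc: Incident, sla_hours: float = 4.0) -> dict:
    """Derive priority, escalation and notification list; thresholds are an assumed policy."""
    # Combine the two NIST categories into a simple 0..6 priority score.
    score = inc.impact.value + inc.recoverability.value
    # Escalate when the initial team is unlikely to cope: recovery needs
    # external help, or the response has already outrun the SLA.
    escalate = (inc.recoverability.value >= Recoverability.EXTENDED.value
                or inc.hours_unaddressed > sla_hours)
    notify = ["Local Information Security Officer", "System Owners"]
    if inc.impact is not InformationImpact.NONE:
        notify += ["Head of Information Security", "CIO"]
    if inc.impact is InformationImpact.PRIVACY_BREACH:
        notify += ["Legal/Office of General Counsel", "Public Relations"]
    if inc.employee_related:
        notify.append("Human Resources")
    if escalate:
        notify += ["External Incident Response Teams", "External Parties like AusCERT"]
    return {"priority": score, "escalate": escalate, "notify": notify}


# Constructed sample: PII exfiltrated by an insider and already posted publicly.
SAMPLE = Incident("HR database leak", InformationImpact.PRIVACY_BREACH,
                  Recoverability.NOT_RECOVERABLE, employee_related=True)
```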
