Introduction to Incident Response

Hello friends! I need to apologize for my disappearance a few weeks, or maybe months, back. Happy new year everybody, and happy lunar new year to those who are celebrating.


Let me tell a short story about what I have been doing for the last couple of weeks. I am now working as a cyber risk assurance consultant associate, and I am in charge of a client engagement to do a cybersecurity assessment using NIST; you can see the resources here. Anyway, I am only responsible for the last 2 parts of the framework, the “respond & recover” domain. Because of that, I have read some documents, and I hope that in this post and several posts ahead I can sum up some valuable information (based on my understanding, of course) in a more casual way. I hope you enjoy reading! Let’s get started.

Incident response and recovery does not stand on its own. It is tied to the previous domains of the NIST CSF (“identify”, “protect”, “detect”). The context is this: you have identified all your assets and understood which of them are your crown jewels. You then try to protect them by employing controls such as encryption, an SSDLC, and so on. However, you know these controls will not be sufficient, since the cyber world is developing rapidly, and you acknowledge that one day a control will fail to guard your assets, especially the crown jewels. With that in mind, you set up detection capabilities so you can recognize when your organization is under attack and respond in a timely manner (fingers crossed that we can stop it immediately). If things do go bad, you are ready to respond and to recover the situation as quickly as possible so that the impact on the organization is minimized.

That is a brief view of the framework. As you know, the best response to an incident is to prevent it from happening in the first place, or to recognize it sooner, so we do not have to deal with losses at all.

If we lift “incident response and recovery” out of the framework and look at it on its own, we are talking about how to minimize the impact when an incident occurs by ensuring our readiness to handle it.

For this series, an incident is any activity driven by malicious intent that disrupts the CIA triad: confidentiality, integrity, and availability. (NIST SP 800-61 defines an incident a bit more broadly, as a violation or imminent threat of violation of security policies, acceptable use policies, or standard security practices, so a non-malicious policy violation can still count as an incident there.) Please keep in mind that a disaster, which is usually caused by non-malicious events or even natural causes, is largely out of the scope of this domain. It fits a little under the “recover” domain, but not under the “respond” domain.

Based on the NIST CSF (v1.1), the “respond” domain has 5 categories with 16 sub-categories and the “recover” domain has 3 categories with 6 sub-categories. This series will not go through them one by one, because that would be boring; instead, it will explain them holistically so we can see the correlation between the categories and sub-categories in both domains. Based on my understanding, all of the sub-categories help us to ensure our readiness.

Anyway, please keep in mind that my understanding might change in the future, since I am still growing and trying to understand more and more deeply. If there is any revision, I will post the updates and announce them to you. So that is it for the introduction; see you in the next post!