NIST Incident Response Plan & Playbook

Cyber Security Incidents – 2020 Statistics

  • Business Email Compromise / Email Account Compromise scams cost $26 billion (as per the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) report)
  • More than $3.5 billion was lost to global cybercrime last year – FBI IC3 2019 Internet Crime Report
  • Thanks to its global products, Apple is the ‘apple’ of brand-impersonation attackers’ eyes. The others are Netflix and Yahoo; the trinity accounts for 25% of brand impersonation attacks.
  • Online payment fraud is estimated to reach $25 billion annually by 2024
  • Approximately $1.4 million per attack can be saved by businesses’ cyber security prevention efforts
  • In 2019, 94% of malware was delivered by email. (Verizon)
  • Global spending on cybersecurity is expected to reach $133.7 billion in 2022. (Gartner)
  • 71% of breaches were financially motivated and 25% were motivated by espionage. (Verizon)

What is Cyber Security Incident Response and Management?

Simply defined, cyber security incident response is the systematic and effective approach, or methodology, for responding to and recovering from cyber security incidents, breaches and cyber threats.

The core objective of cyber incident response procedures and management is to give IT and security professionals a well-defined, managed approach to identify and address cyber-attacks and to minimize and remediate their cost.

A typical high-level incident response process

By the same token, an incident response plan (discussed in the following sections) is very useful for fixing the root cause so that future attacks are prevented and damage control and reduction are planned rather than improvised.

Who is responsible for Cyber incident response activities?

A Computer Security Incident Response Team (CSIRT) is a centralized function or group (an organizational entity of one or more staff) that takes care of cyber incident response and management activities.

The CSIRT comprises professionals from several disciplines (IT staff, human resources, legal, public relations, etc.) who handle the various problems that could arise during or from an incident, respond to computer security incidents, and work to keep them from recurring.

What is the purpose or goal of incident management?

How well you manage a cyber incident directly affects your data, public trust, reputation and potential business loss.

The immediate response, also known as triage, can lessen the risk of becoming the victim of a security breach, and this makes it a critical part of a successful security program.

Computer Security Incident Response Team Development and Evolution

The primary goal of the cyber incident management process within an IR plan is to resolve incidents by managing the lifecycle of all events, and to restore business processes and service operation quickly.

Step-by-step incident response instructions help in:

  1. Getting back to normal business operations
  2. Minimizing losses by responding rather than reacting
  3. Resolving vulnerabilities quickly
  4. Being ready, with robust security in place, for the impact of a security incident

NIST Incident Response Team Models

The role of a computer security incident response team (CSIRT) is to achieve excellence in detection, containment and eradication of a computer security event or incident.

CSIRT roles and responsibilities make sure that potential cybersecurity-related emergencies do not lead to any damage to critical data, assets, and information systems.

Equally important, the security incident team also carries out response and recovery activities. And who does this? NIST SP 800-61 suggests three CSIRT models for computer security incident handling:

  1. Central team
  2. Distributed teams
  3. Coordinating team

The key differentiator between the three NIST incident response team models is the size of the organization and the number and geographical spread of its branches.

Understanding NIST Incident Response Team Structures

Just as every organization takes a different approach, NIST incident response teams also differ – according to company size and geographical presence.

  • Central Incident Response Team
  • Distributed Incident Response Teams
  • Coordinating Team

What is Central Incident Response Team?

As the name suggests, it is one central team within an organization that takes care of all incident response-related activities itself.

What are Distributed Incident Response Teams?

This model is not ‘centralized’; it has multiple teams, hence ‘distributed’. In this incident handling team structure, incident responders work in separate teams and each team takes care of one division (for example, a particular IT infrastructure or department).

This gels well with computing resources that are spread over a wide area or many locations, i.e. that do not reside in one place.

What is a coordinating incident response team model?

In this model the teams are ‘coordinated’. It means there is no ‘boss team’, and every incident response team works in tandem with the other incident response teams. No tussle, no friction, and no authority of one team over another.

Now that we have some idea of NIST incident response teams and their structures, let us dive deeper into the phases of incident response suggested by NIST.

NIST Incident Response Steps

There are four important phases in the NIST cyber security incident response lifecycle.

  • Step 1 – Preparation
  • Step 2 – Detection and Analysis
  • Step 3 – Containment, Eradication, and Recovery
  • Step 4 – Post-Incident Activity

NIST IR Step #1 - Preparation

NIST Special Publication (SP) 800-61 “Preparation” phase

This initial phase is all about being well-prepared to handle and prevent security incidents.

Cyber Incident Response Preparation

It is very important to plan incident response methodologies well in advance. Preparation reduces the probability of an incident occurring, and this ‘readiness’ helps minimize loss and destruction when one does occur.

So, implementing controls based on the results of risk assessments (which identify potential system vulnerabilities) holds the key. Equally important is the security of systems, networks and applications.

An organization’s preparedness to respond to incidents is reflected in its selection of the right tools and the right processes before an incident occurs. One thing that should not be ignored in the ‘Preparation’ phase is the security of your ‘crown jewels’ – the assets that need to be kept away from the prying eyes of attackers.

NIST IR Step #2 - Detection and Analysis

NIST SP 800-61 “Detection and analysis” phase

Cyber Incident Detection and Analysis

This is where you become James Bond.

The incident response teams ‘detect’ signs of an incident, irregular activities and potential attack vectors.

This leads to incident analysis, which determines whether an event is actually an incident, i.e. whether it is serious enough to affect the confidentiality, integrity or availability (CIA) of an information system.

This not only helps in prioritizing the order in which incidents are handled but also helps in understanding them well enough to take care of the affected systems.

NIST IR Step #3 - Containment, Eradication, and Recovery

By this stage, we have a fair idea of how incidents are identified and prioritized.

So the next step is ‘Containment’, which is about keeping the incident under control and within limits so that it does no further damage.

NIST Incident Response - Step 3 - Containment, Eradication, and Recovery

This is crucial to understanding the severity of the incident and the damage it could cause. Identifying the attacker’s host and IP address not only yields crucial information about the threat actor but also helps find the application, within the network, that the attacker is trying to get into.

It is time to switch to Eradication and Recovery

Right after the incident is contained, the IR team is all set to remove the vulnerabilities from the environment.

Be it dealing with affected hosts, removing malware, or simply resetting passwords – the process takes care of the breach and gets systems back to a known-good state.

The cyber security incident response cycle from the NIST guidelines gives you a structure for dealing with an incident; we will now go into more detail. Note that just because you have an alert, you do not call the entire incident response team together.
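The Detection and Analysis discussion above says an event only becomes an incident when it affects confidentiality, integrity or availability, and that incidents are then handled in priority order; the sentence just above adds that not every alert should pull the whole team together. The following triage routine, an added example that is not code from the original page or from NIST, puts those two ideas into working form. It scores each alert against the three prioritization factors NIST SP 800-61 rev. 2 lists (functional impact, information impact, recoverability); the numeric weights, the escalation threshold and the alerts in SAMPLE_ALERTS are this example’s own constructed assumptions, since NIST provides the categories but no numbers.

```python
"""
Alert triage for the NIST SP 800-61 "Detection and Analysis" step.

Each alert is classified as event or incident, scored against the three
NIST SP 800-61 rev. 2 prioritisation factors, and routed either to the
on-call analyst or to the full CSIRT. Weights, threshold and sample
alerts are constructed for this example, not taken from NIST.
"""
from dataclasses import dataclass
from typing import List

# Functional impact: effect on the organisation's ability to provide services.
FUNCTIONAL_IMPACT = {"none": 0, "low": 1, "medium": 2, "high": 3}
# Information impact: effect on the confidentiality/integrity of data
# (assumed weights; NIST names the categories only).
INFORMATION_IMPACT = {"none": 0, "privacy_breach": 2,
                      "proprietary_breach": 2, "integrity_loss": 3}
# Recoverability: effort needed to recover from the incident.
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2,
                  "not_recoverable": 3}

# Priority at or above which the whole CSIRT is called together (assumed).
ESCALATION_THRESHOLD = 5


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str              # detection source, e.g. "ids", "edr", "email-gateway"
    description: str
    functional_impact: str   # key into FUNCTIONAL_IMPACT
    information_impact: str  # key into INFORMATION_IMPACT
    recoverability: str      # key into RECOVERABILITY


@dataclass(frozen=True)
class TriageResult:
    alert_id: str
    is_incident: bool
    priority: int
    escalate: bool
    handler: str


def priority_score(alert: Alert) -> int:
    """Sum of the three NIST factor weights; higher means handle sooner."""
    return (FUNCTIONAL_IMPACT[alert.functional_impact]
            + INFORMATION_IMPACT[alert.information_impact]
            + RECOVERABILITY[alert.recoverability])


def triage(alert: Alert, threshold: int = ESCALATION_THRESHOLD) -> TriageResult:
    """Decide whether an event is an incident, how urgent it is, and who handles it."""
    # An event only becomes an incident when it actually affects the
    # confidentiality, integrity or availability of a system.
    is_incident = (FUNCTIONAL_IMPACT[alert.functional_impact] > 0
                   or INFORMATION_IMPACT[alert.information_impact] > 0)
    priority = priority_score(alert) if is_incident else 0
    # Only high-priority or unrecoverable incidents pull in the full team.
    escalate = is_incident and (priority >= threshold
                                or alert.recoverability == "not_recoverable")
    if escalate:
        handler = "full CSIRT"
    elif is_incident:
        handler = "on-call analyst"
    else:
        handler = "log and close (event, not an incident)"
    return TriageResult(alert.alert_id, is_incident, priority, escalate, handler)


def triage_queue(alerts: List[Alert]) -> List[TriageResult]:
    """Return triage results ordered so the most serious incidents come first."""
    return sorted((triage(a) for a in alerts), key=lambda r: r.priority, reverse=True)


# Constructed sample alerts for illustration only.
SAMPLE_ALERTS = [
    Alert("A-1001", "ids", "Port scan from one external IP, all probes dropped by the firewall",
          "none", "none", "regular"),
    Alert("A-1002", "email-gateway", "Phishing campaign reached 40 mailboxes; one user submitted credentials",
          "low", "privacy_breach", "supplemented"),
    Alert("A-1003", "edr", "Ransomware encrypting shares on the main file server",
          "high", "integrity_loss", "extended"),
    Alert("A-1004", "dlp", "Bulk export of customer records from the CRM database by a service account",
          "medium", "privacy_breach", "supplemented"),
]

if __name__ == "__main__":
    for r in triage_queue(SAMPLE_ALERTS):
        print(f"{r.alert_id}: priority={r.priority} incident={r.is_incident} -> {r.handler}")
```

The port scan that the firewall already dropped is logged and closed as an event, the phishing alert goes to the on-call analyst, and only the ransomware and the bulk data export reach the escalation threshold that convenes the full CSIRT. The weights are the knob to tune: an organization whose crown jewels are customer data would raise the information-impact weights so that any privacy breach escalates regardless of functional impact.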

NIST SOP (Standard Operating Procedure)

NIST IR Step #4: Post-Incident Activity

NIST “Post-incident activity phase”

The last stage of the NIST incident response lifecycle is about “lessons learned”, also known as the postmortem: learning what security incident actually happened, why it happened, and what measures could prevent such incidents from occurring in future.

Incident Management and Control Process Example

The purpose is not to assign blame but to ask the following important questions:

Incident Response Time

Did the computer security incident response team invest enough time to analyze and close the security incident case(s)?

Incident Response Team

How did the Security Incident Response Team perform? How efficiently did the team staff deal with the incident?

Incident Response Documentation

Were proper documentation procedures followed to collect the information related to the incident?