Module 2: Fundamentals of Incident Response
Incident Response Frameworks
Incident Response in IT and Cybersecurity



CREST Model of Incident Management


NIST Special Publication 800-61


SANS Model of Incident Response

Roles and Responsibilities of Incident Response Teams
The SOC Role in Incident Response
Typically, a SOC is organized into three teams (or levels), each with its own responsibilities.
SOC Level 1
Staffed by Cyber Defense Analysts who monitor the organization 24x7. Tasked with checking logs and alerts for events which require attention, triaging those events to identify potential incidents and assigning initial priorities.
SOC Level 2
Staffed by Cyber Defense Incident Responders. Tasked with investigating event escalations (from SOC Level 1).
SOC Level 3
Staffed by Cyber Defense Incident Responders and Cyber Defense Forensics Analysts. Tasked with providing deeper technical incident investigation expertise and managing incidents that might require significant time or external resourcing to resolve.
Structure of an Incident Response Team
Most common structures of an incident response team:
Part-Time. While an Incident Response Team will need to be available 24x7 to respond to incidents, it does not need to be a full time role for team members. Specific staff may be designated as Incident Handlers as and when an incident occurs, and remain on call outside normal business hours. For example, a Windows System Administrator may be the business-as-usual Incident Handler for routine Windows events that require investigation, while the Help Desk acts as the initial point of contact for incidents. In this case, the senior Incident Handler would be appointed as the Incident Response Team Manager in the event of a major incident.
Full-Time (SOC). When full-time staff are employed as Cyber Defense Analysts and Cyber Defense Incident Responders, they typically operate as a Security Operations Center (SOC) for the organization. This is commonly observed in medium and large enterprises. The Incident Response Team Manager acts as the SOC Manager, and the staff serve as Incident Handlers.
Distributed. In larger organizations, a central SOC may be supported by multiple regional teams of Cyber Defense Incident Responders, or multiple regional SOCs may engage with their own Cyber Defense Analysts and Cyber Defense Incident Responders.
Outsourced. In addition to using its own staffing, an organization may outsource some aspects of its incident response. In particular, Security Monitoring is a common third-party service offering which relieves an organization of the cost of setting up its own team of Cyber Defense Analysts. An organization may also retain a third party to handle major incidents through an Incident Response service. Typically, with full outsourcing, a member of staff would be responsible for coordinating all internal actions in support of the Incident Response Team Manager.
Responsibilities of the Incident Response Team
NICE Cyber Defense Incident Responder Skills
S0003: Identify, capture, contain and report malware
S0047: Preserve evidence integrity
S0077: Secure network communications
S0078: Recognize and categorize vulnerabilities and associated attacks
S0079: Protect a network against malware
S0080: Perform damage assessments
S0173: Use security event correlation tools
S0365: Design incident response for cloud service models
NICE Cyber Defense Incident Responder Responsibilities
T0041: Technical assistance in resolving incidents
T0047: Recommend remediation actions
T0161: Analyze log files to identify threats
T0163: Triage to determine scope, urgency and impact
T0164: Perform cyber defense trend analysis and reporting
T0170: Perform forensically-sound evidence collection
T0175: Perform real-time cyber defense incident handling
T0214: Analyze network alerts
T0233: Track and document incidents through to closure
T0246: Develop cyber defense guidance and incident reports
T0262: Employ approved defense-in-depth practices
T0278: Collect intrusion artifacts
T0279: Liaise with law enforcement when required
T0312: Coordinate with threat intelligence analysts
T0395: Write post-incident reports
T0503: Monitor and assess external threat sources
T0510: Coordinate incident response functions
The Role of Forensics in Incident Response
Forensic work within incident response is typically done by a Cyber Defense Forensics Analyst.