NIST Incident Response and Recover Phases

In the week when the U.S. Secret Service appears to have concluded that the recent Presidential election was subverted by state-sponsored hackers, it is becoming clearer to the wider world that businesses need to have an incident response plan. Such a plan is very much in line with the NIST Cyber Framework under the category Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome categories within this function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

In this blog I will also focus on the NIST Cyber Framework guide to Recovery in the wake of a cyber incident. According to NIST the “Recover” phase should develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event.

Respond and Recover phases are especially important: consultancy firm Grant Thornton estimated at the end of last year that the global total cost of cyber-attacks on businesses stood at $280 billion in 2016, while the number of affected businesses increased 6% on last year to 21% of the sample.

‘Loss of reputation’ was the primary cited impact of a cyber-attack by 29% of respondents. Cyber insurance, touted to be one of the fastest growing crisis insurance segments, remains relatively underutilised: 52% do not have cyber insurance, 35% do, and 13% are not aware of possible coverage. The industry itself remains in its nascent stages, with vendors still devising the best way to protect companies, particularly large companies.

Incident response plans (IRP) are increasingly mentioned and required by regulators, while Lloyd’s Minimum Standards also have them in their sights.

What is an IRP though?

My organisation’s take on the response phase is that it is all about what needs to be done if an incident were to occur right now. Who would we have to notify? What resources – people, facilities, hardware, office space, internet connections – would we need to have in place to achieve a desired outcome? Identifying the incident means triaging it and then moving into the recovery stage.

The Communications aspect of the response is knowing who you are communicating with and what the necessary scale of response might be. For example, at Fifth Step we regularly test our business continuity alert system, which alerts all members of staff to an incident. So if there were a fire at our Birchin Court office, we would send out an alert cascade message as a text and also as a phone call with an advisory, something like:

“There is a fire incident at Birchin Court, members of staff should leave the office. Do not go to Birchin Court at this time.” Employees then have to reply to the text to say they have received it, and on voice mail press one or two. So we’ve communicated to a chosen user group, our staff, and we also have an auditable record of who received the message and when. The same might apply during a serious cyber breach.
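The alert cascade described above has two parts that matter for the audit trail: the message goes out over more than one channel, and every recipient must acknowledge it (a text reply, or a keypress on the voice call) so that there is a record of who received it and when. The following is an added example, not Fifth Step’s own system or code, that models that acknowledgement ledger: it records each send, accepts one valid acknowledgement per recipient, rejects unknown recipients and invalid keypresses, keeps an append-only audit log, and lists who has still not acknowledged after a deadline. The staff names, timestamps and channel names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed staff roster and message for the example (not a real roster).
STAFF = ["alice", "bob", "carol", "dave"]
MESSAGE = ("There is a fire incident at Birchin Court, members of staff should "
           "leave the office. Do not go to Birchin Court at this time.")


@dataclass
class AlertRecord:
    recipient: str
    channels: List[str]                  # channels the alert went out on
    sent_at: datetime
    acknowledged_at: Optional[datetime] = None
    ack_channel: Optional[str] = None
    ack_response: Optional[str] = None   # text reply or keypad digit


class AlertCascade:
    """Sends one incident message to every recipient over SMS and voice and
    keeps an auditable record of who acknowledged, via which channel, and when."""

    def __init__(self, recipients, message, now):
        self.message = message
        self.records = {r: AlertRecord(r, ["sms", "voice"], now) for r in recipients}
        self.audit_log = []              # append-only (iso timestamp, event) entries
        self._log(now, f"alert sent to {len(recipients)} recipients over sms+voice")

    def _log(self, when, event):
        self.audit_log.append((when.isoformat(), event))

    def acknowledge(self, recipient, channel, response, when):
        """Record an acknowledgement; return True only if it was accepted."""
        rec = self.records.get(recipient)
        if rec is None:
            self._log(when, f"ack from unknown recipient {recipient!r} ignored")
            return False
        if rec.acknowledged_at is not None:
            self._log(when, f"duplicate ack from {recipient} ignored")
            return False
        # A text reply of any content counts; on the voice call only 1 or 2 do.
        if channel == "sms":
            valid = bool(response.strip())
        elif channel == "voice":
            valid = response in ("1", "2")
        else:
            valid = False
        if not valid:
            self._log(when, f"invalid ack from {recipient} via {channel}: {response!r}")
            return False
        rec.acknowledged_at = when
        rec.ack_channel = channel
        rec.ack_response = response
        self._log(when, f"{recipient} acknowledged via {channel} ({response!r})")
        return True

    def acknowledged(self):
        return sorted(r for r, rec in self.records.items() if rec.acknowledged_at is not None)

    def unacknowledged(self, now, deadline):
        """Recipients still unacknowledged once `deadline` has elapsed since sending."""
        return sorted(r for r, rec in self.records.items()
                      if rec.acknowledged_at is None and now - rec.sent_at >= deadline)


def demo():
    """Run a constructed cascade and return a summary suitable for checking."""
    t0 = datetime(2016, 12, 12, 9, 0, tzinfo=timezone.utc)   # constructed send time
    cascade = AlertCascade(STAFF, MESSAGE, t0)
    cascade.acknowledge("alice", "sms", "Received", t0 + timedelta(minutes=2))
    cascade.acknowledge("bob", "voice", "1", t0 + timedelta(minutes=3))
    cascade.acknowledge("carol", "voice", "9", t0 + timedelta(minutes=4))   # invalid keypress
    cascade.acknowledge("mallory", "sms", "ok", t0 + timedelta(minutes=5))  # not on the roster
    return {
        "acknowledged": cascade.acknowledged(),
        "unacknowledged_after_10_min": cascade.unacknowledged(
            t0 + timedelta(minutes=10), timedelta(minutes=10)),
        "audit_events": len(cascade.audit_log),
        "audit_log": cascade.audit_log,
    }


if __name__ == "__main__":
    for ts, event in demo()["audit_log"]:
        print(ts, event)
```

Running it prints the audit log in order; the chase list (here carol and dave) is what the person coordinating the response works from once the deadline passes. The same ledger shape carries over to a cyber incident, where the recipients are the response team and stakeholder groups rather than everyone in the building.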

You also have other stakeholder groups, such as investors, customers and vendors, all of whom need to be communicated with.

The Business Continuity Plan (BCP) is combined with the Disaster Recovery plan that you call into effect in response to the incident, so, again, you triage the problem – is it a fire, a flood, a break-in? If it’s the cyber equivalent of a break-in, have thieves stolen anything, or have they merely broken the “digital entry door” because they can’t get any further?

That informs the communications response, which may be by phone or via the police or fire brigade, and if the incident is serious the response may even be to relocate to a remote location and let the senior management team know that we are relocating to the back-up office. Analysis, in NIST terms, is the triage stage: how you are going to analyse and categorise the incident, and how severe it is. In my next blog on this I look at the Mitigation phase of a cyber incident.

Darren Wray