NIST CRIED: The Four Steps of Incident Mitigation

March 1, 2017

Mike Tyson notably said, “Everyone has a plan ‘till they get punched in the mouth.” So, how do you ensure the same doesn’t hold true for your company’s incident response plan when a real breach occurs? Enter the NIST Framework category titled Mitigation.

Faced with an actual intrusion, companies would do well to focus on executing four immediate incident response steps. Taken together, their initials form the acronym CRIED:

Contain. Even if your company quickly detects a problem, it doesn’t take much time for hackers with escalated privileges (or self-propagating worms acting independently) to make things a lot worse. At its core, containment efforts look to stop further harm. While your organization searches for malware, unauthorized users and suspicious network activities, it may need to block certain accounts, websites and services, up to and including restricting network connectivity for certain groups of users, suspending Internet access, changing passwords, closing ports and mail servers, or physically isolating some computers by disconnecting them from the network.

Reduce Impact. Unfortunately, a number of containment actions won’t only frustrate the hacker, they’ll also interfere with employee productivity and the delivery of your company’s products and services. Information security professionals should discuss these possibilities in advance with business managers and IT personnel so they can ensure continuity of operations during incident remediation. This stage may include graceful degradation of certain systems, having other systems operate only locally or in manual mode, provisioning new standalone equipment, creating alternate email accounts or temporarily leasing third-party services.

Eradicate. Typically, eradication refers to the removal of any malware used in an attack, and patching any vulnerabilities (across the network) that enabled the attack or could result in a repeat of the same type of attack. It also can mean kicking out hackers who have obtained or created account credentials, as might be accomplished by deleting fake user names, resetting passwords and requiring two-factor authentication. Lastly, it is not uncommon to find additional vulnerabilities during incident response, and these need to be categorized and addressed according to existing vulnerability scanning protocols.

Document. When faced with an incident, it is immediately important to ensure network logging capabilities are enabled and logs are preserved. Organizations also should consider imaging affected computers for later analysis, which will assist in forensic analysis and be of potential value for law enforcement efforts. Finally, incident handlers should attempt to identify and document what computers were unlawfully accessed, the origins of the attack, whether and what malware was used, what connections were made with the system, and whether data was taken, altered or destroyed.

Although real world scenarios almost always deviate somewhat from plan, let’s close with the words of Vince Lombardi: “It’s not whether you get knocked down. It’s whether you get up.” By following the four steps of Mitigation, your company will be better prepared to take a hit, brush itself off, and get back to business.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

Organized Retail Crime (ORC) is a serious problem that has been on the rise for several years. The unprecedented event of the current pandemic will rival or even exceed any previous events. If COVID-19 by itself wasn't bad enough, add civil disturbance, bail reform, and the state of law enforcement, and you have a perfect storm.

Security Magazine

2020 August

This month in Security magazine, we examine how physical security leaders are being propelled into a unique position of revenue preservers and risk managers for their businesses. In addition, we profile Scott Ashworth, Director of Security for Atlanta United. Also, security leaders discuss how to develop cybersecurity careers, election security, data protection strategies, measuring and reporting security operations maturity and more!

View More Create Account

NIST CRIED: The Four Steps of Incident Mitigation

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Managing Supply Chain Risk

Security Magazine

2020 August

NIST CRIED: The Four Steps of Incident Mitigation

Recent Articles by Steven Chabinsky

Related Articles

Related Products

Report Abusive Comment