NIST CRIED: The Four Steps of Incident Mitigation
Mike Tyson notably said, “Everyone has a plan ‘till they get punched in the mouth.” So, how do you ensure the same doesn’t hold true for your company’s incident response plan when a real breach occurs? Enter the NIST Framework category titled Mitigation.
Faced with an actual intrusion, companies would do well to focus on executing four immediate incident response steps. Taken together, their initials form the acronym CRIED:
Contain. Even if your company quickly detects a problem, it doesn’t take much time for hackers with escalated privileges (or self-propagating worms acting independently) to make things a lot worse. At its core, containment efforts look to stop further harm. While your organization searches for malware, unauthorized users and suspicious network activities, it may need to block certain accounts, websites and services, up to and including restricting network connectivity for certain groups of users, suspending Internet access, changing passwords, closing ports and mail servers, or physically isolating some computers by disconnecting them from the network.
Reduce Impact. Unfortunately, many containment actions don’t just frustrate the hacker; they also interfere with employee productivity and the delivery of your company’s products and services. Information security professionals should discuss these possibilities in advance with business managers and IT personnel so they can ensure continuity of operations during incident remediation. This stage may include graceful degradation of certain systems, having other systems operate only locally or in manual mode, provisioning new standalone equipment, creating alternate email accounts, or temporarily leasing third-party services.
Eradicate. Typically, eradication refers to the removal of any malware used in an attack and the patching of any vulnerabilities (across the network) that enabled the attack or could allow a repeat of the same type of attack. It can also mean kicking out hackers who have obtained or created account credentials, as might be accomplished by deleting fake user names, resetting passwords and requiring two-factor authentication. Lastly, it is not uncommon to find additional vulnerabilities during incident response, and these need to be categorized and addressed according to existing vulnerability scanning protocols.
Document. When faced with an incident, it is immediately important to ensure network logging capabilities are enabled and logs are preserved. Organizations also should consider imaging affected computers for later analysis, which will assist in forensic analysis and be of potential value for law enforcement efforts. Finally, incident handlers should attempt to identify and document what computers were unlawfully accessed, the origins of the attack, whether and what malware was used, what connections were made with the system, and whether data was taken, altered or destroyed.
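To illustrate the log-preservation point above, here is an added example (not code from the article): a small Python script that records a SHA-256 manifest of the collected evidence at collection time and re-verifies it later, so that any alteration after collection is detectable. The incident id, collector name, file names and log lines are all constructed placeholders.

```python
# Added example (not from the article): preserve collected logs for forensic and
# legal use by recording a SHA-256 manifest at collection time and re-verifying
# it later. Paths, incident id, collector name and log lines are constructed.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir: Path, incident_id: str, collector: str) -> dict:
    """Record who collected what, when, and each file's size and hash."""
    files = [
        {"path": str(p.relative_to(evidence_dir)), "size": p.stat().st_size,
         "sha256": sha256_file(p)}
        for p in sorted(p for p in evidence_dir.rglob("*") if p.is_file())
    ]
    return {"incident_id": incident_id, "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(), "files": files}

def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return relative paths that are missing or whose hash no longer matches."""
    return [e["path"] for e in manifest["files"]
            if not (evidence_dir / e["path"]).is_file()
            or sha256_file(evidence_dir / e["path"]) != e["sha256"]]

def demo() -> tuple[list[str], list[str]]:
    """Collect a constructed auth log, verify it, then alter it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        log = evidence / "auth.log"
        log.write_text(  # constructed sample lines, not a real capture
            "Jan 10 02:14:07 web01 sshd[4121]: Failed password for root from 203.0.113.7\n"
            "Jan 10 02:14:09 web01 sshd[4121]: Accepted password for backup from 203.0.113.7\n")
        manifest = build_manifest(evidence, "INC-EXAMPLE-001", "handler@example.org")
        (evidence / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(evidence, manifest)
        # Simulate a post-collection edit (e.g. someone trimming the log): must be detected
        log.write_text("Jan 10 02:14:09 web01 sshd[4121]: Accepted password for backup\n")
        after = verify_manifest(evidence, manifest)
        return before, after
```

Storing the manifest (and ideally a signed copy) somewhere the affected host cannot write to is what makes the later verification meaningful.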
Although real-world scenarios almost always deviate somewhat from the plan, let’s close with the words of Vince Lombardi: “It’s not whether you get knocked down. It’s whether you get up.” By following the four steps of Mitigation, your company will be better prepared to take a hit, brush itself off, and get back to business.