NIST CRIED: The Four Steps of Incident Mitigation

March 1, 2017

Mike Tyson notably said, “Everyone has a plan ‘till they get punched in the mouth.” So, how do you ensure the same doesn’t hold true for your company’s incident response plan when a real breach occurs? Enter the NIST Framework category titled Mitigation.

Faced with an actual intrusion, companies would do well to focus on executing four immediate incident response steps. Taken together, their initials form the acronym CRIED:

Contain. Even if your company quickly detects a problem, it doesn’t take much time for hackers with escalated privileges (or self-propagating worms acting independently) to make things a lot worse. At its core, containment efforts look to stop further harm. While your organization searches for malware, unauthorized users and suspicious network activities, it may need to block certain accounts, websites and services, up to and including restricting network connectivity for certain groups of users, suspending Internet access, changing passwords, closing ports and mail servers, or physically isolating some computers by disconnecting them from the network.

Reduce Impact. Unfortunately, a number of containment actions won’t only frustrate the hacker, they’ll also interfere with employee productivity and the delivery of your company’s products and services. Information security professionals should discuss these possibilities in advance with business managers and IT personnel so they can ensure continuity of operations during incident remediation. This stage may include graceful degradation of certain systems, having other systems operate only locally or in manual mode, provisioning new standalone equipment, creating alternate email accounts or temporarily leasing third-party services.

Eradicate. Typically, eradication refers to the removal of any malware used in an attack, and patching any vulnerabilities (across the network) that enabled the attack or could result in a repeat of the same type of attack. It also can mean kicking out hackers who have obtained or created account credentials, as might be accomplished by deleting fake user names, resetting passwords and requiring two-factor authentication. Lastly, it is not uncommon to find additional vulnerabilities during incident response, and these need to be categorized and addressed according to existing vulnerability scanning protocols.

Document. When faced with an incident, it is immediately important to ensure network logging capabilities are enabled and logs are preserved. Organizations also should consider imaging affected computers for later analysis, which will assist in forensic analysis and be of potential value for law enforcement efforts. Finally, incident handlers should attempt to identify and document what computers were unlawfully accessed, the origins of the attack, whether and what malware was used, what connections were made with the system, and whether data was taken, altered or destroyed.

Although real world scenarios almost always deviate somewhat from plan, let’s close with the words of Vince Lombardi: “It’s not whether you get knocked down. It’s whether you get up.” By following the four steps of Mitigation, your company will be better prepared to take a hit, brush itself off, and get back to business.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 November

This month, Security magazine brings you the Security 500 Report, Rankings and Thought Leader Profiles. How does your enterprise compare to others? Which security programs are leading the way? Also this month, we highlight how to plan, prepare for and build resilience to protests and other unplanned events, video surveillance tools for SMBs and more.

View More Create Account

NIST CRIED: The Four Steps of Incident Mitigation

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Managing Supply Chain Risk

Security Magazine

2020 November

NIST CRIED: The Four Steps of Incident Mitigation

Recent Articles by Steven Chabinsky

Related Articles

Related Products

Report Abusive Comment