The NIST Incident Response Plan

What happens if you implement a cybersecurity framework and still have an incident or a breach? Unfortunately in cybersecurity, you can never be 100% secure. You will always be at some risk of an incident. Even the most sophisticated cybersecurity systems in the world carry a degree of risk. However, an incident doesn’t have to be devastating.

With proper root cause analysis, eradication, and a prior risk assessment, you can craft an effective incident response plan. This will prevent further damage after an incident and help speed up your responder’s remediation efforts after a security breach.

This is why it is crucial to create and maintain a comprehensive cybersecurity incident response plan. Keep reading to find out what an incident response plan is, how to respond to security events, and how to protect your business network today.

What can a cybersecurity breach impact?

  • Data Loss
  • Reputation Loss
  • Costly Downtime
  • Compliance Failure

What is an incident response plan?

An incident response plan is a set of detailed instructions or templates created to assist your IT staff or incident response team in detecting, responding to, and recovering from unplanned network security incidents. An effective response plan should be customized for your specific industry and include any regulatory or compliance requirements you must adhere to in the case of a cybersecurity incident.

All team members, stakeholders, and your computer security incident response team should be on the same page when it comes to incident response planning. Your business’s incident response plan should include relevant information on the following topics:

Data Loss – Where are my backups stored? In what format? How often do I update my backups? Is this automated or manually performed? How can I access them after an incident? Do I need to notify clients in the event of data loss?

Service Outages – How long can my business survive after a service outage? Who should I contact first after an outage? How quickly can we restore normal operations? How will I notify customers during an outage? Will this impact any critical systems functionality? Do my team members understand our disaster recovery plan?

Cybercrime – In the event of a cyberattack, who do I call first? How quickly can I isolate the infected device/server? Do I have any regulatory or compliance requirements like NIST, HIPAA, or GDPR to follow in the event of a breach? How will I train my employees to respond to potential phishing attacks or ransomware incidents after hours? Will my cyber insurance cover a breach? What malware protection do I have in place? How will this impact future incidents? Besides my firewall, what protection do I have in place?

Why do you need an incident response plan?

No network is 100% safe from a cybersecurity breach. Unfortunately, 56% of Americans don’t know what steps to take in the event of a data breach. According to Verizon’s 2019 Data Breach Investigations Report, 32% of breaches involved phishing.

Your IT team could work around the clock to implement and maintain a comprehensive cybersecurity program and still suffer a breach. If the rest of your employees click on suspicious links and reply to phishing emails, this puts your entire business at risk. This is why your business needs a comprehensive cybersecurity incident response plan. After a cyberattack, seconds and minutes matter; delaying your response to an incident or outage can cost your business time, money, and valuable data.

An effective response plan will help ensure you and your employees know exactly what to do when an incident occurs and how to mitigate that risk. You should also consider how the incident response process will impact your business continuity efforts.

What is an incident recovery team?

An incident recovery team is tasked with implementing your business’s incident response plan. These are usually members of your IT staff who collect information, preserve data, and examine post-incident metrics. If your IT staff or MSP (managed service provider) is not well-versed in compliance, they may need to consult with lawyers who can make sure any legal obligations your business has following a security incident or breach are met.

Your incident response team members should have a clear understanding of their roles and responsibilities when dealing with a breach. The information security team should have the contact information for any relevant parties involved in an emergency, including law enforcement.

The NIST framework offers a 4-step incident response process:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity

What is NIST?

The NIST Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the NIST Cybersecurity Framework (CSF), is the most widely used cybersecurity framework in the United States. NIST stands for the National Institute of Standards and Technology, which operates under the Department of Commerce. NIST manages, measures, and establishes scientific and technological standards for the U.S. private sector across science, manufacturing, and technology.

NIST Incident Response Plan

Preparation

Preparation covers everything the organization does to be ready for incident response, such as putting in place the necessary tools and resources and training the entire team. This phase also aims to prevent cyber events from occurring through regular assessments and vulnerability scans. When you have a complete picture of your network security, you can better protect it. Your preparation phase should include regular risk assessments, network security assessments, malware prevention, anti-virus scanning, and security awareness training.

Detection and Investigation

The most challenging element of incident response for many companies is accurately recognizing and evaluating events. Incidents can be found through vulnerability scanning, anti-virus scanners, deviations in network traffic flows, intrusion detection and prevention systems (IDPSs), other log analyzers, or third-party monitoring software. Your staff may also report trouble logging into specific systems or other unusual activity.

The following are common attack vectors:

  • USB Drives
  • Brute Force Attacks
  • Web Attacks
  • Email Malware
  • Phishing or Vishing
  • Unauthorized Usage
  • Loss or Theft
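As an added example that is not part of the original article, the following Python log analyzer shows what the "Brute Force Attacks" vector above looks like during Detection and Analysis: it parses constructed SSH-style auth log lines and flags any source with repeated failed logins inside a short window, noting whether a successful login followed (the case that needs containment rather than just monitoring). The log layout, the threshold of four failures and the one-minute window are assumptions, not NIST values.

```python
# Added example (not from the original article or from NIST): a minimal
# Detection-phase log analyzer for the brute-force attack vector.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout (not real logs).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 51001
2024-03-01T08:00:03 sshd[102]: Failed password for admin from 203.0.113.7 port 51002
2024-03-01T08:00:04 sshd[103]: Failed password for root from 203.0.113.7 port 51003
2024-03-01T08:00:06 sshd[104]: Failed password for admin from 203.0.113.7 port 51004
2024-03-01T08:00:07 sshd[105]: Accepted password for admin from 203.0.113.7 port 51005
2024-03-01T08:05:00 sshd[106]: Failed password for alice from 198.51.100.9 port 40001
2024-03-01T09:30:00 sshd[107]: Failed password for alice from 198.51.100.9 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

def parse_events(text):
    """Turn raw lines into (timestamp, result, user, src) tuples; skip lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def detect_brute_force(events, threshold=4, window=timedelta(minutes=1)):
    """Flag each source with >= threshold failures in any sliding window; note a later success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, _user, src in events:
        (failures if result == "Failed" else successes)[src].append(ts)
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                # A success after the burst suggests the account was actually compromised.
                followed = any(t > times[end] for t in successes.get(src, []))
                alerts[src] = {"failures": end - start + 1, "success_after": followed}
                break
    return alerts
```

Feeding the same function your real authentication logs only requires adapting `LINE_RE` to their layout; the sliding-window logic itself is format-independent.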

Containment, eradication, and recovery

This phase focuses on minimizing the effect of the event and reducing service interruptions. After detection, you should notify all members of your incident response team, including the CIO, external response teams, system owners, human resources team, legal department, and law enforcement if applicable.

Post-Event Activity

One of the essential aspects of incident response, and one of the most commonly overlooked, is learning and improving after an occurrence. The event and incident response activities are evaluated in this phase. The objectives are to reduce the likelihood of a repeat occurrence and find methods to improve future incident response activities.

Incident Response Planning

First, critical data and the systems that hold it should be segmented on your networks. Too often, companies store all of their data in one place, meaning that if a cyberattack occurs, they may be in a position to lose everything. By segmenting your data, you ensure that losses from a breach will be far less severe than they otherwise would be.

Have an IRP: Incident Response Plan

An Incident Response Plan is critical to ensuring that your organization can respond quickly and effectively to a security incident. An IRP should designate an individual responsible if an incident does occur, along with an incident response team to aid that person. It should include how to report a suspected incident, who to call, and what measures should be taken immediately to reduce the impact of the data breach. After an incident, you should discuss lessons learned.

Perform Threat Hunting

Threat hunting involves proactively hunting for vulnerabilities before an incident occurs. This helps familiarize your team with the network and its data storage locations and gives them experience searching for signs of potential compromise. You can use threat intelligence software while performing threat hunting, or rely on a SIEM or a security operations center.

You can also empower and secure your business using open-source security tools such as intrusion detection systems and open-source threat intelligence feeds. You should also consider how your IR plan will affect your security policy in the short and long term. In addition, ensure that you have active network monitoring services in place.

Train Your Employees

Your employees need to know what to do right away if an incident occurs. In many cases, untrained employees may ignore a security incident, or worse yet, try to hide it out of fear of repercussions. This can cost your company valuable time in which you could be responding to a breach. Security Awareness Training is one of the most cost-efficient ways to reduce the risk of breaches and incidents.

Studies show security-related risks are reduced by 70% when businesses invest in cybersecurity awareness training. Humans and technology need to work together to detect and respond to cyber threats. Management of urgent IT security problems like social engineering, spear-phishing, and ransomware attacks is an absolute must if companies expect to stay safe.

You can read the full NIST incident response plan here.

Contact Touchstone Security today to learn more about building an effective cybersecurity incident response plan.
