A New Incident Response (IR) Life Cycle: An Overview of NIST SP 800-61r3
Introduction
The National Institute of Standards and Technology (NIST) is a US government agency that develops standards for use across science and technology industries, especially in support of federal compliance initiatives such as the Federal Information Security Modernization Act (FISMA). Its publications are freely available to the public, are used by defenders in every sector, and are widely treated as the de facto authority for security standards and guidance.
One of its most notable and widely used offerings is the 800 series of Special Publications (SP), which focuses on information and cyber security. Included in the series is guidance on Incident Response (IR), an essential topic for all defenders: SP 800-61, Incident Response Recommendations and Considerations for Cybersecurity Risk Management. In this article I will give a brief overview of the document.
SP 800-61r3 Overview
The latest version is SP 800-61 revision 3. It was developed to fit into NIST's larger Cybersecurity Framework (CSF) 2.0, and has been redesigned from past versions, which treated the IR life cycle and incident handling as a mostly separate activity. It now emphasizes the interconnection between incident response and an organization's overall cybersecurity and risk management strategies. NIST recommends that it be used in conjunction with CSF 2.0 and its supplements, the resources provided on NIST's IR Project site, and NIST's Cybersecurity and Privacy Reference Tool (CPRT).¹
In the previous version (revision 2), IR was essentially a systematic, cyclical approach to handling individual incidents, as its title, "Computer Security Incident Handling Guide," suggests and as the following diagram shows:
Fig. 1. Previous incident response life cycle model¹
Seasoned defenders may be familiar with the above diagram depicting the IR life cycle. I have seen it referenced in internal IR policy documents since my career began, and while studying for certifications.
It treats incidents essentially as one-time occurrences, from which lessons can be learned to help revise the process for future incidents, as illustrated by the large arrow. It was, in general, a step-wise approach through four "phases" (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity) in the context of a single incident, and the purview of a select group of incident handlers.¹
It was developed at a time when fully declared incidents were less common and less destructive. Today, sophisticated attacks are constant and frequently successful, and responding to them requires coordination across the entire organization. The latest version was therefore developed to make IR part of the organization's cyber risk management framework and activities.¹
SP 800-61r3 has redesigned the IR life cycle to align with the six CSF 2.0 Core Functions (Govern, Identify, Protect, Detect, Respond, and Recover), with a focus on continuous improvement and integration with the broader framework. In the new model, Govern, Identify, and Protect make up the Preparation side, Detect, Respond, and Recover make up the Incident Response side, and lessons learned feed back into Identify (Improvement).
Here is the new diagram:
Fig. 2. Incident response life cycle model based on CSF 2.0 Functions¹
There are some key differences in the new model.
For one, the new version focuses on the importance of improvement, not just within IR activities but across the entire framework. As Fig. 2 shows, all framework activities feed into improving IR activities, and all IR activities feed into improving framework activities.¹
Secondly, it emphasizes that IR should be a company-wide effort, with different internal business units and external partners included in the IR process. Where traditional IR was handled by a select group of responders, typically drawn from the IT department or dedicated security staff, the new model stresses collaboration across the entire organization.¹
Finally, and perhaps the largest modification, is the integration of IR within CSF 2.0. Section three of SP 800-61r3 details where IR fits as a Community Profile. Community Profiles were introduced in CSF 2.0 "to reflect the use of the CSF for developing use case-specific cybersecurity risk management guidance for multiple organizations."¹ The CSF and Community Profiles are outside the scope of this article, but look for future entries on the subject.
Conclusion
Incident Response is an important topic for all defenders. NIST’s latest revision of their IR guidance reflects the dynamic nature of cybersecurity and introduces a more adaptable approach that puts IR properly in place as integral to an effective overall risk management strategy.
Daily Cuppa
Today’s cup of tea is Organic Earl Grey provided by Equal Exchange. Organic, fair-trade and full of refreshing flavor and aroma. Today with a splash of oat milk and a dab of honey.
References
¹ NIST SP 800-61r3: Incident Response Recommendations and Considerations for Cybersecurity Risk Management
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf
² NIST Cybersecurity Framework 2.0: A Guide to Creating Community Profiles
https://csrc.nist.gov/pubs/cswp/32/nist-csf-20-a-guide-to-creating-community-profiles/ipd