Incident response frameworks have been created to act as standards and step-by-step instructions for how the incident response process should proceed. While there are many frameworks to choose from, the two most prevalent come from the National Institute of Standards and Technology (NIST) and the SysAdmin, Audit, Network, and Security (SANS) Institute.
The NIST and SANS frameworks actually share all of the same components; however, they differ slightly in organization and verbiage.
The NIST framework consists of four steps:
- Preparation
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-Incident Activity
The SANS framework consists of six steps:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
The major departure between NIST and SANS is that SANS treats containment, eradication and recovery as independent steps. The following is a breakdown of the NIST framework, highlighting where it differs from the SANS framework.
Step 1: Preparation
The preparation step is similar for both NIST and SANS.
In the preparation step, security policies, procedures and team member roles are defined. Assets such as servers, networks and critical endpoints are subjected to risk assessments. These assets and their normal traffic patterns are then monitored to establish baselines that serve as controls for later comparison.
Communication plans are created including a guide on who to call based on the type of incident.
Team members also need to identify which types of incidents will warrant action and create a response plan for each type of incident.
Step 2: Detection and Analysis
This step is similar for NIST and SANS; however, SANS uses slightly different verbiage and calls it Identification.
In this step, an incident has been identified and is analyzed to determine whether it is threatening or not. Information such as log files, error messages and firewall logs is gathered to help in researching the entry point and breadth of the incident.
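The log-gathering and analysis described above is easiest to see on concrete data. The following is an added example, not part of the original article: it correlates constructed SSH authentication lines and firewall allow lines to flag a suspicious source, find the entry point (earliest event involving that source) and estimate the breadth (hosts the source logged into, plus hosts those hosts reached afterwards). The log formats, the host inventory and the failed-login threshold are assumptions made for the example.

```python
"""Correlate constructed auth and firewall log lines to scope an incident.

Added example: the log formats, HOST_IPS inventory and FAILED_THRESHOLD
are assumptions, not from any product or from the original article.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log formats (constructed for this example).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)
FW_RE = re.compile(r"^(?P<ts>\S+) fw ALLOW (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)$")

# Constructed host inventory: hostname -> IP (assumption for the example).
HOST_IPS = {"web01": "10.0.0.10", "db01": "10.0.0.20", "file01": "10.0.0.21"}

# Constructed sample log lines (not real data).
AUTH_LOGS = [
    "2024-05-01T02:10:01 web01 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T02:10:04 web01 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T02:10:09 web01 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T02:10:15 web01 sshd: Accepted password for admin from 203.0.113.7",
    "2024-05-01T02:11:00 web01 sshd: Failed password for root from 198.51.100.9",
    "2024-05-01T02:30:00 db01 sshd: Accepted password for alice from 10.0.0.5",
]
FW_LOGS = [
    "2024-05-01T02:09:58 fw ALLOW 203.0.113.7 -> 10.0.0.10:22",
    "2024-05-01T02:12:30 fw ALLOW 10.0.0.10 -> 10.0.0.20:3306",
    "2024-05-01T02:13:00 fw ALLOW 10.0.0.10 -> 10.0.0.21:445",
    "2024-05-01T02:30:00 fw ALLOW 10.0.0.5 -> 10.0.0.20:22",
]

FAILED_THRESHOLD = 3  # failures before a success that we treat as suspicious


def parse_auth(lines):
    """Parse auth lines into dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def parse_fw(lines):
    """Parse firewall allow lines into dicts; unknown lines are skipped."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def suspicious_sources(auth_events, threshold=FAILED_THRESHOLD):
    """Sources with at least `threshold` failed logins followed by a success."""
    failures = defaultdict(int)
    flagged = {}
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= threshold:
            flagged[ev["src"]] = ev  # the login that finally succeeded
    return flagged


def scope_incident(auth_events, fw_events, src):
    """Entry point (earliest event from src) and breadth (hosts in scope)."""
    own = [e["ts"] for e in auth_events if e["src"] == src]
    own += [e["ts"] for e in fw_events if e["src"] == src]
    entry = min(own)
    compromised = {src}
    for ev in auth_events:
        if ev["src"] == src and ev["result"] == "Accepted":
            compromised.add(HOST_IPS.get(ev["host"], ev["host"]))
    # One pass in time order: a host reached from an in-scope host after the
    # entry point is itself treated as in scope (lateral movement).
    for ev in sorted(fw_events, key=lambda e: e["ts"]):
        if ev["ts"] >= entry and ev["src"] in compromised:
            compromised.add(ev["dst"])
    return {"source": src, "entry_point": entry,
            "affected_hosts": sorted(compromised - {src})}


def analyze(auth_lines=AUTH_LOGS, fw_lines=FW_LOGS):
    """Run the full detection-and-analysis pass over the given log lines."""
    auth, fw = parse_auth(auth_lines), parse_fw(fw_lines)
    return [scope_incident(auth, fw, s) for s in suspicious_sources(auth)]


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On the sample data the single flagged source is 203.0.113.7, the entry point is the firewall allow at 02:09:58 (earlier than the first failed login), and the affected hosts are web01, db01 and file01, because the web server reached the other two after the successful login. The single time-ordered pass is enough to follow chains of lateral movement because each hop is logged after the hop that enabled it.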
Step 3: Containment, Eradication and Recovery
The SANS framework separates this step into three separate steps; however, the essence remains the same: dealing with the incident and bringing systems back to normal.
In containment, infected applications and systems are isolated to prevent damage from spreading, and the threat's entry point is closed. Eradication seeks to remove all elements of the incident, which may involve taking systems offline. In recovery, affected systems are tested and validated before being brought back online. The environments are then monitored in case the attacker returns.
Step 4: Post-Incident Activity
Both NIST and SANS agree that the last step should be treated as a learning experience in order to create stronger security protocols and prevent similar incidents from happening in the future.