
Basing incident response management on NIST SP 800-61

Incident response management can trip up both government agencies and enterprises alike. Expert Joseph Granneman looks at incident response techniques based on NIST SP 800-61.

Enterprises are struggling to respond to the increasing number of cyberattacks, and they aren't alone. According to a report released by the Government Accountability Office (GAO) in April 2014, so are agencies of the U.S. federal government. This report reviewed agency information security incident responses from 24 agencies, including the Department of Homeland Security, the Department of Energy, the Department of Housing and Urban Development, NASA and the Department of Veterans Affairs, and found several areas for improvement. Organizations outside of the U.S. federal government will probably find the issues identified in the report very familiar, and that the recommendations in the report apply to them.

The Computer Security Incident Handling Guide

The GAO used NIST SP 800-61 "Computer Security Incident Handling Guide" as a template to measure the effectiveness of a statistically relevant subset of incidents at each agency. This set of guidelines from NIST (the National Institute of Standards and Technology) defines several steps for responding effectively to an incident. These steps are grouped into four stages: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. The GAO report found there were some areas where agencies did well, but there were many inconsistencies. This is also true at non-government organizations.

Detection and analysis

NIST specifies that once an incident is detected, an organization should analyze the impact of the incident. According to the report, this was one area where federal agencies needed improvement. Agencies focused on addressing the problem at hand instead of analyzing what other systems could be affected. This is typical in all organizations where frontline technicians are under pressure to prioritize service restoration over incident analysis. Many of these technicians do not have the expertise to analyze the attack and are not given the time to escalate the issue. Organizations need to prioritize analysis in order to prevent attackers from penetrating deeper into their networks.

Containment, eradication and recovery

Given the focus federal agencies place on service recovery, it should be no surprise that they all demonstrated they could contain and eradicate most incidents. However, because no analysis was conducted upon initial detection, remediation failed to contain or limit damage in 25% of the incidents. The recovery steps taken to restore systems put those agencies back into the same vulnerable state in which they were originally compromised. Organizations need to use the information gained through analysis to remediate vulnerabilities before restoring systems to operation.

Post-incident activity

Post-incident activity is critical to proper incident response management. This is when the incident is documented and procedures are reviewed for effectiveness and changed accordingly. Despite the importance of documentation, the GAO report found that once service had been restored, agencies did not document their actions in 65% of the incidents. In addition, the agencies that did document their actions did not include key information, and as a result, the impact of the incident was frequently left undetermined. Policies or procedures were often updated post-incident, but the costs of the incidents were not captured. Organizations need to standardize their documentation and post-incident analysis to prevent recurrences.


The GAO report contains lessons for all organizations struggling with the increasing number and complexity of cyberattacks. Organizations tend to focus only on service restoration, but they must take the time to work through the guidelines recommended in NIST SP 800-61. Once an incident has been detected, it is critical to conduct an impact analysis in order to limit the damage. Recovery steps should include remediation so that systems are not simply restored to a previously vulnerable state. Finally, standardized documentation that includes the cost of the incident and the remediation steps taken can be used to improve incident response management in the future.

About the author:
Joseph Granneman is SearchSecurity's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in healthcare information technology. He is an active independent author and presenter in the healthcare information technology and information security fields. He is frequently consulted by the media and interviewed about various healthcare information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade, with many different implementations in the medical and financial services industries.

This was last published in November 2014