NIST CSF Overview: Respond
In order to foster trust in our work, Pythia Cyber uses the Cybersecurity Framework (CSF) put out by the National Institute of Standards & Technology (NIST) when designing and implementing Cybersecurity Programs. We are guided by the NIST CSF whether those programs are the modest first steps of new or small organizations, formal and rigorous programs for mature, mid-sized organizations, or anything in between.
The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this mantra is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete. There will be one blog post for each "pillar," as NIST calls them. This blog post is about Respond.
Respond is the step you take after Detect tells you that there is an issue and that the issue might signal an incident. Respond is the step we all know is important and time-critical. If the issue that was detected is an incident, then every second counts. Somewhat dramatically, some Cyber Defenders refer to this step as "stop the bleeding."
This urgency is why the Respond step is special: it has its own Incident Response Plan and it produces an Incident Response Report. You really do not want to be winging your response; you do not want to try to come up with the best course of action on-the-fly. You need a plan, and more than that, a plan that has been made into a procedure.
In an organization with a cybersecurity program, you have a formal Response Plan. In an organization with a good cybersecurity program, you have a plan that already has the buy-in of whoever needs to act, and a plan whose procedure everyone already knows and is ready to follow. Your CISO (or equivalent) has used their wide influence (despite their narrow authority) to prepare people to act and to inspire commitment to fixing the problem rather than mere compliance with the procedure.
Ideally, once Detect has done its job, the Respond step is a well-oiled machine. There will be time for reflection and analysis later: Respond is all about muscle memory. Get it done. Blame isn't a focus. Covering your butt isn't a focus. Doing what you know you have to do is the focus.
Once the dust settles a bit, you follow the procedure to produce the Incident Report. This should be a useful, working document, not an exercise in assigning or avoiding blame. The Incident Report should help inform the next step and should guide the next iteration of the plan. The goal is to get better at cybersecurity, because you can be sure that no incident is the final incident. There is always a new threat or vulnerability to face tomorrow.
This post describes pillar 4 of 5. Here are links to the other posts: [1 2 3 4 5]