Thursday 27th May 2021

NIST Respond, Recover – video explainer

The NIST Cyber Security Framework (CSF) has five primary functions: Identify, Protect, Detect, Respond and Recover.

Many organisations rely upon ad hoc log checking and post-event review instead of the continuous monitoring and detection processes described in the Detect function. Even without such a vital ‘cog’ it is still possible to develop and maintain your Respond and Recover functions.

Response planning requires strong linkage with the output of the Detect function: an alert or anomaly is what triggers the plan. The plan defines a process together with roles and responsibilities. Escalation paths and a playbook should be crafted ahead of time and rehearsed.

Involving the persons who actually hold those roles in the table-top exercises is essential. Beware of deputisation and apathy during the drills; a stand-in who walks through the exercise, or a role-holder who does not engage, can cause chaos during a live event.

  • Communications are critical and require executive involvement. A full communications strategy should be developed and socialised within your organisation.
  • Analysis or investigation is a workstream that must carefully uncover the facts as soon as possible without destroying evidence. The nature and scope of a potential breach needs to be identified, and this will allow organisational leadership to assess the impact.
  • Containment is a workstream closely aligned with the analysis workstream. Once again, containment should not interfere with the analysis; for example, powering off a compromised host before volatile memory has been captured destroys evidence the investigators may need.

Testing of your organisation’s response plan is essential. There should also be several defined scenarios which your preparation has identified as the most likely to occur (ransomware, DDoS, data leak etc.).

The testing is typically conducted as a ‘tabletop exercise’ where a scenario is developed and walked through methodically. The enactment of a breach involves the operational team leads and should include the executives at the point where the event is escalated to an incident.

Roles and responsibilities should have been established and agreed as part of the preparation of the tabletop exercises.

Your scenarios should follow the full lifecycle of an event, from initial detection through escalation to containment and resolution.

According to NIST CSF the recover function involves the need to “develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.”

The Recover function should support timely recovery and restoration of your systems and services. Failure to do so prolongs the outage, increases the impact to your organisation and compounds any reputational damage.

Recover includes the following categories:

  • Recovery Planning: Recovery procedures are tested, executed, and maintained so that your programme can mitigate the effects of an event sooner rather than later.
  • Improvements: Recovery planning and processes are improved by incorporating lessons learned from events, with areas for improvement identified and solutions put in place.
  • Communications: Recovery activities are coordinated internally and with external parties (for example customers, regulators and suppliers) so that planning and execution are thorough and well organised.

The Recover function is vital not only to coordinate your organisation but also to give your customers and stakeholders a level of reassurance.

Precise and swift recovery handling combined with tactful, considered communications can allow you to exit the breach in a much stronger position internally and externally than you would otherwise.

To learn more and speak to our expert team, please complete the below and we’ll be in touch:

  • I have worked with IP-Performance for over 20 years and have always found them to be knowledgeable, helpful, prepared to go above and beyond and always right on the edge of modern technology and trends. So, when they suggested we might want to let them do an internal security audit, we jumped at the chance and the results were nothing short of jaw dropping… I would recommend anyone take a look at their portfolio, even if you think you have all your security bases covered… Trust me, you haven’t. I would recommend the portfolio, and anything that IP-P do to anyone across the industry. The breadth of what they cover is astounding.

    David Brazewell, Technical Director,
    QubeGB Ltd.