Adaptive

Learn Incident Response and Recovery

Read the notes, then try the practice. It adapts as you go.

Session Length: ~17 min

Adaptive Checks: 15 questions

Transfer Probes: 8

Lesson Notes

Incident response and recovery is the structured approach organizations use to detect, contain, eradicate, and recover from cybersecurity incidents while preserving evidence for investigation and preventing recurrence. The NIST Incident Response Lifecycle provides the foundational framework, organized into four phases: Preparation (building capabilities before an incident occurs), Detection and Analysis (identifying and validating potential incidents), Containment, Eradication, and Recovery (stopping the threat, removing it, and restoring normal operations), and Post-Incident Activity (learning from the incident to improve future response). Each phase requires specific tools, processes, and trained personnel working in coordination.

Digital forensics is the scientific discipline of collecting, preserving, analyzing, and presenting digital evidence in a legally defensible manner. Forensic investigators follow strict chain-of-custody procedures to ensure evidence integrity, using write blockers to create forensic images of storage media without altering the original evidence. Key forensic activities include memory forensics (analyzing RAM for running processes, network connections, and malware artifacts), disk forensics (recovering deleted files, examining file system metadata, and analyzing artifacts), network forensics (capturing and analyzing network traffic), and log analysis. Threat intelligence complements forensic analysis by providing context about attackers' tactics, techniques, and procedures (TTPs), enabling defenders to anticipate and prepare for likely attack methods.

Disaster recovery and business continuity planning ensure that an organization can maintain or quickly resume critical operations after a major incident or catastrophic event. Disaster recovery focuses specifically on restoring IT infrastructure and data, guided by metrics like Recovery Time Objective (RTO) — the maximum acceptable downtime — and Recovery Point Objective (RPO) — the maximum acceptable data loss. Business continuity planning takes a broader view, encompassing people, processes, and facilities needed to sustain essential business functions. Security operations centers (SOCs) serve as the organizational hub for continuous monitoring, incident detection, and coordinated response, staffing trained analysts who use SIEM systems, threat intelligence feeds, and automated playbooks to protect the organization around the clock.

You'll be able to:

  • Describe the four phases of the NIST Incident Response Lifecycle and the activities performed in each phase
  • Explain the principles of digital forensics including evidence preservation, chain of custody, and the order of volatility
  • Distinguish between volatile and non-volatile evidence and explain why collection order matters
  • Define RTO and RPO and explain how they drive disaster recovery planning decisions
  • Apply the MITRE ATT&CK framework to map adversary tactics and techniques for threat detection



Key Concepts

NIST Incident Response Lifecycle

The National Institute of Standards and Technology (NIST) defines a four-phase incident response lifecycle: (1) Preparation — establishing policies, plans, teams, and tools; (2) Detection and Analysis — identifying incidents through monitoring, alerts, and investigation; (3) Containment, Eradication, and Recovery — stopping the spread, removing the threat, and restoring systems; (4) Post-Incident Activity — conducting lessons learned, updating documentation, and improving processes. The lifecycle is iterative, with each incident informing improvements to preparation.

Example: After detecting ransomware on a server (Phase 2), the IR team isolates the infected system from the network (containment), removes the malware and restores from clean backups (eradication and recovery), then conducts a lessons-learned meeting to improve email filtering rules (post-incident activity).

Digital Forensics

Digital forensics is the application of scientific investigation techniques to digital evidence. It involves the identification, preservation, collection, examination, analysis, and reporting of digital artifacts from computers, networks, mobile devices, and cloud environments. Forensic procedures must maintain the chain of custody and evidence integrity to ensure findings are admissible in legal proceedings. Key principles include working from forensic images (never the original), documenting every action, and using validated tools.

Example: After a data breach, a forensic examiner creates a bit-for-bit image of the compromised server's hard drive using a write blocker, analyzes file system timestamps to determine when malicious files were created, examines browser history and logs to trace the attacker's actions, and produces a forensic report documenting the timeline and evidence.

Chain of Custody

Chain of custody is the documented, chronological record of who handled, accessed, or transferred a piece of evidence from the time of collection to its presentation in court or to decision-makers. Each transfer of evidence must be logged with the date, time, handler, purpose, and condition of the evidence. A broken chain of custody can render evidence inadmissible in legal proceedings because the integrity of the evidence cannot be guaranteed.

Example: A forensic analyst documents: 'At 14:32 on March 1, I received hard drive serial #XY123 from Officer Smith, sealed in tamper-evident bag #456. At 14:45, I verified the seal was intact, opened the bag, connected the drive via write blocker, and created forensic image hash SHA-256: abc123...'
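The two practices above, working only from a hashed forensic image and logging every handling step, can be shown in a few dozen lines. The following is an added example written for this page, not code from the course or from PiqCue: it hashes an in-memory stand-in for a disk image, records the acquisition hash once, appends a custody entry for every action, and re-verifies a working copy before analysis. The image bytes, the analyst and officer names, the drive serial, the bag number and the 2024 dates are constructed sample values; the `EvidenceItem` and `CustodyEntry` classes are this example's own design, not a standard.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-terabyte image never has to fit in RAM


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an image held in memory; a real image would be read from disk in CHUNK-sized pieces."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


@dataclass
class CustodyEntry:
    when: str       # ISO-8601 timestamp of the handling event
    handler: str    # who touched the evidence
    action: str     # what was done (received, imaged, verified, ...)
    condition: str  # state observed (seal intact, hash match, ...)


@dataclass
class EvidenceItem:
    description: str              # e.g. the drive's serial number
    seal_id: str                  # tamper-evident bag number
    acquisition_hash: str = ""    # hash recorded at imaging time; never overwritten
    custody_log: list = field(default_factory=list)

    def record(self, handler: str, action: str, condition: str, when: str = "") -> None:
        """Append one custody entry; every action on the item goes through here."""
        stamp = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.custody_log.append(CustodyEntry(stamp, handler, action, condition))

    def acquire_image(self, handler: str, image: bytes, when: str = "") -> str:
        """Record the acquisition hash exactly once; the original media is only ever read through a write blocker."""
        if self.acquisition_hash:
            raise RuntimeError("acquisition hash already recorded; re-imaging must be logged as a new item")
        self.acquisition_hash = sha256_hex(image)
        self.record(handler, f"imaged via write blocker; SHA-256 {self.acquisition_hash}", "seal intact", when)
        return self.acquisition_hash

    def verify_copy(self, handler: str, working_copy: bytes, when: str = "") -> bool:
        """Re-hash a working copy before analysis; a mismatch is logged, never silently ignored."""
        ok = sha256_hex(working_copy) == self.acquisition_hash
        self.record(handler, "re-hashed working copy", "hash matches acquisition" if ok else "HASH MISMATCH", when)
        return ok


def demo() -> EvidenceItem:
    """Walk the custody narrative above with a constructed 8 KiB stand-in for a disk image."""
    image = bytes(range(256)) * 32  # constructed, not real disk contents
    item = EvidenceItem("hard drive serial #XY123", "tamper-evident bag #456")
    item.record("Analyst", "received from Officer Smith", "sealed", "2024-03-01T14:32:00+00:00")
    item.acquire_image("Analyst", image, "2024-03-01T14:45:00+00:00")
    item.verify_copy("Analyst", image)                  # True: untouched working copy
    item.verify_copy("Analyst", image[:-1] + b"\x00")   # False: a single byte changed
    return item


if __name__ == "__main__":
    for entry in demo().custody_log:
        print(entry)
```

The design choice worth noticing is that the acquisition hash is written once and every later comparison is logged as its own custody entry, so the log itself shows when a copy stopped matching rather than relying on the examiner's memory.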

Threat Intelligence

Threat intelligence is evidence-based information about current and emerging cyber threats, including attacker motivations, capabilities, tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). It is categorized into strategic (high-level trends for executives), tactical (TTPs for security teams), operational (details about specific campaigns), and technical (IOCs like malicious IP addresses, file hashes, and domain names). Frameworks like MITRE ATT&CK organize adversary techniques into a structured taxonomy.

Example: A threat intelligence feed alerts an organization that APT group 'FancyBear' is actively targeting healthcare companies using spearphishing emails with malicious Excel attachments. The SOC uses this intelligence to update email filtering rules, add known malicious file hashes to their EDR blocklists, and brief staff on the specific phishing tactics being used.

Recovery Time Objective (RTO)

RTO is the maximum acceptable duration of time that a system, application, or business process can be down after an incident before the impact becomes unacceptable. It defines how quickly IT must restore operations after a disruption. RTO directly influences disaster recovery architecture decisions: a 4-hour RTO requires hot or warm standby systems, while a 72-hour RTO might be achievable with cold backups. The cost of achieving shorter RTOs increases significantly.

Example: An e-commerce platform sets an RTO of 2 hours for its order processing system because each hour of downtime costs $50,000 in lost revenue. This RTO drives the decision to maintain a hot standby database in a separate availability zone with automated failover.

Recovery Point Objective (RPO)

RPO is the maximum acceptable amount of data loss measured in time. It defines how far back in time data recovery must reach — essentially, how much data the organization can afford to lose. An RPO of 1 hour means backups must occur at least every hour, so at most 1 hour of data could be lost. An RPO of zero requires synchronous replication, where every write is immediately replicated to a secondary location.

Example: A banking system with an RPO of zero uses synchronous database replication to ensure that every transaction is written to both the primary and secondary database simultaneously. Even if the primary fails, no transactions are lost.
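The RTO and RPO definitions above translate directly into checks a DR planner can run against a backup schedule and a recovery timeline. The following is an added example written for this page, not code from the course or from PiqCue: it computes the data-loss window from the last completed backup (zero under synchronous replication), the downtime from failure to restoration, and whether each stays within the objective. The timestamps, the hourly backup schedule and the $50,000-per-hour downtime cost are constructed values that follow the e-commerce and banking scenarios above; the function names are this example's own.

```python
from datetime import datetime, timedelta


def data_loss_window(failure_time: datetime, backup_times=(), synchronous_replication: bool = False) -> timedelta:
    """Data lost, measured in time, when the primary fails at failure_time."""
    if synchronous_replication:
        return timedelta(0)  # every write already exists at the secondary site
    completed_before = [t for t in backup_times if t <= failure_time]
    if not completed_before:
        raise ValueError("no backup completed before the failure: the whole dataset is exposed")
    return failure_time - max(completed_before)


def schedule_meets_rpo(backup_times, rpo: timedelta) -> bool:
    """A periodic schedule satisfies the RPO only if no gap between consecutive backups exceeds it."""
    ts = sorted(backup_times)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return all(gap <= rpo for gap in gaps)


def evaluate_recovery(failure_time: datetime, restored_time: datetime, rto: timedelta, rpo: timedelta,
                      backup_times=(), synchronous_replication: bool = False,
                      downtime_cost_per_hour: float = 0.0) -> dict:
    """Compare an actual (or rehearsed) recovery against the RTO and RPO."""
    loss = data_loss_window(failure_time, backup_times, synchronous_replication)
    downtime = restored_time - failure_time
    return {
        "data_loss": loss,
        "downtime": downtime,
        "rpo_met": loss <= rpo,
        "rto_met": downtime <= rto,
        "downtime_cost": downtime.total_seconds() / 3600 * downtime_cost_per_hour,
    }


def demo_ecommerce() -> dict:
    """Order processing: RTO 2 h, RPO 1 h, hourly backups, failure at 02:40, restored at 04:10 (constructed)."""
    day = datetime(2024, 3, 1)
    hourly_backups = [day + timedelta(hours=h) for h in range(6)]
    assert schedule_meets_rpo(hourly_backups, timedelta(hours=1))
    return evaluate_recovery(
        failure_time=day + timedelta(hours=2, minutes=40),
        restored_time=day + timedelta(hours=4, minutes=10),
        rto=timedelta(hours=2),
        rpo=timedelta(hours=1),
        backup_times=hourly_backups,
        downtime_cost_per_hour=50_000,
    )


def demo_banking() -> dict:
    """Core ledger: RPO zero via synchronous replication, failover completes in 5 minutes (constructed)."""
    day = datetime(2024, 3, 1)
    return evaluate_recovery(
        failure_time=day + timedelta(hours=3),
        restored_time=day + timedelta(hours=3, minutes=5),
        rto=timedelta(minutes=15),
        rpo=timedelta(0),
        synchronous_replication=True,
    )


if __name__ == "__main__":
    print(demo_ecommerce())
    print(demo_banking())
```

Running the same functions with a 30-minute RPO against the hourly schedule makes `schedule_meets_rpo` return False, which is the planning signal the page describes: shrink the backup interval or move to replication, because the objective cannot be met by the current schedule.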

Business Continuity Planning (BCP)

BCP is the comprehensive process of creating plans and procedures that ensure critical business functions can continue during and after a major disruption. Unlike disaster recovery, which focuses on IT infrastructure, BCP encompasses people (alternate staffing, communication plans), processes (manual workarounds, alternate procedures), facilities (backup locations, remote work capabilities), and technology. BCP includes business impact analysis (BIA), which identifies critical functions and their dependencies.

Example: A hospital's BCP includes: a generator for power outages, paper-based charting procedures if the electronic health record system fails, agreements with nearby facilities for patient overflow, a communication tree for notifying staff, and quarterly drills to test the plan.

Security Operations Center (SOC)

A SOC is a centralized facility and organizational function responsible for continuous monitoring, detection, analysis, and response to cybersecurity incidents. SOC analysts work in tiers: Tier 1 monitors alerts and performs initial triage, Tier 2 conducts deeper investigation and analysis, and Tier 3 performs advanced threat hunting and incident response. SOCs use SIEM systems, endpoint detection and response (EDR) tools, threat intelligence feeds, and documented playbooks to coordinate their work.

Example: A Tier 1 SOC analyst sees an alert from the SIEM indicating multiple failed login attempts followed by a successful login from an unusual geographic location. They escalate to Tier 2, who investigates the account's activity, discovers data exfiltration, and initiates the incident response playbook.
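The Tier 1 alert in the example above, repeated failed logins followed by a success from an unusual location, is a rule a SIEM or a small script can evaluate over authentication logs. The following is an added example written for this page, not code from the course, from PiqCue or from any SIEM vendor: it parses a constructed, simplified log format, counts failures per account within a sliding window, compares the successful login's location with the account's usual locations, and assigns a severity and escalation tier. The log lines, the `region-A`/`region-B` location labels, the documentation-range source addresses and the baseline of usual locations are all constructed; the thresholds are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<timestamp> auth <FAIL|OK> user=<name> src=<ip> geo=<location>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>\S+) geo=(?P<geo>\S+)$"
)

# Constructed sample: alice is hammered then logged into from an unusual region,
# bob fat-fingers a password once, carol logs in cleanly but from an unusual region.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z auth FAIL user=alice src=203.0.113.7 geo=region-B
2024-03-01T09:00:04Z auth FAIL user=alice src=203.0.113.7 geo=region-B
2024-03-01T09:00:09Z auth FAIL user=alice src=203.0.113.7 geo=region-B
2024-03-01T09:00:15Z auth FAIL user=alice src=203.0.113.7 geo=region-B
2024-03-01T09:00:22Z auth FAIL user=alice src=203.0.113.7 geo=region-B
2024-03-01T09:00:31Z auth OK user=alice src=203.0.113.7 geo=region-B
2024-03-01T09:05:10Z auth FAIL user=bob src=198.51.100.22 geo=region-A
2024-03-01T09:05:20Z auth OK user=bob src=198.51.100.22 geo=region-A
2024-03-01T09:40:00Z auth OK user=carol src=192.0.2.44 geo=region-B
this line is malformed and must be skipped, not crash the detector
"""

# Constructed baseline of where each account normally logs in from.
USUAL_GEO = {"alice": {"region-A"}, "bob": {"region-A"}, "carol": {"region-A"}}


def parse_events(text: str) -> list:
    """Parse log lines into dicts with a datetime 'ts'; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_logins(events, usual_geo, fail_threshold=5, window=timedelta(minutes=10)) -> list:
    """Raise an alert on each successful login preceded by many failures and/or from an unusual location."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        recent_fails = []  # timestamps of failures still inside the sliding window
        for ev in evs:
            recent_fails = [t for t in recent_fails if ev["ts"] - t <= window]
            if ev["result"] == "FAIL":
                recent_fails.append(ev["ts"])
                continue
            fails = len(recent_fails)
            unusual = ev["geo"] not in usual_geo.get(user, set())
            recent_fails = []  # a success closes the current burst
            if fails >= fail_threshold and unusual:
                severity = "high"      # brute force that succeeded from somewhere new
            elif fails >= fail_threshold:
                severity = "medium"    # brute force pattern, familiar location
            elif unusual:
                severity = "low"       # only the location is odd; could be travel
            else:
                continue
            alerts.append({
                "ts": ev["ts"], "user": user, "ip": ev["ip"], "geo": ev["geo"],
                "failures": fails, "severity": severity,
                "escalate_to": "Tier 1 triage" if severity == "low" else "Tier 2",
            })
    return sorted(alerts, key=lambda a: a["ts"])


def run_detection() -> list:
    return detect_suspicious_logins(parse_events(SAMPLE_LOGS), USUAL_GEO)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The severity split is the point: the failed-login count alone and the location alone are each weak signals with benign explanations, while their combination on one account is what justifies the escalation to Tier 2 described above.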



Incident Response and Recovery Adaptive Course - Learn with AI Support | PiqCue