
NAS2002 Respond Tasks List

#Winter24/NAS2002/respond

based on NIST Cybersecurity Framework 2.0

Incident Management
1. implement an incident response plan when an event is detected
2. conduct initial assessment and triage of detected incidents to determine impact and severity
3. escalate incident according to procedures defined in the IRP
4. determine whether to initiate recovery procedures based on incident's nature and scope

tools - IR platforms - TheHive, ServiceNow Security Operations, triage tools - SIEM, Splunk, IBM QRadar, automated workflows in IR platforms, predefined checklists

Incident Analysis
1. analyse incidents to identify root cause and method of attack
2. document actions taken during incident investigation and ensure the integrity of these records
3. gather data and metadata related to the incident for analysis and evidence
4. assess and validate the magnitude of the incident in terms of affected assets and overall impact

tools - forensic tools - Autopsy, Wireshark, logging solutions, impact assessment tools, impact analysis software

Incident Reporting
1. inform internal and external stakeholders as per notification protocols
2. disseminate detailed information to relevant parties

tools - secure communication tools, incident sharing platforms - MISP

Incident Mitigation
1. implement measures to contain and limit the spread of the incident
2. remove the threat from the environment and restore affected systems

tools - network segmentation tools, endpoint protection platforms, malware removal tools, system restoration software

Additional Tasks
1. continuously update IRP based on lessons learned and evolving threats
2. review and analyse handling of incidents to improve future response efforts

tools - policy management software, after-action review templates, lessons learned databases
