CISA National Cyber Incident Scoring System (2024)

Many incident taxonomies and classification schemes provide excellent guidance within the scope of a single enterprise’s security operations center (SOC). However, such systems do not address incident prioritization or risk assessment from a nationwide perspective, which may involve large numbers of diverse enterprises. Large-scale, national cybersecurity operations centers like the Cybersecurity and Infrastructure Security Agency (CISA) need to assess risk while accommodating a diverse set of private critical infrastructure asset owners and operators and U.S. Government departments and agencies. The National Cyber Incident Scoring System (NCISS) is designed to provide a repeatable and consistent mechanism for estimating the risk of an incident in this context.

NCISS is based on the National Institute of Standards and Technology (NIST) Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide, and tailored to include entity-specific potential impact categories that allow CISA personnel to evaluate risk severity and incident priority from a nationwide perspective. NCISS permits a similar incident experienced by two different stakeholders to have significantly different scores based on the national-level potential impact of each affected entity. The system is not intended to be an absolute scoring of the risk associated with an incident.

NCISS uses a weighted arithmetic mean to produce a score from zero to 100. This score drives CISA incident triage and escalation processes and assists in determining the prioritization of limited incident response resources and the necessary level of support for each incident. The system is not currently designed to support cases where multiple correlated incidents may increase overall risk, such as multiple simultaneous compromises of organizations in a specific sector or region. However, such events can still be readily escalated with expert human intervention.

The inputs to the scoring system are a mixture of discrete and analytical assessments. While every attempt is made to minimize individual biases via training and exercise, different individual scorers will inevitably have slightly different perspectives on their responses to some of the scoring questions. The use of several discrete, verifiable inputs lessens the impact from any individual analytical factor, increasing the overall reliability of the system.

The NCISS uses the following weighted arithmetic mean to arrive at a score between zero and 100:
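As an added illustration (not CISA's published formula, weights, or scoring configuration), the following Python shows the shape of such a weighted arithmetic mean over the eight NCISS categories described on this page, and why several bounded inputs limit how far one scorer's judgement can move the result. The category weights, the linear 0..100 mapping of the location levels, and the sample incident are assumptions chosen for illustration only.

```python
"""Shape of an NCISS-style weighted arithmetic mean (added illustration).

Not CISA's published formula or configuration. The eight category names are
the ones described on this page; every weight and every numeric value below
is an assumption chosen for illustration only.
"""
from __future__ import annotations

# Assumed relative weights per scoring category (illustrative, not CISA's).
WEIGHTS: dict[str, float] = {
    "functional_impact": 20,
    "observed_activity": 10,
    "location_of_observed_activity": 15,
    "actor_characterization": 10,
    "information_impact": 15,
    "recoverability": 10,
    "cross_sector_dependency": 10,
    "potential_impact": 10,
}

# Location levels as listed on this page, mapped linearly onto 0..100
# (the linear mapping is an assumption).
LOCATION_LEVELS = {
    "unsuccessful": 0,
    "business_dmz": 1,
    "business_network": 2,
    "business_network_management": 3,
    "critical_system_dmz": 4,
    "critical_system_management": 5,
    "critical_systems": 6,
    "safety_systems": 7,
}


def location_value(level: str) -> int:
    """Convert a named location level into a 0..100 category value."""
    return round(LOCATION_LEVELS[level] * 100 / max(LOCATION_LEVELS.values()))


def nciss_score(values: dict[str, float], weights: dict[str, float] = WEIGHTS) -> float:
    """Weighted arithmetic mean sum(w_i * v_i) / sum(w_i) of per-category values.

    Each value must be in 0..100, so the result is also in 0..100. A missing
    category raises instead of silently counting as zero, because a silently
    zeroed factor would bias every score downward.
    """
    missing = set(weights) - set(values)
    if missing:
        raise ValueError(f"unscored categories: {sorted(missing)}")
    for name, v in values.items():
        if not 0 <= v <= 100:
            raise ValueError(f"{name}={v!r} outside 0..100")
    total_weight = sum(weights.values())
    return sum(weights[name] * values[name] for name in weights) / total_weight


def max_swing(category: str, weights: dict[str, float] = WEIGHTS) -> float:
    """Largest score change one scorer's disagreement on a single category can cause.

    With values bounded to 0..100, one category can move the mean by at most
    100 * w_c / sum(w). This is why several discrete, verifiable inputs dilute
    any one analytical judgement.
    """
    return 100 * weights[category] / sum(weights.values())


# Constructed sample incident (not a real case): activity seen on business
# network management systems, moderate impact, moderate actor capability.
SAMPLE_INCIDENT = {
    "functional_impact": 25,
    "observed_activity": 50,
    "location_of_observed_activity": location_value("business_network_management"),
    "actor_characterization": 50,
    "information_impact": 25,
    "recoverability": 25,
    "cross_sector_dependency": 50,
    "potential_impact": 60,
}

if __name__ == "__main__":
    base = nciss_score(SAMPLE_INCIDENT)
    print(f"score: {base:.1f}")
    # Disagreement on the most judgement-laden input moves the score by a
    # bounded amount: at most max_swing('actor_characterization') points.
    hawkish = nciss_score({**SAMPLE_INCIDENT, "actor_characterization": 100})
    print(f"actor rated 100 instead of 50: {hawkish:.1f} "
          f"(bound {max_swing('actor_characterization'):.1f})")
```

With these assumed weights, doubling the actor characterization value from 50 to 100 shifts the score by five points out of a hundred, which is the bounded effect the text attributes to mixing discrete and analytical inputs. Whatever weights an operational configuration uses, the same ratio w_c / sum(w) bounds the influence of any single scorer judgement.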

After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with CISA and the Cyber Incident Severity Schema (CISS) to help provide a common lexicon when discussing incidents. This priority assignment drives CISA urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below.

Emergency (Black)

An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons.

Severe (Red)

A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties.

High (Orange)

A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Medium (Yellow)

A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Low (Green)

A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Baseline

A baseline priority incident is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The bulk of incidents will likely fall into the baseline priority level, many of them being routine data losses or incidents that may be immediately resolved. However, some incidents may require closer scrutiny, as they may have the potential to escalate after additional research is completed. In order to differentiate between these two types of baseline incidents, and to integrate seamlessly with the CISS, the NCISS separates baseline incidents into Baseline–Minor (Blue) and Baseline–Negligible (White).

Baseline – Minor (Blue)

A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny.

Baseline – Negligible (White)

A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Multiple Connected Incidents

Currently, when a series of connected incidents, or campaign, is evaluated, the overall campaign is given the same priority level as the high water mark of any associated component incident. This does not account for a campaign that may have a more significant total impact than any individual component incident. To take into account incident aggregation when evaluating a campaign, the following rule is applied: If three or more component incidents have the same high water mark, the overall campaign's priority level is raised to the next level.

For example if a campaign has three “Low (Green)” and two “Baseline – Minor (Blue)” component incidents the overall campaign would be set to a “Medium (Yellow)” priority level.
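The aggregation rule above is fully specified, so it can be implemented directly. The following Python is an added example (not CISA's code) that encodes the high-water-mark rule and the three-or-more escalation, and reproduces the worked case in the text. Capping at Emergency (Black) is an assumption, since the page does not say what happens when the high water mark is already the top level.

```python
"""NCISS campaign (multiple connected incidents) priority aggregation.

Added example implementing the rule stated on this page, not CISA's own code:
a campaign takes the priority of its highest-priority component incident, and
if three or more components share that high water mark the campaign is raised
one level. Capping at Emergency (Black) is an assumption.
"""
from collections import Counter

# Ordered lowest to highest, as listed on this page (labels use ASCII hyphens).
PRIORITY_LEVELS = [
    "Baseline - Negligible (White)",
    "Baseline - Minor (Blue)",
    "Low (Green)",
    "Medium (Yellow)",
    "High (Orange)",
    "Severe (Red)",
    "Emergency (Black)",
]
_RANK = {name: i for i, name in enumerate(PRIORITY_LEVELS)}


def campaign_priority(component_priorities, escalation_threshold=3):
    """Return (campaign_level, escalated) for the given component priorities.

    escalated is True when the aggregation rule raised the campaign above its
    high water mark; it stays False if the high water mark is already the top
    level, since there is nothing to raise to.
    """
    if not component_priorities:
        raise ValueError("a campaign needs at least one component incident")
    unknown = sorted({p for p in component_priorities if p not in _RANK})
    if unknown:
        raise ValueError(f"unknown priority level(s): {unknown}")

    # High water mark: the most severe level among the components.
    high_water = max(component_priorities, key=_RANK.__getitem__)
    # Only components *at* the high water mark count toward escalation;
    # many lower-priority components do not push the campaign up.
    at_high_water = Counter(component_priorities)[high_water]
    rank = _RANK[high_water]

    can_raise = rank < len(PRIORITY_LEVELS) - 1
    escalated = at_high_water >= escalation_threshold and can_raise
    if escalated:
        rank += 1
    return PRIORITY_LEVELS[rank], escalated


if __name__ == "__main__":
    # The page's own worked example: three Green and two Blue components.
    print(campaign_priority(["Low (Green)"] * 3 + ["Baseline - Minor (Blue)"] * 2))
    # Only two at the high water mark: no escalation, however many Blues exist.
    print(campaign_priority(["Low (Green)"] * 2 + ["Baseline - Minor (Blue)"] * 5))
    # Already Emergency: nowhere to go.
    print(campaign_priority(["Emergency (Black)"] * 4))
```

Note that the rule counts only components at the high water mark: two Green incidents alongside five Blue ones stay at Low (Green), because the Blues are below the mark. That is a consequence of the rule as written, not a judgement about whether such a campaign deserves more attention; the text already notes that aggregate effects beyond this rule rely on expert human escalation.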

Functional Impact

Functional impact is a measure of the actual, ongoing impact to the organization. In many cases (e.g., scans and probes or a successfully defended attack), little or no impact may be experienced due to the incident.

Observed Activity

Observed activity describes what is known about threat actor activity on the network. These options are normalized to guidance issued by the Office of the Director of National Intelligence (ODNI) and used by the intelligence community. Although the ODNI guidance document goes into more detail, observed activity is sorted into the following general categories: Prepare, Engage, Presence, and Effect.

Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities.

Engage activities are actions taken against a specific target or target set before access is gained, with the intent of gaining access to the victim's physical or virtual computer or information systems, networks, and data stores.

Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores.

Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores.

Location of Observed Activity

The location of observed activity describes where the observed activity was detected in the network. The options for this category are based on a modified version of the Purdue Enterprise Reference Architecture. A flexible set of definitions was chosen because each affected entity will likely have a different perspective on which systems are critical to its enterprise. The location of observed activity is likely to change during the course of an incident and should be updated as new information becomes available.

Level 0 – Unsuccessful

Existing network defenses repelled all observed activity.

Level 1 – Business Demilitarized Zone

Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet. Examples are a company’s Web server or email server.

Level 2 – Business Network

Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems.

Level 3 – Business Network Management

Activity was observed in business network management systems such as administrative user workstations, Active Directory servers, or other trust stores.

Level 4 – Critical System DMZ

Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems.

Level 5 – Critical System Management

Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems.

Level 6 – Critical Systems

Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments.

Level 7 – Safety Systems

Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system.

Unknown

Activity was observed, but the network segment could not be identified.

Actor Characterization

One of the greatest challenges in incident response is attributing an incident to a particular actor set and understanding the skill levels and intentions of that actor. CISA may leverage its own analytic body of knowledge as well as that of other mission partners to determine an actor’s capabilities with regard to specific target systems such as industrial control environments.

Information Impact

In addition to functional impact, incidents may also affect the confidentiality and integrity of the information stored or processed by various systems. The information impact category is used to describe the type of information lost, compromised, or corrupted.

Recoverability

Recoverability represents the scope of resources needed to recover from the incident. In many cases, an entity’s internal computer network defense staff will be able to handle an incident without external support, resulting in a recoverability classification of Regular. An example of a Regular recovery would be a phishing email that was automatically blocked by a mail server. In Extended recoverability cases, significant efforts such as a multi-agency, multi-organizational response task force may be needed for recovery. For example, if an entity requests support from CISA, the incident is by its nature an Extended recovery. Lastly, it may not be feasible to recover from some types of incidents, such as significant confidentiality or privacy compromises.

Regular

Time to recovery is predictable with existing resources.

Supplemented

Time to recover is predictable with additional resources.

Extended

Time to recovery is unpredictable; additional resources and outside assistance may be required.

Not Recoverable

Recovery from the incident is not possible (e.g., sensitive data was exfiltrated and posted publicly, investigation launched).

Cross-Sector Dependency

Cross-sector dependency is a weighting factor that is determined based on cross-sector analyses conducted by CISA.

Potential Impact

The potential impact category estimates the overall national impact resulting from a total loss of service from the affected entity. Other existing standards for rating cybersecurity incident risk do not account for the unique and diverse assets of the critical infrastructure owners and operators and U.S. Government departments and agencies that CISA is tasked with helping to protect. A similar incident at two separate stakeholder facilities might have a significantly different impact on operations at a national level. Therefore, each incident is scored relative to the risk it presents in a nationwide context.

The potential impact value is calculated in advance wherever possible, based on known statistics about the entity in question. Some example statistics that may be used include:

  • number of authorized users in the organization,
  • reported annual revenue or total annual budget, and
  • size of customer base or population served.

Several factors are considered in calculating the potential impact value for individual entities. Certain factors applicable for utility companies, healthcare firms, or financial services institutions are not applicable for Federal Government agencies, so the weighted factors for each type of entity will differ. In developing NCISS, many possible factors were considered for inclusion in potential impact calculations. This particular facet of the scoring system is the subject of continued research and evaluation.

Lastly, due to the inherent difficulties in accounting for all the various circumstances involved in determining the true potential impact, this value in particular should be treated as a best-guess estimate for incident response prioritization purposes, and not as a comprehensive illustration of an entity's importance to the national welfare.

NCISS is designed to provide a repeatable and consistent mechanism for objectively evaluating the risk of a cybersecurity incident in the national context. Having this system in place has already allowed CISA to provide objective assessments of national-level risk for routine and high risk cybersecurity events via a repeatable process, facilitating better prioritization and more timely responses to the needs of CISA’s constituents and mission partners.

An example reference implementation of the system is available to help raise awareness of how NCISS works. The NCISS Incident Scoring Demo is not for operational purposes and does not reflect CISA's specific configuration used in scoring actual incidents.
