Incident response lifecycle
Definition
The structured sequence of phases NIST SP 800-61 defines for handling computer security incidents: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. The lifecycle is cyclic; lessons from the final phase feed back into the first.
Related terms
- Containment strategy
- A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting...
- Eradication
- The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised...
- Incident response plan
- A formal document that defines an organisation's approach to incident handling: roles and responsibilities, escalation paths, communication procedures, legal and regulatory obligations,...
- Indicators of compromise (IoCs)
- Artefacts observed on a network or system that suggest an intrusion or malicious activity has occurred, such as unusual outbound connections, known-malicious...
- Lessons-learned meeting
- A structured post-incident review, recommended by NIST within approximately two weeks of incident resolution, that examines what happened, what the response did...
Explained in
- The NIST SP 800-61 Incident Response LifecycleThe structured sequence of phases NIST SP 800-61 defines for handling computer security incidents: Preparation, Detection and Analysis, Containment/Eradication...