The PICERL Methodology, formally known as NIST SP 800-61, provides a framework for incident response (you can find it here). It’s important to view this methodology as a flexible process rather than a strict waterfall model: responders may move forwards and backwards between phases as an incident unfolds.
The six stages of incident response are:
The preparation phase focuses on equipping the Incident Response Team (IRT) to effectively handle incidents. This includes developing playbooks and procedures outlining how to respond to specific incidents, as well as establishing Rules of Engagement to determine whether the team should actively contain threats or monitor them for intelligence.
The IRT must ensure they have the necessary logs, information, and access to effectively conduct responses; lack of access can hinder their effectiveness. Keeping tools and documentation updated, and establishing secure communication channels for ongoing updates to relevant business units and managers, is essential.
Training for both the IRT and other organizational members is critical. Incident Responders should pursue relevant training and certifications while also promoting awareness to prevent the organization from falling victim to threats.
The identification phase involves analyzing data and events to determine whether they qualify as incidents, a task typically handled by the SOC but also open to input from the IRT. Incidents can arise from alerts generated by security tools like EDR, IDS/IPS, or SIEM systems, as well as through user reports, emails, or tickets.
The primary goal is to discover incidents and assess their impact and scope. Key questions to consider include:
If an incident is confirmed, the team will transition to the next phase: containment.
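As an added illustration of the identification phase (example code, not part of the original article), the snippet below correlates a handful of constructed alerts from EDR, IDS, SIEM and a user ticket into candidate incidents by shared host or user, then estimates scope and applies a simple corroboration rule. The alert fields, severity scale and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample alerts, as an IRT might receive them from several sources.
# "severity" is an assumed 1-5 scale; "user" may be absent for network-only alerts.
SAMPLE_ALERTS = [
    {"source": "EDR",    "host": "ws-101",   "user": "alice", "severity": 4, "type": "malware_detected"},
    {"source": "IDS",    "host": "ws-101",   "user": None,    "severity": 3, "type": "c2_beacon"},
    {"source": "SIEM",   "host": "srv-db-1", "user": "alice", "severity": 3, "type": "impossible_travel"},
    {"source": "ticket", "host": "ws-205",   "user": "bob",   "severity": 1, "type": "suspicious_email"},
]


def summarize(group):
    """Turn a cluster of related alerts into an incident candidate with scope and a verdict."""
    hosts = sorted({a["host"] for a in group if a["host"]})
    users = sorted({a["user"] for a in group if a["user"]})
    sources = sorted({a["source"] for a in group})
    max_sev = max(a["severity"] for a in group)
    # Assumed rule: a single high-severity alert, or a medium one corroborated by a
    # second independent source, is treated as an incident; anything else stays an event.
    corroborated = len(sources) >= 2
    is_incident = max_sev >= 4 or (max_sev >= 3 and corroborated)
    return {"hosts": hosts, "users": users, "sources": sources,
            "max_severity": max_sev, "scope": len(hosts) + len(users),
            "is_incident": is_incident}


def correlate(alerts):
    """Cluster alerts that share a host or a user (union-find over entities)."""
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for i, a in enumerate(alerts):
        entities = [e for e in (("host", a["host"]), ("user", a["user"])) if e[1]]
        for e in entities:
            union(("alert", i), e)
    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(("alert", i))].append(a)
    return [summarize(g) for g in groups.values()]


if __name__ == "__main__":
    for candidate in correlate(SAMPLE_ALERTS):
        print(candidate)
```

The EDR, IDS and SIEM alerts chain together through ws-101 and alice into one incident spanning two hosts, while the lone low-severity ticket remains an event to triage.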