Course: Cyber Security

PICERL – A Methodology

The PICERL Methodology, formally known as NIST SP 800-61, provides a framework for incident response (you can find it here). It is important to view this methodology as a flexible process rather than a strict waterfall model: responders move forwards and backwards between stages as an incident develops rather than completing each stage once in order.

The six stages of incident response are:

Preparation

The preparation phase focuses on equipping the Incident Response Team (IRT) to effectively handle incidents. This includes developing playbooks and procedures outlining how to respond to specific incidents, as well as establishing Rules of Engagement to determine whether the team should actively contain threats or monitor them for intelligence.

The IRT must ensure they have the necessary logs, information, and access to effectively conduct responses; lack of access can hinder their effectiveness. Keeping tools and documentation updated, and establishing secure communication channels for ongoing updates to relevant business units and managers, is essential.

Training for both the IRT and other organizational members is critical. Incident Responders should pursue relevant training and certifications while also promoting awareness to prevent the organization from falling victim to threats.

Identification

The identification phase involves analyzing data and events to determine whether they qualify as incidents, a task typically handled by the SOC but also open to input from the IRT. Incidents can arise from alerts generated by security tools such as EDR, IDS/IPS, or SIEM systems, as well as through user reports, emails, or tickets.

The primary goal is to discover incidents and assess their impact and scope. Key questions to consider include:

  • What is the criticality and sensitivity of the affected platform?
  • Is the platform used elsewhere, posing a risk of further compromise?
  • How many users and systems are impacted?
  • What credentials have been compromised, and where else might they be reused?
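
The scoping questions above can be answered systematically once alerts are joined with an asset inventory and authentication logs. The following script is an added illustration, not part of the lesson or of NIST SP 800-61; the asset inventory, alerts and logon records are constructed sample data, and the rule name used to flag credential theft is an assumption. It counts affected hosts and users, rates the most critical platform touched, treats every account that logged on to a host where credentials were dumped as compromised, and lists the other hosts where those credentials were used so the IRT can see where further compromise is possible.

```python
"""Scope an identified incident from alerts, asset criticality and auth logs."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data (not from the lesson): an asset inventory with
# criticality ratings, alerts in the shape an EDR/IDS/SIEM might emit, and
# successful logons used to find where compromised credentials were reused.
ASSETS = {
    "web01":   {"criticality": "high",     "role": "public web"},
    "fs01":    {"criticality": "critical", "role": "file server"},
    "wks-042": {"criticality": "low",      "role": "workstation"},
    "wks-077": {"criticality": "low",      "role": "workstation"},
}

ALERTS = [
    {"source": "EDR",  "host": "wks-042", "user": "alice", "rule": "credential dumping"},
    {"source": "IDS",  "host": "web01",   "user": None,    "rule": "webshell upload"},
    {"source": "SIEM", "host": "wks-042", "user": "alice", "rule": "suspicious powershell"},
]

AUTH_LOGS = [
    {"host": "wks-042", "user": "alice",      "result": "success"},
    {"host": "fs01",    "user": "alice",      "result": "success"},
    {"host": "wks-077", "user": "bob",        "result": "success"},
    {"host": "fs01",    "user": "svc-backup", "result": "success"},
]

CRIT_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
RANK_TO_CRIT = {rank: name for name, rank in CRIT_RANK.items()}


@dataclass
class Scope:
    affected_hosts: set = field(default_factory=set)
    affected_users: set = field(default_factory=set)
    compromised_credentials: set = field(default_factory=set)
    credential_reuse: dict = field(default_factory=dict)  # user -> hosts outside the alert set
    highest_criticality: str = "low"

    @property
    def at_risk_hosts(self):
        """Hosts not yet alerting but reachable with a compromised credential."""
        hosts = set()
        for others in self.credential_reuse.values():
            hosts |= others
        return hosts


def assess_scope(alerts, auth_logs, assets, credential_theft_rules=("credential dumping",)):
    """Answer the identification-phase scoping questions for one set of alerts."""
    scope = Scope()
    theft_hosts = set()
    for alert in alerts:
        scope.affected_hosts.add(alert["host"])
        if alert["user"]:
            scope.affected_users.add(alert["user"])
        if alert["rule"] in credential_theft_rules:  # assumed rule name
            theft_hosts.add(alert["host"])

    # Any account with a successful logon on a host where credentials were
    # dumped is treated as compromised, whether or not it appears in an alert.
    logons = defaultdict(set)  # user -> hosts with a successful logon
    for entry in auth_logs:
        if entry["result"] == "success":
            logons[entry["user"]].add(entry["host"])
    for user, hosts in logons.items():
        if hosts & theft_hosts:
            scope.compromised_credentials.add(user)
            scope.affected_users.add(user)
            elsewhere = hosts - scope.affected_hosts
            if elsewhere:
                scope.credential_reuse[user] = elsewhere

    # Criticality of the affected platforms; hosts missing from inventory count as "low".
    ranks = [CRIT_RANK.get(assets.get(h, {}).get("criticality", "low"), 0)
             for h in scope.affected_hosts]
    if ranks:
        scope.highest_criticality = RANK_TO_CRIT[max(ranks)]
    return scope


if __name__ == "__main__":
    s = assess_scope(ALERTS, AUTH_LOGS, ASSETS)
    print(f"{len(s.affected_hosts)} hosts, {len(s.affected_users)} users affected")
    print(f"highest criticality: {s.highest_criticality}")
    print(f"compromised credentials: {sorted(s.compromised_credentials)}")
    print(f"at-risk hosts via credential reuse: {sorted(s.at_risk_hosts)}")
```

With the constructed data, two hosts and one user are directly affected, the highest criticality among them is the public web server, and alice's credential was also used on the critical file server, which is therefore flagged as at risk before any alert has fired there.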

If an incident is confirmed, the team will transition to the next phase: containment.