ELI5: What is the NIST IR Lifecycle?
NIST wrote the official step-by-step plan for handling a security problem: get ready, spot the problem, stop and fix it, then review what happened. It is the playbook everyone follows.
Definition
The NIST Incident Response lifecycle, defined in NIST SP 800-61 (Computer Security Incident Handling Guide), provides a four-phase framework for managing security incidents. It is the most commonly referenced IR framework for Security+ and provides a structured approach to handling incidents from preparation through post-incident improvement.
Key Details
- Phase 1 - Preparation: build the IR team, create playbooks, deploy detection tools, train staff, conduct exercises
- Phase 2 - Detection & Analysis: identify incidents, determine scope/severity, prioritize response
- Phase 3 - Containment, Eradication & Recovery: isolate systems, remove threats, restore operations
- Phase 4 - Post-Incident Activity: lessons learned, report writing, process improvement
- The lifecycle is iterative — lessons learned from Phase 4 improve Phase 1 preparation for future incidents
Connections
- Parent: incident-response — the NIST IR lifecycle is the primary framework for incident response
- See also: preparation