This phase focuses on establishing an effective incident response and management capability to respond to and mitigate cybersecurity incidents. It includes developing an incident response plan, establishing communication protocols, and conducting drills and exercises with the Dark Red Team (DaRT) to test incident response readiness.

In the event of a confirmed security incident, the SOC takes immediate action to contain, mitigate, and resolve the issue. This involves coordinating with relevant teams, such as network engineers, system engineers, software engineers, etc. The SOC follows predefined incident response plans to ensure a swift and effective response.

The SOC conducts in-depth forensic investigations to determine the root cause of security incidents and breaches. They collect and analyze digital evidence, reconstruct the attack timeline, and provide recommendations to prevent similar incidents in the future.

Response Planning (RS.RP):

Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.

  • RS.RP-1: Response plan is executed during or after an incident

Communications (RS.CO):

Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).

  • RS.CO-1: Personnel know their roles and order of operations when a response is needed
  • RS.CO-2: Incidents are reported consistent with established criteria
  • RS.CO-3: Information is shared consistent with response plans
  • RS.CO-4: Coordination with stakeholders occurs consistent with response plans
  • RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

Analysis (RS.AN):

Analysis is conducted to ensure effective response and support recovery activities.

  • RS.AN-1: Notifications from detection systems are investigated 
  • RS.AN-2: The impact of the incident is understood
  • RS.AN-3: Forensics are performed
  • RS.AN-4: Incidents are categorized consistent with response plans
  • RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

Mitigation (RS.MI):

Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

  • RS.MI-1: Incidents are contained
  • RS.MI-2: Incidents are mitigated
  • RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

Improvements (RS.IM):

Post 288 response activities are improved by incorporating lessons learned from current and previous detection/response activities.

  • RS.IM-1: Response plans incorporate lessons learned
  • RS.IM-2: Response strategies are updated