Analecta Cyber Company Blog: Calling a Spade a Spade… Incident Classification and Your Response Plan



During a cybersecurity incident response, decisions need to be made quickly and accurately. One way to speed up response is to tailor your incident response strategies and tasks to the different types of cybersecurity incidents you expect to face. By creating an incident classification framework or matrix, you can prioritize incident response efforts and develop meaningful metrics for future remediation.

Incident classification

The NIST Cybersecurity Framework recommends that incidents be categorized consistent with the response plan, but what does that look like in practice? The tasks assigned in your incident response plan will differ based on the mechanics of a given attack. Is it a spearphishing attempt to harvest login credentials, or an attack against your public web server? Each calls for different containment and remediation steps, and you can only select them once you have classified the attack.

The MITRE Corporation, an American not-for-profit that operates federally funded research and development centers for the U.S. government, maintains the Common Attack Pattern Enumeration and Classification (CAPEC). CAPEC organizes attack patterns into two main views:
  1. Mechanisms of Attack - how did the attacker exploit the weakness (for example, injecting unexpected input, abusing existing functionality, or subverting access control)?
  2. Domains of Attack - what did the attack target: software, hardware, communications, supply chain, social engineering or physical security?
Use these two CAPEC views to describe the attacks that compromise your company. As you experience further attacks, including unsuccessful ones, add details or subcategories as needed.

Getting further in the weeds: Determining the severity and classification of the attack

Incident classification informs your response plan better still when paired with incident severity ratings. As with a risk assessment, the severity you assign to a particular type of incident, spearphishing for example, may differ completely from the rating another company would give it. Severity ratings are based on 1) the likelihood of an incident occurring in your environment, paired with 2) the impact the incident would have on your business.

[Incident severity rating matrix, Analecta LLC graphic]
An Incident Severity Rating Matrix pairs the likelihood of an event occurring in your environment with the impact it will have on your networks and systems.

In the severity rating matrix above, four severity ratings are used: Low, Medium, High and Emergency. Three to five levels is common practice, but use as many as your organization needs. Beyond severity, you can add further columns to your incident classification matrix, such as root cause, data exposed and type of impact.

Use incident classification to promote your response

Now that you have classified the attack by incident type and severity rating, tie it to your response plan. Include specific targets for acceptance, containment and resolution in your incident response plan, or in the service level agreement (SLA) if you contract out incident response duties.

Plan ahead: identify potential mitigation strategies for attacks arriving by different vectors and include them in the response plan. NIST guidance (SP 800-61) is explicit that definitive classification of incidents by attack vector is not the end goal; the vector categories are a basis for defining more specific handling procedures. Provide examples in your response plan of how your company would handle an attack that arrives through improper usage, removable media, the web and other vectors. The plan need not enumerate every way an email attack can occur, but it should name mitigation strategies for each major attack vector.

[Incident classification matrix, Analecta LLC graphic]
An Incident Classification Matrix is used by the Information Security Team (IST) upon receipt of an event (Acceptance), through Containment of the event, and through Recovery of the system to its pre-attack state.

Consider including expected response times (resolution times) for each phase in your classification matrix as well. These targets give your incident response team clear guidance on how urgently to proceed.
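To make the matrix, the vector-based handling procedures and the per-phase response times concrete, here is an added worked example; it is not Analecta's tooling and not code from the post. It scores an incident on the likelihood x impact matrix, picks a handling playbook by attack vector (the vector list is the one in NIST SP 800-61 Rev. 2; the playbook identifiers and steps are assumed), and grades the acceptance, containment and resolution clocks against SLA targets. The matrix cells, the SLA durations and the sample incident are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Level(IntEnum):
    """Likelihood or impact rating; three levels, as on the matrix axes."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Severity(IntEnum):
    """The four severity ratings used in the post's matrix."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    EMERGENCY = 4


# Likelihood x Impact -> Severity. Cell values are an ASSUMPTION for this example;
# each organization fills its own matrix according to its risk appetite.
SEVERITY_MATRIX: Dict[Tuple[Level, Level], Severity] = {
    (Level.LOW, Level.LOW): Severity.LOW,       (Level.LOW, Level.MEDIUM): Severity.LOW,
    (Level.LOW, Level.HIGH): Severity.MEDIUM,   (Level.MEDIUM, Level.LOW): Severity.LOW,
    (Level.MEDIUM, Level.MEDIUM): Severity.MEDIUM, (Level.MEDIUM, Level.HIGH): Severity.HIGH,
    (Level.HIGH, Level.LOW): Severity.MEDIUM,   (Level.HIGH, Level.MEDIUM): Severity.HIGH,
    (Level.HIGH, Level.HIGH): Severity.EMERGENCY,
}

# Acceptance, containment and resolution targets per severity, all measured from
# the time the event was reported. Durations are ASSUMED SLA values.
SLA: Dict[Severity, Dict[str, timedelta]] = {
    Severity.LOW: {"acceptance": timedelta(hours=24), "containment": timedelta(days=5), "resolution": timedelta(days=30)},
    Severity.MEDIUM: {"acceptance": timedelta(hours=8), "containment": timedelta(days=2), "resolution": timedelta(days=14)},
    Severity.HIGH: {"acceptance": timedelta(hours=1), "containment": timedelta(hours=8), "resolution": timedelta(days=3)},
    Severity.EMERGENCY: {"acceptance": timedelta(minutes=15), "containment": timedelta(hours=2), "resolution": timedelta(hours=24)},
}

# Attack vectors from NIST SP 800-61 Rev. 2, each tied to a handling procedure.
# Playbook identifiers and their steps are ASSUMED placeholders.
PLAYBOOKS: Dict[str, str] = {
    "email": "PB-EMAIL: purge message from mailboxes, reset exposed credentials, block sender and URLs",
    "web": "PB-WEB: isolate the server, preserve logs, patch or roll back, review perimeter rules",
    "external/removable media": "PB-MEDIA: quarantine the host, image the drive, hunt for lateral movement",
    "improper usage": "PB-USAGE: preserve evidence, revoke access, engage HR and legal",
    "attrition": "PB-ATTRITION: block or rate-limit the source, lock targeted accounts, review auth logs",
    "impersonation": "PB-IMPERSONATION: verify out of band, block the spoofed domain, notify affected parties",
    "loss or theft of equipment": "PB-LOSS: remote wipe, revoke device certificates, rotate stored credentials",
    "other": "PB-GENERIC: contain, collect evidence, escalate for manual triage",
}


@dataclass
class Incident:
    ident: str
    vector: str
    likelihood: Level
    impact: Level
    reported: datetime
    accepted: Optional[datetime] = None
    contained: Optional[datetime] = None
    resolved: Optional[datetime] = None


def classify(inc: Incident) -> Severity:
    """Look the incident up in the likelihood x impact matrix."""
    return SEVERITY_MATRIX[(inc.likelihood, inc.impact)]


def playbook(inc: Incident) -> str:
    """Select the handling procedure by attack vector; unknown vectors fall back to 'other'."""
    return PLAYBOOKS.get(inc.vector.lower(), PLAYBOOKS["other"])


def sla_status(inc: Incident, now: datetime) -> Dict[str, str]:
    """Grade each phase against its deadline: met, missed, open (still within SLA) or overdue."""
    stamps = {"acceptance": inc.accepted, "containment": inc.contained, "resolution": inc.resolved}
    status: Dict[str, str] = {}
    for phase, allowed in SLA[classify(inc)].items():
        deadline = inc.reported + allowed
        done_at = stamps[phase]
        if done_at is not None:
            status[phase] = "met" if done_at <= deadline else "missed"
        else:
            status[phase] = "overdue" if now > deadline else "open"
    return status


def triage(inc: Incident, now: datetime) -> Dict[str, object]:
    """One record the IST can act on: severity, playbook, and where each SLA clock stands."""
    return {"id": inc.ident, "severity": classify(inc).name, "playbook": playbook(inc), "sla": sla_status(inc, now)}


# Constructed sample: a spearphishing report (email vector) that was accepted
# quickly but took twelve hours to contain; resolution is still in progress.
SAMPLE = Incident(
    ident="INC-0001", vector="email", likelihood=Level.HIGH, impact=Level.MEDIUM,
    reported=datetime(2019, 1, 7, 9, 0), accepted=datetime(2019, 1, 7, 9, 30),
    contained=datetime(2019, 1, 7, 21, 0),
)
NOW = datetime(2019, 1, 8, 9, 0)  # constructed "current time", one day after the report

if __name__ == "__main__":
    print(triage(SAMPLE, NOW))
```

Note that the clocks here all start at the report time; if your SLA starts the containment and resolution clocks at acceptance instead, change `deadline` accordingly and say so in the SLA, since the two conventions give different answers for the same timeline.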

Start the new year off right!

Still unsure where to start? Contact us about our 96-point Cyber Risk Assessment. Using a holistic approach and industry standards, our Cyber Risk Assessment enables small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. Our assessment identifies the most important next steps in your firm's cybersecurity program to maximize protection. Email us or visit our Cybersecurity website.

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessment for small and medium sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives.

