Cyber Strategy

Understanding the NIST Incident Response Lifecycle: A Review of Demystifying Cybersecurity, Part 2

June 10, 2026
QUICK SUMMARY

This review examines the final two videos in The Cyber Guild’s Demystifying Cybersecurity: A Ransomware Incident series, exploring how the NIST Incident Response Lifecycle helps organizations prepare for and respond to cyber incidents.

This is Part 2 of a two-part review series. Read Part 1.

Demystifying Cybersecurity: A Ransomware Incident is a four-part video series developed by The Cyber Guild in partnership with College Board. Organized around the National Institute of Standards and Technology (NIST) Incident Response Lifecycle (IRL), the series uses a real-world ransomware scenario to illustrate how cybersecurity incidents unfold and how organizations prepare for and respond to them.

The final two videos, Detect, Contain, Investigate and Build Cyber Resiliency, focus on the following steps from the NIST IRL: Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

See Part 1 of this review series for an overview of the NIST IRL.

What is the NIST Cybersecurity Framework?

The Cybersecurity Framework 2.0 (CSF) from NIST, published in February 2024, is a voluntary framework that US organizations widely treat as the reference point when developing their cybersecurity practices. It is organized into six functions: Govern, Identify, Protect, Detect, Respond, and Recover (see Figure 1 below). The CSF is distinct from the incident response lifecycle that the video series follows, which comes from NIST Special Publication 800-61; the CSF is the program-level framework, and the lifecycle phases map onto its Detect, Respond, and Recover functions.

Figure 1. NIST Cybersecurity Framework 2.0 Functions and Categories (2024)

Below is a brief description of the final three functions, which align with the content covered in Videos 3 and 4 of the Demystifying Cybersecurity series. Under each category, the bullet items are the CSF 2.0 outcome statements (the framework calls them subcategories).

Function: Detect

(Possible cybersecurity attacks and compromises are found and analyzed.)

Categories: Continuous Monitoring and Adverse Event Analysis

Continuous Monitoring: assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

Components:

  • Networks and network services are monitored to find potentially adverse events
  • The physical environment is monitored to find potentially adverse events
  • Personnel activity and technology usage are monitored to find potentially adverse events
  • External service provider activities and services are monitored to find potentially adverse events
  • Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Adverse Event Analysis: anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

Components:

  • Potentially adverse events are analyzed to better understand associated activities
  • Information is correlated from multiple sources
  • The estimated impact and scope of adverse events are understood
  • Information on adverse events is provided to authorized staff and tools
  • Cyber threat intelligence and other contextual information are integrated into the analysis
  • Incidents are declared when adverse events meet the defined incident criteria

Function: Respond

(Actions regarding a detected cybersecurity incident are taken.)

Categories: Incident Management, Incident Analysis, Incident Response Reporting and Communication, and Incident Mitigation

Incident Management: responses to detected cybersecurity incidents are managed

Components:

  • The incident response plan is executed in coordination with relevant third parties once an incident is declared
  • Incident reports are triaged and validated
  • Incidents are categorized and prioritized
  • Incidents are escalated or elevated as needed
  • The criteria for initiating incident recovery are applied

Incident Analysis: investigations are conducted to ensure effective response and support forensics and recovery activities

Components:

  • Analysis is performed to establish what has taken place during an incident and the root cause of the incident
  • Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved
  • Incident data and metadata are collected, and their integrity and provenance are preserved
  • An incident’s magnitude is estimated and validated

Incident Response Reporting and Communication: response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies

Components:

  • Internal and external stakeholders are notified of incidents
  • Information is shared with designated internal and external stakeholders

Incident Mitigation: activities are performed to prevent expansion of an event and mitigate its effects

Components:

  • Incidents are contained
  • Incidents are eradicated

Function: Recover

(Assets and operations affected by a cybersecurity incident are restored.)

Categories: Incident Recovery Plan Execution and Incident Recovery Communication

Incident Recovery Plan Execution: restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents

Components:

  • The recovery portion of the incident response plan is executed once initiated from the incident response process
  • Recovery actions are selected, scoped, prioritized, and performed
  • The integrity of backups and other restoration assets is verified before using them for restoration
  • Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
  • The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
  • The end of incident recovery is declared based on criteria, and incident-related documentation is completed
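The third outcome in the list above, verifying backups before restoring from them, is the one a ransomware response most often gets wrong, because the attacker frequently reaches the backup share too. The following is an added example, not code from the video series, The Cyber Guild, or NIST: it hashes every file at backup time into a manifest, protects the manifest with an HMAC whose key is held by the recovery team rather than on the backup host, and refuses restoration if the MAC fails or any file has changed, gone missing, or appeared. The directory layout, file contents, and key are constructed for the demonstration.

```python
"""Verify a backup against a keyed manifest before restoring from it.

Added example; not code from the video series, The Cyber Guild, or NIST. It
demonstrates the Recover outcome "the integrity of backups and other
restoration assets is verified before using them for restoration". The
directory layout, file contents and the HMAC key are constructed for the demo;
in real use the key lives with the recovery team, not on the backup host.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large backup images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_under(root):
    """Map of relative POSIX path -> Path for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def build_manifest(backup_dir, key):
    """Hash every file at backup time and MAC the listing so it cannot be rewritten unnoticed."""
    entries = {rel: file_digest(p) for rel, p in sorted(_files_under(backup_dir).items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_backup(backup_dir, manifest, key):
    """Return (ok, problems). Check the MAC first, then every file for change, absence or addition."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False, ["manifest MAC mismatch: do not trust this manifest or the backup"]
    present = _files_under(backup_dir)
    problems = []
    for rel, digest in manifest["entries"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif file_digest(present[rel]) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(present.keys() - manifest["entries"].keys()):
        problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Clean backup passes; a file overwritten after backup fails; a re-hashed manifest without the key fails."""
    key = b"constructed-demo-key-kept-offline"  # constructed; a real key is never stored with the backup
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"-- constructed dump\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(backup, key)
        clean = verify_backup(backup, manifest, key)

        # Ransomware reaches the backup share and overwrites a file.
        (backup / "db" / "customers.sql").write_bytes(b"ENCRYPTED")
        tampered = verify_backup(backup, manifest, key)

        # The attacker also rewrites the hash list to match the overwritten file,
        # but cannot recompute the MAC without the offline key.
        forged = {"entries": {**manifest["entries"],
                              "db/customers.sql": file_digest(backup / "db" / "customers.sql")},
                  "mac": manifest["mac"]}
        forged_result = verify_backup(backup, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

The check is only as strong as the key's separation from the backup host: if the key sits next to the manifest, an attacker who can rewrite files can re-sign them too. An offline or immutable backup copy remains the stronger control; this verification is what the restore runbook runs before promoting any copy to production.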

Incident Recovery Communication: restoration activities are coordinated with internal and external parties

Components:

  • Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
  • Public updates on incident recovery are shared using approved methods and messaging

The NIST CSF gives organizations a roadmap for building out every part of a security program, including the capabilities that matter before, during, and after an incident.

Videos 3 and 4 in this series highlight practices that align with components of the NIST CSF.


Key Points in Video 3: Detect, Contain, Investigate

Video 3 (Detect, Contain, Investigate) covers the major phases of cyber incident response.

Key points include:

  • Most attacks first show up as something small (e.g. a screen that won’t load)
  • Detection isn’t about panic; it’s about identifying patterns
  • You need a baseline of your cyber environment so that you know when something is off or wrong
  • Incident response teams need to be well-prepared and ready to go at a moment’s notice, much like firefighters or other first responders
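The baseline point in the list above is what the Detect function's Continuous Monitoring and Adverse Event Analysis outcomes look like in practice. The following is an added example, not code from the video series, The Cyber Guild, or NIST: events from two constructed sources (an EDR feed and a file-audit feed) are compared with a per-host baseline of expected processes and file-rename rates, the resulting adverse events are correlated per host, and an incident is declared only when a hypothetical incident criterion from the IR plan is met. Hosts, users, processes, the baseline numbers, and the log lines are all constructed sample data.

```python
"""Baseline-driven detection and incident declaration over constructed logs.

Added example; it is not code from the video series, The Cyber Guild, or NIST.
It shows the Continuous Monitoring and Adverse Event Analysis outcomes in
practice: events from two sources (EDR and file audit) are compared with a
per-host baseline, correlated, and an incident is declared only when the
defined criteria are met. Hosts, users, processes and log lines are all
constructed sample data.
"""
import shlex
from collections import defaultdict

# Constructed baseline: processes each host normally runs, and the file-rename
# rate per hour observed during a quiet reference week.
BASELINE = {
    "FS01": {"processes": {"svchost.exe", "explorer.exe", "backupagent.exe"},
             "renames_per_hour": 120},
    "WS-42": {"processes": {"svchost.exe", "explorer.exe", "outlook.exe"},
              "renames_per_hour": 15},
}

# Constructed events in the form "<timestamp> <host> <source> key=value ...".
# The whole sample spans two minutes, well inside one baseline hour.
SAMPLE_LOGS = """\
2026-06-10T09:01:02 WS-42 edr process=outlook.exe user=jdoe
2026-06-10T09:01:40 WS-42 edr process=winword.exe user=jdoe parent=outlook.exe
2026-06-10T09:02:05 WS-42 edr process=powershell.exe user=jdoe parent=winword.exe
2026-06-10T09:02:30 FS01 fileaudit action=rename count=90
2026-06-10T09:03:00 FS01 fileaudit action=rename count=2100 ext=.locked
2026-06-10T09:03:10 FS01 edr process=vssadmin.exe user=svc_backup args="delete shadows /all"
"""

# Hypothetical incident criterion, as an organization would write it into its
# IR plan: a host is an incident when a file-rename spike and an unbaselined
# process are both seen on it. A single anomaly stays an adverse event for triage.
SPIKE_MULTIPLIER = 5


def parse_line(line):
    """Split one log line into a dict; shlex keeps quoted values such as args="..." intact."""
    ts, host, source, *pairs = shlex.split(line)
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": ts, "host": host, "source": source, **fields}


def find_adverse_events(log_text, baseline):
    """Compare every event with its host's baseline; return (host, kind, detail) tuples."""
    events = []
    renames = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev["host"]
        norm = baseline.get(host)
        if norm is None:  # a host with no baseline at all is itself anomalous
            events.append((host, "unknown_host", ev))
            continue
        if ev["source"] == "edr" and ev["process"] not in norm["processes"]:
            events.append((host, "unbaselined_process", ev))
        if ev["source"] == "fileaudit" and ev.get("action") == "rename":
            renames[host] += int(ev["count"])
    for host, total in renames.items():  # file-audit totals against the baseline rate
        if total > SPIKE_MULTIPLIER * baseline[host]["renames_per_hour"]:
            events.append((host, "rename_spike", {"count": total}))
    return events


def declare_incidents(events):
    """Correlate adverse events per host and declare incidents that meet the criterion."""
    kinds_by_host = defaultdict(set)
    for host, kind, _ in events:
        kinds_by_host[host].add(kind)
    return [(host, "suspected ransomware encryption")
            for host, kinds in kinds_by_host.items()
            if {"rename_spike", "unbaselined_process"} <= kinds]


if __name__ == "__main__":
    found = find_adverse_events(SAMPLE_LOGS, BASELINE)
    for host, kind, detail in found:
        print(f"adverse event  {host:6} {kind:22} {detail}")
    for host, label in declare_incidents(found):
        print(f"INCIDENT       {host:6} {label}")
```

On the sample data the workstation produces two unbaselined processes (a Word document spawning PowerShell) and stays at the adverse-event level for an analyst to look at, while the file server crosses both thresholds and is declared an incident. That split is the point of the video's "patterns, not panic" framing: the baseline turns a pile of anomalies into a small number of decisions.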

Personal Reactions to Video 3: Detect, Contain, Investigate

I found this to be a highly informative video, which will reward multiple views to best absorb all of its content.

When shared with younger viewers (my 8th-grade twins), they noted that:

  • Human connections are important: ensure clear communications by having contact phone numbers at hand
  • Preparation is important, and lots of options were offered
  • A lot of information was presented, and they both zoned out at times during the video. I agree that this video requires more focused attention than the others in the series.

Main Takeaway – The Human Element

As we learned in Video 1: Why Cybersecurity Matters, it is humans who are the first to respond to a cyber incident.

Two main points from Video 3 relate to that human element:

  • Incident response plans require clear details about communications: who to contact both inside and outside the organization, contact phone numbers, etc.
  • Tools won’t solve every problem: you still need the human element to ensure that the right tool is used

A communications plan is written during the Preparation phase of the IRL, but it is exercised during the Detection and Analysis and Containment, Eradication, and Recovery phases, when clear communication matters most.

Not only should the right people on the response team know who to contact and when, but it is vital to build relationships with those other stakeholders ahead of time to ensure the most effective working relationship. Cultivating those relationships is something that AI cannot replicate.

AI is also unlikely to be able to make the right call consistently regarding which tool to use and when, since people are best equipped to understand the business and human needs that must inform incident response.


Key Points in Video 4: Build Cyber Resiliency

Video 4 (Build Cyber Resiliency) covers the fourth and final phase of the NIST IRL: Post-incident Activity. This is what is often called the lessons learned process.

Key points include:

  • Three crucial questions to ask post-incident: How do we keep operations from failing again? How do we rebuild trust? How do we handle the financial and legal fallout without compounding the damage?
  • What comes after isn’t cleanup; it’s strategy
  • Having backups of systems and data is very important
  • Data retention policies are important: how long should sensitive data be retained? Do we really need to retain certain data?
  • Employee responsibilities for data security should be clear in the employee handbook

Main Takeaway – Data Retention and Incidents as Learning Opportunities

I really like the point that is made about data retention policies. Having clear policies in place regarding how long data should be retained, or specifying which types of data must be retained and which types do not need to be, can improve security and lower resource usage for an organization.

If there is no need to hold on to data that attackers might target, then do not retain it. Data you no longer hold cannot be stolen, leaked, or encrypted, and its absence limits the financial and legal fallout if a breach does occur.

Additionally, organizations must learn from each incident that occurs, so that future incidents can be avoided and incident response can become more effective. Using lessons learned to drive security improvements means that similar incidents are less likely to occur again. Organizations must be able to move forward from a mishap and regain trust that was lost.


Final Thoughts

Demystifying Cybersecurity: A Ransomware Incident is a well-produced and excellent introduction to the world of cybersecurity. Viewers with no prior knowledge of the topic will come away with a deeper understanding of why cybersecurity is important and how cyber attacks impact real people and the systems we interact with every day.

Videos 3 and 4 do an excellent job of guiding the viewer through the remaining phases of the NIST IRL. Not only are viewers introduced to an important framework for incident response, but the use of a ransomware incident is a good choice because those incidents are often in the news and understood by people of all ages.


Are you ready to take the next step in your cybersecurity journey?

The Cyber Guild connects leaders, practitioners, and emerging talent through events, mentorship, and community.

👉 Explore upcoming events
👉 Subscribe to our mailing list
👉 Learn more about RISE Mentorship

ABOUT THE AUTHOR
Stephen Thursby

Stephen Thursby holds a Ph.D. in Musicology and has taught at both the elementary and college levels. He holds CompTIA Security+ certification and will be interning with the Center on Cyber and Technology Innovation within the Foundation for Defense of Democracies (FDD) during the summer of 2026. His areas of focus lie in cybersecurity policy and identity security. Stephen also volunteers with the Cybersecurity Canon project, helping recruit cyber professionals to review books about or related to cybersecurity.