Anyhow, the new 3rd revision of NIST 800-61 (formerly the Computer Security Incident Handling Guide) is fan-fucking-tastic.
It makes huge changes to the recommendations for process improvement, including not waiting until an incident is wrapped up to share your "lessons learned."
It also rips apart the traditional "phases" of incident response and re-maps the tasks in them to CSF 2.0 "functions." It even includes specific CSF 2.0 controls for each IR function.
Instead of the phases of Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activities, we now have Govern, Identify, Protect, Detect, Respond, and Recover.
This is way more closely aligned with how real world incidents play out in this, our most cursed timeline.
The document focuses far less on the "plan" for incident response and far more on the controls behind a good IR program.
I'm very happy with these changes, especially since I'm diving into the document to prepare for a big IR plan update at work.
A++, NIST.
I am way too excited about a compliance document.
#CyberSecurity #DFIR #IncidentResponse #InformationSecurity