Incident Mitigation
Updated Jan 30, 2024
Incident Mitigation Mode
Once the full incident response team assembles, they move beyond isolation and quarantine, entering full mitigation mode to control damage and loss.
- Focus on controlling damage and limiting loss to the organization.
- Incident containment activities will vary based on the incident's severity.
Containment Strategies
The National Institute of Standards and Technology (NIST) outlines six criteria to assess potential containment strategies.
- Damage and Theft Potential
  - Assess risk to sensitive data and resources.
  - Ensure containment limits unauthorized access.
- Evidence Preservation
  - Focus on preserving evidence.
  - Protect evidence for legal and forensic needs.
  - Avoid strategies that delete or corrupt key data.
- Service Availability
  - Responders should evaluate service availability requirements.
  - Balance containment with maintaining essential services.
  - Consider segmenting affected systems to limit impact.
- Time and Resources
  - Estimate time and staff needed for containment.
  - Ensure resources are available for quick action.
- Effectiveness
  - Determine if the strategy fully or partially contains the threat.
  - Consider partial fixes if full containment is not immediate.
- Duration
  - Evaluate how long the containment will be effective.
  - Plan for transitioning from temporary to permanent fixes.
Organizations should use these criteria to balance security and business needs during incident response.
- Strategies should align with business needs while maintaining security objectives.
- Incident responders should use judgment and consult management and stakeholders when possible.
Attacker Response to Containment
Containment actions may alert the attacker, causing them to accelerate harmful activities.
- Attacker may speed up activities to cause more damage.
- Attacker might destroy evidence or perform other actions to hinder the response.
Post-Containment
After containment, the organization should reach a semi-stable state where:
- The incident appears to be over with no immediate threat.
- Business operations function, potentially with temporary workarounds.
- The organization is ready to proceed to recovery and reconstitution.