Fairdinkum > Blog > Cybersecurity > Are Your IT Systems Slow or Under Attack?
Dark Mode

Are Your IT Systems Slow or Under Attack?

Incident Response Phase #2: Identification

The wildfires in California, the hurricane damage in North Carolina and the steady stream of cyberattacks increasing throughout the country show how quickly and unexpectedly any organization’s data becomes threatened. Having an incident response plan (IRP) in place before disaster strikes is vital to not only your company’s recovery but also the messaging around the situation. That is achieved with pre-disaster preparation and documentation.

However, responding to cyber threats is different than responding to natural disasters. To address data breaches, ransomware and DDOS attacks, the IRP needs a second phase: identifying and classifying potential incidents.

Identify the Type of Incident

You notice something weird is happening in your system—an uptick in spam email, the network connection lagging, reports that your website is down or a spike in alerts. Is it a cyberattack or something else?

This is when the Identification Phase of your IRP kicks in. This is the procedure to determine if an incident has occurred and, if so, what type of attack it is, its severity and intensity, and what the impact is on your organization.

The National Institute of Standards and Technology (NIST) offers a document with recommended steps to identify and classify a potential incident:

  • Pinpoint the signs of the potential incidents.
  • Analyze those signs to see if they are a precursor of an incident, an indicator that a breach did occur or false positives.
  • Document all information about the incident. This includes log files before and after the incident, details of the areas of the network impacted and what data may have been compromised.
  • Prioritize incidents. Not all cyberattacks are equal, and it is up to the incident response team to score incidents based on a number of factors, such as data sensitivity, business functions, recoverability, impact of downtime, etc.
  • Notify appropriate stakeholders. Once the incident has been verified as legitimate and prioritized, notification of the departments and people affected should occur rapidly.

Classify the Severity of the Incident

NIST considers prioritization of incidents as the most critical step in the identification phase. This requires classifying or scoring each incident. Classification allows the team to determine how to best allocate resources and put the right people in place for remediation. The Cybersecurity and Infrastructure Security Agency (CISA) developed a scoring system to offer incident response teams guidance through the National Cyber Incident Scoring System (NCISS). This gives organizations a consistent guideline to determine the risk level of an incident. NCISS’s areas for assessment are as follows:

  • Functional impact
  • Observed activity
  • Location of observed activity
  • Actor characterization
  • Information impact
  • Recoverability
  • Cross-sector dependency
  • Potential overall organizational impact

Each of these categories are given a score and the total score is then prioritized into one of six levels of severity: baseline, low, medium, high, severe and emergency.

Once the incident is identified and classified, the IRP moves to Phase 3: Containment.

Category: Cybersecurity
Last Updated: On January 28, 2025