Dynamic Incident Response

1. Incident Response Models and Their Limitations

Incident response models provide a structured approach to managing and responding to cybersecurity incidents. These models outline the important phases and steps in the incident response process, helping organizations effectively prepare for, detect, respond to, and recover from incidents. Several incident response models have been developed and adopted by organizations worldwide, each with a unique approach and emphasis.

The Classic Model: PICERL

The classic model used for incident response is the PICERL model (pronounced Pick Earl), developed by Dr. Eugene Schultz in 1990. [1] The PICERL model was refined over the following years by the US Navy, the Carnegie Mellon University Software Engineering Institute, and the SANS Institute. It provides a systematic framework for incident response.

PICERL is an acronym for the following steps:

  • Preparation

  • Identification

  • Containment

  • Eradication

  • Recovery

  • Lessons Learned

Each step builds on the previous one, providing a logical progression from readiness through resolution.

This model is often illustrated as a linear set of steps or as a stepped process, as shown in Figure 1 and Figure 2. In both illustrations, the process starts by preparing the organization for an incident and performing identification steps to discover incidents (e.g., threat hunting, log analysis, incident reporting). When an incident is identified, the incident response team limits its impact by containing it and collecting evidence for analysis. Using this evidence, the incident response team assesses the incident details and eradicates the threat. After the threat is eradicated, the organization recovers from the incident, followed by a lessons learned analysis to improve future incident response.

Six phases shown left to right with arrows: Preparation through Lessons Learned with icons for each step
Figure 1. PICERL Model, Linear
Staircase waterfall diagram showing six PICERL phases descending from Preparation to Lessons Learned with transition labels and a loop-back arrow
Figure 2. PICERL Model, Stepped

The PICERL incident response model provides organizations with a clear framework for responding to incidents and has been widely adopted across the industry. It offers a practical set of steps to follow, and it emphasizes the need for actions that are often overlooked, such as limiting the attacker’s opportunities through containment and learning from incidents to improve future responses.

The NIST Model: SP 800-61

In 2012, the National Institute of Standards and Technology (NIST) published Special Publication 800-61, Computer Security Incident Handling Guide. NIST SP 800-61 provides recommendations for preparing for, detecting, analyzing, and responding to incidents. It describes a process known as the Incident Response Life Cycle, as shown in Figure 3, focusing on four main phases:

  • Phase 1: Preparation

  • Phase 2: Detection and Analysis

  • Phase 3: Containment, Eradication, and Recovery

  • Phase 4: Post-Incident Activity

These phases emphasize the cyclical nature of incident response, with lessons learned feeding back into improved preparation.

Four-phase cyclical flow diagram with arrows linking Preparation through Post-Incident Activity
Figure 3. NIST Incident Response Life Cycle

The NIST model is similar to the PICERL model; however, it prescribes a more flexible approach to the elements that follow incident discovery, summarizing the containment, eradication, and recovery steps in the PICERL model as a single phase. SP 800-61 offers more detailed guidance on the detection and analysis phases, with a post-incident activity phase that emphasizes not only lessons learned analysis (like PICERL) but also the collection and analysis of metrics for future resource allocation, and incident information sharing with a broader community.

NIST SP 800-61 Revision 3 and the Cybersecurity Framework

The evolution from NIST SP 800-61 Revision 2 to Revision 3 reflects a structural change in how NIST positions incident response within organizational cybersecurity programs. While the Revision 2 guide provided tactical incident handling guidance, the Revision 3 guide reframes incident response as an integrated component of broader cybersecurity risk management activities, eliminating the former four-step incident response life cycle model. The new revision, retitled "Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile," aligns incident response with the NIST Cybersecurity Framework 2.0, moving away from the discrete incident handling methodology that characterized the previous version.

This restructuring changes the guidance on how organizations should approach incident response planning and implementation. Revision 3 requires incident response capabilities to be considered across the core CSF guidelines:

  • Govern (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

  • Identify (ID): The organization’s current cybersecurity risks are understood.

  • Protect (PR): Safeguards are used to manage the organization’s cybersecurity risks.

  • Detect (DE): Possible cybersecurity attacks and compromises are found and analyzed.

  • Respond (RS): Actions regarding a detected cybersecurity incident are taken.

  • Recover (RC): Assets and operations affected by a cybersecurity incident are restored.

Together, these functions position incident response as one component of a comprehensive cybersecurity program rather than a standalone capability. [2]

The document now serves as a CSF 2.0 community profile, meaning organizations using the Cybersecurity Framework must integrate incident response considerations into their broader risk management processes and control implementations. The formerly circular incident response model is replaced with a flow that aligns with the CSF functions, as shown in Figure 4.

Three-tier diagram mapping CSF functions to incident response phases: Govern/Identify/Protect at bottom feeding into Improvement and a Detect/Respond/Recover cycle at top
Figure 4. NIST SP 800-61 Revision 3 Functions Aligned with the Cybersecurity Framework

Revision 3 shifts from Revision 2’s prescriptive incident-handling procedures to Revision 3’s framework-oriented approach that emphasizes organizational integration. Where Revision 2 provided specific methodologies and workflows for incident response teams, Revision 3 focuses on how incident response activities should inform and be informed by enterprise-wide cybersecurity decisions. As a high-level strategy for organizations, the Revision 3 guide encourages a more holistic view of incident response, embedding it within the overall cybersecurity posture rather than treating it as a standalone function. This is an important evolution. It reflects the growing recognition that effective incident response requires coordination across multiple organizational domains, including IT, legal, communications, and executive leadership. However, it does so by removing the detailed, step-by-step guidance that many incident response teams have relied on to guide the technical aspects of incident response.

Variations on the Classic Model

Many product and consulting service providers publish their own incident response models. These variations are often minor modifications of the PICERL model, with additional emphasis that reflects the publishing organization’s incident response practices and experiences.

For example, several organizations advocate a seven-step incident response model that adds a re-testing step after the lessons learned step.

In the event of a cybersecurity incident, best practice incident response guidelines follow a well-established seven step process: Prepare; Identify; Contain; Eradicate; Restore; Learn; Test and Repeat.
— Applied Risk
Seven steps to implementing a successful incident response plan
Staircase bar chart listing seven numbered steps from Prepare through Test in ascending order
Figure 5. Seven-Step Incident Response Model, Applied Risk BV (a DNV Company)

Other variations include a communication or documentation step following the eradication step. These variations are not substantively different from the PICERL model, but they may offer additional guidance or greater emphasis on specific aspects of incident response important to the publishing organization.

Other guidelines advocate for a circular model. One example is the Virginia Tech Guide for Cyber Security Incident Response. This guide advocates for a response process that includes preparation, identification/detection/analysis, containment, eradication, recovery, and incident closure, returning to the preparation phase.

Circular flow diagram with six phases from Preparation through Incident Closure connected by arrows forming a continuous loop
Figure 6. Virginia Tech Incident Response Process Model

Each of these models aims to provide a structured, organized methodology for incident response, with slight variations that reflect the experiences and priorities of the organization that developed them. While these variations of the classic model may offer additional insights or emphasis, they generally fall short of addressing important shortcomings in how organizations should best respond to modern cybersecurity incidents.

Shortcomings in Existing Models

While these models provide helpful guidance based on their authors' experience, several common shortcomings persist across them, including:

  • Insufficient emphasis on scoping

  • Emphasis on linear models

  • Inadequate resource prioritization guidance

  • Lack of incident verification requirements

  • Lack of root cause analysis

Understanding these limitations helps organizations adapt existing models to better fit their operational needs.

Insufficient Emphasis on Scoping

Scoping in incident response is the process of understanding the breadth of an incident. Neither the NIST SP 800-61 nor the PICERL models explicitly address this important step, which can lead to an incomplete understanding of the incident.

For example, consider an incident in which an analyst identifies that an unauthorized user has been added to a local system. Without proper scoping, the analyst may not realize that they were also added to multiple systems, resulting in an incomplete response. Scoping encourages responders to use available information to better understand the extent of the incident as part of the response effort.

Emphasis on Linear Models

In most representations of the PICERL model, the incident response process is a linear set of steps, starting with preparation and ending with lessons learned. In some adaptations, the process includes an iterative step, couched in phrases such as may or could to indicate the need to return to previous steps.

The NIST SP 800-61 model emphasizes a non-linear approach, with the detection and analysis steps repeated as more affected hosts are identified.

If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them.
— NIST SP 800-61r2 table 3-5
Incident Handling Checklist

However, the need for an iterative loop during containment, eradication, and recovery is not emphasized anywhere else in the NIST SP 800-61r2 document, and it is also missing from the 800-61r3 document. Effective incident response relies on an iterative analysis process to ensure that all affected systems are identified and addressed. The linear models do not provide sufficient guidance on this important aspect of the incident response process.

Inadequate Resource Prioritization Guidance

Few organizations have unlimited resources to respond to incidents. When responding to an incident, organizations need to prioritize available resources to respond effectively in alignment with business imperatives.

Neither the NIST SP 800-61 nor the PICERL models call out the need for resource prioritization, which can lead to inefficient resource use during incident response. This has the greatest impact when an incident affects multiple systems used by an organization, as the organization may not have the resources to respond to all affected systems concurrently. Further, aligning the business needs with the incident response effort is an important factor in ensuring the response is effective.

Lack of Incident Verification Requirements

In some cases, the presence of an incident is immediately clear. A defaced website, for example, is an obvious incident that requires a response. However, it may not always be clear that an event is an incident that requires the attention of the incident response team.

For example, consider the case where an organization receives numerous user complaints that an application server is slow or unresponsive throughout the workday. An investigation by the systems team reveals that the server has several unexpected processes consuming significant CPU and memory. This could represent an event that warrants a response from the incident response team, but it could also be a misconfiguration or a performance issue that does not require an incident response effort.

While implicitly part of the detection and analysis phase in NIST SP 800-61 and the identification phase in PICERL, neither process explicitly requires verifying that the event is an incident that requires a response. This can lead to inefficient resource use and costly responses to events that interrupt other important work.

Lack of Root Cause Analysis

Understanding the root cause of an incident is important to effectively remedy future vulnerabilities. Without understanding the root cause, organizations may find themselves responding to the same incident multiple times, or failing to effectively remedy the vulnerability that led to it in the first place.

For example, consider an incident in which an organization is compromised due to a weak password on a critical system. While changing the weak password would address the exploited vulnerability, root cause analysis would indicate that several other considerations should also be addressed: password complexity policy, password auditing using cracking tools, remote access controls for the system, and more.

Both NIST SP 800-61 and PICERL call for lessons learned analysis and post-incident activities, but neither model explicitly calls out the need for root cause analysis. Root cause analysis is an important element in understanding the nature of the vulnerabilities that led to the incident. Without it, teams often have an incomplete understanding of the incident and an ineffective response effort.

The Need for a Modern Approach

The shortcomings identified in this chapter are not failures of the models themselves but reflections of how incident response has evolved since their introduction. Modern incidents are more complex, affecting multiple systems across diverse environments, and organizations face increasing pressure to respond quickly while managing limited resources.

An effective incident response model should address these gaps directly. It should support an iterative process that accommodates the non-linear nature of real-world incidents. It should guide responders in scoping the breadth of an incident, verifying that an event warrants a response, and prioritizing resources in alignment with business objectives. It should also encourage root cause analysis as a standard part of the response effort.

The next chapter introduces such a model, one designed to reflect the realities of modern incident response while building on the foundational concepts that existing models provide.

1. "Responding to Computer Security Incidents: Guidelines for Incident Handling," UCRL-MA-106650
2. Incident Response Recommendations and Considerations for Cyber Risk Management, retrieved from nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf.