Incident Report Analysis using NIST CSF
Analysed a DDoS attack on an organisation's network using the NIST Cybersecurity Framework — structuring a full incident response across all five functions: Identify, Protect, Detect, Respond, and Recover.
Overview
What Happened
The organisation experienced a sudden and complete loss of network services. Investigation revealed the cause: a DDoS attack using an ICMP flood, which overwhelmed network capacity and blocked all legitimate traffic.
The team responded by blocking the attack at the firewall and shutting down non-critical services to restore critical systems first. I then produced a structured incident analysis using the five functions of the NIST Cybersecurity Framework.
Framework Applied
NIST CSF — Five Functions
Detailed Findings
Response Breakdown
🔎 Identify
A malicious actor targeted the organisation with an ICMP flood attack. The entire internal network was affected — all critical network resources needed to be secured and restored to a functioning state.
🛡️ Protect
A new firewall rule was implemented to limit the rate of incoming ICMP packets. An IDS/IPS system was deployed to filter suspicious ICMP traffic based on known attack signatures, preventing the same attack vector from being exploited again.
📡 Detect
Source IP address verification was configured on the firewall to detect and block spoofed IPs — a common technique in ICMP flood attacks. Network monitoring software was deployed to provide ongoing visibility into traffic anomalies.
⚡ Respond
A formal response protocol was established: isolate affected systems to limit further disruption, restore critical services, analyse network logs for indicators of compromise, and report to management and relevant legal authorities where applicable.
🔄 Recover
Recovery was sequenced to minimise downtime: block ICMP floods at the firewall → suspend non-critical services → restore critical services → once the packet flood timed out, bring all remaining systems back online.
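The Protect and Detect measures above (a per-source ICMP rate limit and a source-address check against spoofing) can be illustrated on firewall logs. The following is an added example, not part of the original report: it assumes a simplified log line format, constructed internal address ranges, an interface name `wan`, and a sample traffic set built inline.

```python
import ipaddress
from collections import Counter

# Assumptions (constructed for this example, not from the report): the
# organisation's internal ranges, the Internet-facing interface name, and a
# simplified firewall log format "<epoch-second> <iface> <src> <dst> <proto>/<type>".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WAN_IFACE = "wan"

def parse_line(line):
    ts, iface, src, dst, proto = line.split()
    return {"ts": int(ts), "iface": iface, "src": src, "dst": dst, "proto": proto}

def is_spoofed(rec, internal_nets=INTERNAL_NETS, wan_iface=WAN_IFACE):
    """Ingress check: a packet arriving on the WAN side must not claim an internal source."""
    if rec["iface"] != wan_iface:
        return False
    addr = ipaddress.ip_address(rec["src"])
    return any(addr in net for net in internal_nets)

def detect_icmp_flood(lines, pps_threshold=50):
    """Count ICMP echo requests per (source, second). Report sources whose peak
    rate exceeds the threshold, sources failing the ingress check, and how many
    packets a per-source rate limit at that threshold would have dropped."""
    per_second = Counter()
    spoofed = set()
    for line in lines:
        rec = parse_line(line)
        if rec["proto"] != "icmp/echo-request":
            continue  # the rule only concerns ICMP echo requests
        per_second[(rec["src"], rec["ts"])] += 1
        if is_spoofed(rec):
            spoofed.add(rec["src"])
    peak, dropped = {}, 0
    for (src, _ts), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
        dropped += max(0, n - pps_threshold)  # packets above the per-second budget
    flooders = {src: pps for src, pps in peak.items() if pps > pps_threshold}
    return {"flooders": flooders, "spoofed": spoofed, "dropped": dropped}

def build_sample_log():
    """Constructed traffic: one legitimate host, one flood source, one spoofed source."""
    lines = ["1000 wan 192.0.2.5 198.51.100.10 icmp/echo-request"] * 2
    lines += ["1000 wan 203.0.113.7 198.51.100.10 icmp/echo-request"] * 120
    lines += ["1001 wan 203.0.113.7 198.51.100.10 icmp/echo-request"] * 130
    lines += ["1001 wan 10.0.0.9 198.51.100.10 icmp/echo-request"] * 80
    lines += ["1001 wan 192.0.2.5 198.51.100.10 tcp/syn"]
    return lines

if __name__ == "__main__":
    print(detect_icmp_flood(build_sample_log()))
```

The legitimate host stays under the budget and is untouched, which is the point of rate-limiting rather than blocking ICMP outright.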
Key Takeaways