Incident Response

Incident Report Analysis using NIST CSF

Analysed a DDoS attack on an organisation's network using the NIST Cybersecurity Framework — structuring a full incident response across all five functions: Identify, Protect, Detect, Respond, and Recover.

Framework: NIST CSF
Attack Type: DDoS / ICMP Flood
Controls Used: Firewall · IDS/IPS

What Happened

The organisation experienced a sudden and complete loss of network services. Investigation revealed the cause: a DDoS attack using an ICMP flood, which overwhelmed network capacity and blocked all legitimate traffic.

The team responded by blocking the attack at the firewall and shutting down non-critical services to restore critical systems first. I then produced a structured incident analysis using the five functions of the NIST Cybersecurity Framework.

NIST CSF — Five Functions

🔎 Identify: Determined attack vector, blast radius, and which critical assets were affected across the internal network.
🛡️ Protect: New firewall rule to rate-limit ICMP packets; IDS/IPS deployed to filter suspicious traffic by characteristic.
📡 Detect: Source IP verification configured on firewall; network monitoring software deployed for ongoing anomaly detection.
⚡ Respond: Response playbook defined: isolate, restore critical services, analyse logs, escalate to management and legal.
🔄 Recover: Block at firewall → suspend non-critical services → restore critical systems → bring remaining services back online.

Response Breakdown

🔎 Identify

A malicious actor targeted the organisation with an ICMP flood attack. The entire internal network was affected — all critical network resources needed to be secured and restored to a functioning state.

🛡️ Protect

A new firewall rule was implemented to limit the rate of incoming ICMP packets. An IDS/IPS system was deployed to filter suspicious ICMP traffic based on known attack signatures, preventing the same attack vector from being exploited again.

📡 Detect

Source IP address verification was configured on the firewall to detect and block spoofed IPs — a common technique in ICMP flood attacks. Network monitoring software was deployed to provide ongoing visibility into traffic anomalies.
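The Protect and Detect controls above (ICMP rate limiting at the firewall, flood detection by packet rate, and source IP verification against spoofed addresses) can be illustrated with a small offline simulation. The following is an added example and is not code from the original report or from the organisation's tooling; the log format, the interface name `eth0`, the addresses and the thresholds are all constructed for the example.

```python
"""
Added example (not part of the original incident report): a simulation of the
Protect and Detect controls described above, run over constructed log lines.

  * detect_icmp_flood()     - counts ICMP echo-requests per source per second and
                               flags sources at or above a threshold (the rule a
                               network monitor or IDS signature would carry).
  * find_spoofed_sources()  - "source IP verification": packets arriving on the
                               external interface with a source that can never
                               legitimately come from the Internet (RFC 1918,
                               loopback, link-local, multicast) are treated as spoofed.
  * TokenBucket / simulate_rate_limit() - models the firewall's ICMP rate limit,
                               comparable in spirit to
                               `iptables -A INPUT -p icmp --icmp-type echo-request
                                -m limit --limit 10/s --limit-burst 20 -j ACCEPT`
                               followed by a DROP rule for the remainder.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    time: float      # seconds since start of capture (constructed)
    iface: str       # interface the packet arrived on (assumed name "eth0" = external)
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply


def _line(t, iface, src, dst, icmp_type=8):
    # Constructed log format: "<time> <iface> <src> -> <dst> icmp type=<n>"
    return f"{t:.3f} {iface} {src} -> {dst} icmp type={icmp_type}"


# Constructed sample log (not real traffic): one host pinging the gateway once a
# second, then two echo-request floods hitting the external interface.
SAMPLE_LOG = "\n".join(
    [_line(t, "eth0", "203.0.113.7", "198.51.100.10") for t in (0, 1, 2, 3, 4, 6, 7)]
    + [_line(5.0, "eth0", "192.168.1.50", "198.51.100.10")] * 30   # spoofed private source
    + [_line(8.0, "eth0", "203.0.113.99", "198.51.100.10")] * 25   # routable source, still a flood
)


def parse_log(text):
    """Parse the constructed log format into Packet objects sorted by time."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, iface, src, _arrow, dst, proto, typ = line.split()
        if proto != "icmp":
            continue
        packets.append(Packet(float(t), iface, src, dst, int(typ.split("=")[1])))
    return sorted(packets, key=lambda p: p.time)   # stable sort keeps log order within a second


def detect_icmp_flood(packets, threshold=20):
    """Return {src: peak echo-requests in any one second} for sources >= threshold."""
    per_second = defaultdict(lambda: defaultdict(int))
    for p in packets:
        if p.icmp_type == 8:
            per_second[p.src][int(p.time)] += 1
    peaks = {src: max(buckets.values()) for src, buckets in per_second.items()}
    return {src: peak for src, peak in peaks.items() if peak >= threshold}


# Address ranges that must never appear as a source on the external interface.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def find_spoofed_sources(packets, external_iface="eth0"):
    """Source IP verification: non-routable sources seen on the external interface."""
    spoofed = set()
    for p in packets:
        if p.iface != external_iface:
            continue
        addr = ipaddress.ip_address(p.src)
        if any(addr in net for net in NON_ROUTABLE):
            spoofed.add(p.src)
    return spoofed


class TokenBucket:
    """Rate limiter with `rate` tokens per second and a burst capacity of `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate_rate_limit(packets, rate=10, burst=20):
    """Apply one shared ICMP limit; return {src: (accepted, dropped)}."""
    bucket = TokenBucket(rate, burst)
    outcome = defaultdict(lambda: [0, 0])
    for p in packets:
        if p.icmp_type != 8:
            continue
        outcome[p.src][0 if bucket.allow(p.time) else 1] += 1
    return {src: tuple(counts) for src, counts in outcome.items()}


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("flood sources:", detect_icmp_flood(pkts))
    print("spoofed sources:", find_spoofed_sources(pkts))
    print("rate-limit outcome:", simulate_rate_limit(pkts))
```

Two things the simulation makes visible that the prose does not: source IP verification only catches the spoofed flood (192.168.1.50), while the flood from a routable address (203.0.113.99) is caught only by the rate-based detection; and a single shared limit, as modelled here, lets a large enough flood starve the legitimate pinger while the burst is exhausted, which is why per-source limiting (for example iptables' `-m hashlimit`, or the IDS/IPS signatures mentioned above) is the stronger follow-up control.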

⚡ Respond

A formal response protocol was established: isolate affected systems to limit further disruption, restore critical services, analyse network logs for indicators of compromise, and report to management and relevant legal authorities where applicable.

🔄 Recover

Recovery was sequenced to minimise downtime: block ICMP floods at the firewall → suspend non-critical services → restore critical services → once the packet flood timed out, bring all remaining systems back online.

What This Demonstrates

Ability to apply the NIST CSF as a structured analytical tool across a real security incident lifecycle.
Understanding of ICMP-based DDoS attacks — how flooding works and how spoofed IPs amplify impact.
Knowledge of defensive controls: firewall rate limiting, IDS/IPS deployment, and source IP verification.
Ability to produce a clear, structured incident report with actionable findings and recommendations.
Awareness of escalation procedures including management notification and legal reporting requirements.