PICERL: You gotto know this!

Hey there! I’m Mohaiminul, and today we’re diving into the world of InfoSec with a focus on the PICERL framework. Think of it as your trusty guide for navigating through cyber storms. We’ll break down each step, from getting prepared to dealing with the aftermath, using real-life examples and not just definitions!

SANS has done an outstanding job in crafting the Incident Response Lifecycle, which stands as a counterpart to the esteemed NIST Incident Response Lifecycle.


Preparation is like getting your team ready for battle in the cyber world. It involves setting up rules (like a playbook) for how to handle security issues and making sure everyone knows them. You also need a plan for what to do if something goes wrong, like who to call and how to fix it. Communication is key, so everyone knows their role and how to reach each other. Plus, keeping good records of what happens is super important – it’s like taking notes during the game so you can learn from mistakes and get better next time. And just like any team, you need the right people with the right skills, so training is a must. Lastly, having the right tools on hand can make all the difference in fighting off cyber threats. So, think of preparation as gearing up your squad for whatever might come their way in the digital world!

  1. Drills: Regular exercises like tabletop simulations prepare teams for real-world incidents.
  2. Documentation: Detailed records help analyze incidents and improve future responses.
  3. Training: Continuous education ensures teams are equipped with the latest skills and knowledge.
  4. Tools: Utilizing appropriate software and hardware enhances incident response capabilities.
  5. Policy: Clear guidelines and rules establish the framework for effective incident handling.


Identification is the art of spotting trouble amidst the noise. It involves setting up vigilant monitoring for sensitive IT systems, analyzing various sources for anomalies, and swiftly reporting any incidents. Assigning dedicated responders, documenting actions, and enhancing threat detection capabilities are essential steps in this process.

  1. Monitoring: Constant surveillance helps catch potential threats early.
  2. Analysis: Scrutinizing log files and alerts reveals signs of suspicious activity.
  3. Reporting: Prompt communication ensures swift response to identified incidents.
  4. Response Team: Assigning dedicated responders ensures immediate action.
  5. Documentation: Detailed records aid in understanding and addressing security issues.


Containment is like putting a lid on a boiling pot to prevent spills and further damage. Its goal is to swiftly limit the impact of a security incident and prevent it from escalating. The SANS containment process involves several critical steps. First, short-term containment measures, like isolating affected network segments or taking down compromised servers, are implemented to halt the incident’s progress. Next, system backups are taken to preserve evidence using forensic tools like FTK or EnCase, ensuring vital information is safeguarded for legal proceedings and further investigation. Finally, long-term containment focuses on implementing temporary fixes to restore production systems while addressing the root cause of the incident, such as removing attacker backdoors or patching vulnerabilities. This multifaceted approach ensures both immediate damage control and the preservation of crucial evidence for future analysis and prevention.

  1. Limiting Damage: Swift containment prevents the spread of cyber threats, minimizing harm.
  2. Preserving Evidence: Taking system backups ensures crucial data is safeguarded for legal purposes.
  3. Halting Progress: Isolating affected network segments stops the incident from spreading further.
  4. Temporary Fixes: Implementing quick solutions allows for the restoration of production systems while addressing underlying vulnerabilities.
  5. Ensuring Security: Containment measures protect vital assets and information from ongoing threats.


Eradication is like performing surgery to remove a harmful tumor. It is the process of eliminating malware and restoring system integrity. The SANS approach involves wiping affected drives, addressing root causes, applying security best practices, and scanning for malware to ensure complete removal.

  1. Complete Removal: It ensures all traces of malware are eliminated from affected systems, preventing further damage.
  2. System Restoration: Wiping and re-imaging drives restores system integrity, allowing for a clean slate.
  3. Root Cause Resolution: Addressing vulnerabilities prevents future compromises, enhancing overall security.
  4. Best Practices Implementation: Upgrading software and disabling unnecessary services fortifies defenses against future attacks.
  5. Malware Scanning: Thorough scans with anti-malware tools ensure no remnants of malicious content remain, ensuring a secure environment.


Recovery is akin to rebuilding after a storm, aiming to restore full system functionality once the threat is neutralized. The SANS recovery procedure follows a structured path. Initially, system owners determine the optimal time to resume operations based on guidance from the CSIRT. Then, thorough testing and verification ensure systems are clean and operating smoothly before going live. Continuous monitoring post-recovery allows for prompt detection of any abnormal activities. Lastly, preventive measures are implemented on restored systems to minimize the risk of recurrence.

  1. Resuming Operations: Recovery ensures that all systems return to normal functioning after an incident, minimizing downtime.
  2. Verification: Thorough testing confirms that systems are clean and fully operational before they go back online.
  3. Continuous Monitoring: Ongoing surveillance post-recovery helps detect any anomalies and ensures system stability.
  4. Preventive Measures: Implementing safeguards on restored systems reduces the risk of future incidents, enhancing overall security.
  5. Collaborative Decision-Making: System owners work closely with the CSIRT to determine the optimal time for restoring services, prioritizing security and operational needs.


Learning from past experiences is vital for improving future incident response efforts. The SANS lessons learned process provides a structured approach to extract valuable insights:

  1. Documentation Completion: Thorough documentation of the incident ensures all relevant details are captured for analysis.
  2. Incident Report Publication: A comprehensive incident report is published, offering a detailed account of the incident and addressing key questions.
  3. Performance Improvement Identification: Lessons are drawn from the incident report, focusing on areas where response efforts could be enhanced.
  4. Benchmark Establishment: Metrics derived from the incident report serve as benchmarks for evaluating future incident response performance.
  5. Lessons Learned Meeting: A meeting with the CSIRT team and stakeholders is held to discuss the incident and implement immediate improvements based on lessons learned.

Leave a Reply

Your email address will not be published. Required fields are marked *