State of the Practice of Computer Security Incident Response Teams (CSIRTs)
[Who is the CERT CSIRT Development Team and What Do They Do?]
[Acknowledgements]
[3 Current State of the Practice of CSIRTs]
[6 Closing Remarks]
[Appendix B: Comparison of Incident Response Steps and Processes]
[Appendix C: Training Sources for CSIRTs]
[Appendix E: Sample Incident Reporting Forms and Flowcharts]
Acknowledgements
We would like to express our deep appreciation to our colleagues in the incident handling community who either reviewed this document or provided information for inclusion in this document.
- Andreas Bunten, DFN-CERT
- Andrew Cormack, UKERNA
- John Green, JANET-CERT
- Cristine Hoepers, NBSO/Brazilian CERT
- Yurie Ito, JPCERT Coordination Center
- Juan Carlos Guel López, UNAM-CERT
- Rob McMillan, Commonwealth Bank of Australia
- Liliana Velásquez Solha, CAIS/RNP, Brazilian Research Network
- Moira West-Brown, former team lead for the CERT/CC incident handling team and the CERT CSIRT Development Team
They gave us insight, recommendations and suggestions; provided information and resources we would not otherwise have had access to; and generally helped to make this a better document. Thank you all very, very much.
We want to thank every organization that completed our pilot survey. Without the representatives from these CSIRTs taking time to complete the survey, we would not have had the initial data presented here. For reasons of confidentiality, we cannot list their names here, but they know who they are and again, we thank you most deeply.
We would like to acknowledge and thank the following people for their contributions, support, and assistance in the production of this document.
- Barbara Laswell - who never wavered in providing her support, encouragement, and guidance as we set about our research and analysis, and who provided us the time and resources to undertake this work.
- Moira West-Brown, Don Stikvoort, and Klaus-Peter Kossakowski - for initially writing the first edition of the Handbook for CSIRTs [West-Brown 03], stimulating our thoughts and inspiring us to take the next steps in our CSIRT development work.
- Katherine Fithen - for her continued support of our CSIRT development activities and for being an excellent resource, advisor, and friend.
- Pamela Curtis - for her dedication and perseverance in guiding us through the technical report process, editing our multitude of changes, and helping give the document one voice.
- Stephanie Rogers - for researching legal issues as they apply to incident response and providing us with links to relevant legal resources.
- Sheila Rosenthal and Terry Ireland - our library staff, for their incredible researching skills, assistance, and support.
- David Biber - our graphics artist, who helped us with the graphics in this publication and helped with the production of the example documents included in Appendix E.
- Diane Bradley and Pam Williams - who help us daily to synthesize, review, and organize information and whose support helps us to continue to be effective in the work we do.