Software Engineering Institute Carnegie Mellon

State of the Practice of Computer Security Incident Response Teams (CSIRTs)

[Abstract]   [Title Page]  
[Who is the CERT CSIRT Development Team and What Do They Do?]  
[Preface]  
[Acknowledgements]  
[1 Introduction]   [2 Computer Security Incident Response Teams]  
[3 Current State of the Practice of CSIRTs]  
[4 Summary]   [5 Future Work]  
[6 Closing Remarks]  
[Appendix A: CSIRT Organizational Survey]  
[Appendix B: Comparison of Incident Response Steps and Processes]  

[Appendix C: Training Sources for CSIRTs]  
[Appendix D: Cyber Crime Law Resources]  
[Appendix E: Sample Incident Reporting Forms and Flowcharts]  
[Bibliography]   [PDF File]

Appendix B: Comparison of Incident Response Steps and Processes

The table in this appendix compares the incident response steps or processes named by a range of publications. Each entry gives the type and title of the publication, its author(s) and bibliography key, the steps or processes it names (in the order the publication gives them), and a note on the material covered or other comments.

Books

CERT Guide to System and Network Security Practices
Author(s): Julia Allen [Allen 01]
Steps or processes: Analyze information; Communicate; Collect and protect information; Contain; Eliminate all means of intruder access; Return systems to normal operations; Implement lessons learned
Material covered/comments: For comparison with the other references in this table, only the "response" steps have been listed. This is a resource book for system and network administrators on hardening and securing systems; preparing for, detecting, and responding to security events and activity; and improving security configurations and procedures.

Computer Forensics, Incident Response Essentials
Author(s): Warren G. Kruse II and Jay G. Heiser [Kruse 02]
Steps or processes: Discovery and report; Incident confirmation; Investigation; Recovery; Lessons learned/recommendations
Material covered/comments: Technical, focusing on the investigation process rather than on incident response from a team management perspective.

Incident Response
Author(s): Kenneth R. van Wyk and Richard Forno [van Wyk 01]
Steps or processes: Identification; Coordination; Mitigation; Investigation; Education
Material covered/comments: Written for managers interested in building a team and the issues they will need to face. Also covers responding to incidents and gives technical references and coverage of the tools of the trade, typical attacks, and so on.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
Author(s): Eugene Schultz and Russell Shumway [Schultz 02]
Steps or processes: Preparation; Detection; Containment; Eradication; Recovery; Follow-up
Material covered/comments: Information on forming, managing, and operating a team. Good discussion of some of the issues that team leads will face.

Incident Response: Investigating Computer Crime
Author(s): Kevin Mandia and Chris Prosise [Mandia 01]
Steps or processes: Pre-incident preparation; Detection; Initial response; Response strategy formulation; Duplication (forensic backup); Investigation; Security measure implementation; Network monitoring; Recovery; Reporting; Follow-up
Material covered/comments: The primary focus of the book is on investigation and the specific techniques that can be used to investigate various types of incidents.

System Security: A Management Perspective
Author(s): David L. Oppenheimer, David A. Wagner, and Michele D. Crabb [Oppenheimer 97]
Steps or processes: Isolate; Identify; Contain; Terminate; Eradicate; Recover; Perform follow-up
Material covered/comments: Short topics booklet that describes security issues at a high level for management.

Articles/Guides/White Papers/Special Publications

Advance Planning for Incident Response and Forensics
Author(s): Symantec Corp. [Symantec 01]
Steps or processes: Identify vital assets; Hire experienced staff; Secure individual hosts; Secure your network; Monitor devices; Establish a response strategy; Establish policies and procedures
Material covered/comments: Overview of the topic areas. The author also provides incident management services.

Computer Security Incident Handling Step by Step
Author(s): The SANS Institute [SANS 03]
Steps or processes: Preparation; Identification; Containment; Eradication; Recovery; Follow-up
Material covered/comments: Good reference guide, covered at a high level. Outlines the actions to be taken at each of the six steps listed.

Information Systems Security Incident Response
Author(s): Gordon Steele, IA Newsletter [Steele 02]
Steps or processes: References the SANS list
Material covered/comments: High-level overview of incident response, planning, and management (similar to the work covered by SANS and Howard).

NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems
Author(s): Marianne Swanson, Amy Wohl, Lucinda Pope, Tim Grance, Joan Hash, and Ray Thomas [Swanson 02]
Steps or processes: Protect; Sustain; Recover/resume
Material covered/comments: Although focused on IT contingency planning, it contains some references to managing incidents.

Security Architecture and Incident Management for E-business
Author(s): Marc S. Sokol and David A. Curry, Internet Security Systems [Sokol 00]
Steps or processes: Incident preparedness; Alerting; Report and notification; Preliminary investigation; Decision and resource allocation; Response; Recovery; Lessons learned
Material covered/comments: Provides a high-level overview of the incident handling (IH) process.

Securing Information Assets: Planning, Prevention and Response
Author(s): CIO Focus Guide, CXO Media [CXO 03]
Steps or processes: Detect; Analyze; Contain/eradicate; Provide workarounds/fixes; Prevent reinfection; Log events; Preserve evidence; Conduct postmortem/apply lessons learned
Material covered/comments: Provides case studies, short reference guides, and checklists. Very high-level reading material for senior executives.

Other Documents/Presentations

Computer Security Incident Response Planning
Author(s): Internet Security Systems [ISS 01]
Steps or processes: Alert; Triage; Response; Recovery; Maintenance
Material covered/comments: Describes the "phases" of incident response once an incident has been declared.

Responding to Computer Security Incidents: Guidelines for Incident Handling
Author(s): E. Eugene Schultz, Jr., David S. Brown, and Thomas A. Longstaff [Schultz 90]
Steps or processes: Protection; Identification; Containment; Eradication; Recovery; Follow-up
Material covered/comments: Although an early work (1990), it contains similar information about incident handling issues. Also contains specific guidelines for responding to the incidents of that era, namely viruses and worm attacks, some discussion of vulnerability issues (mostly focused on UNIX, VMS, etc.), and some information about the early tools that were available to assist the incident handling process.

The Methodology of Incident Handling
Author(s): Matthew McGlashan, Australian Computer Emergency Response Team [McGlashan 01]
Steps or processes: Identify scope and assess damage; Communicate; Collect and protect; Apply short-term solutions; Eliminate intruder access; Return to normal operations; Identify and implement lessons learned
Material covered/comments: High level; slide presentation.

Security Architecture and Incident Management for E-business (also listed above under Articles/Guides/White Papers/Special Publications)
Author(s): Internet Security Systems [Sokol 00]
Steps or processes: Incident preparedness; Alerting; Report and notification; Preliminary investigation; Decision and resource allocation; Response; Recovery; Lessons learned
Material covered/comments: Provides a high-level overview of best practices for the development of an incident response process.

Incident Response and Reporting Procedure for State Government
Author(s): State of Nebraska [Nebraska 02]
Steps or processes: Detect the incident; Analyze the incident; Contain or eradicate the problem; Provide workarounds or fixes; Prevent re-infection; Log events; Preserve evidence; Conduct a postmortem/apply lessons learned
Material covered/comments: A draft report summarizing the guidelines for CIO cyberthreat response and reporting (applicable to non-education state agencies, boards, and commissions receiving appropriations from the state Legislature, or to state agencies that have a direct connection to the state's network).

State of Vermont Incident Handling Procedure
Author(s): State of Vermont [Vermont 01]
Steps or processes: Protect; Identify; Contain; Eradicate; Recover; Follow-up
Material covered/comments: An interim guideline for incident response within the State of Vermont.

RFC 2196, Site Security Handbook
Author(s): Barbara Fraser, editor [Fraser 97]
Steps or processes: Notification and exchange of information; Protect evidence and activity logs; Containment; Eradication; Recovery; Follow-up
Material covered/comments: Revised version of RFC 1244. Provides practical guidance for administrators on developing computer security policies and procedures.

Computer Incident Response Guidebook
Author(s): Naval Command, Control and Ocean Surveillance Center [Navy 96]
Steps or processes: Preparation; Identification; Containment; Eradication; Recovery; Follow-up
Material covered/comments: INFOSEC training module, developed in 1996. Provides brief high-level guidance and procedures for responding to incidents.
