State of the Practice of Computer Security Incident Response Teams (CSIRTs)
[Abstract] [Title Page] [Who is the CERT CSIRT Development Team and What Do They Do?] [Preface][Acknowledgements] [1 Introduction] [2 Computer Security Incident Response Teams] [3 Current State of the Practice of CSIRTs] [4 Summary] [5 Future Work] [6 Closing Remarks] [Appendix A: CSIRT Organizational Survey] [Appendix B: Comparison of Incident Response Steps and Processes] [Appendix C: Training Sources for CSIRTs] [Appendix D: Cyber Crime Law Resources] [Appendix E: Sample Incident Reporting Forms and Flowcharts] [Bibliography] [PDF File]
Appendix E: Sample Incident Reporting Forms and Flowcharts
This appendix includes several guidelines, procedures, and templates related to the incident handling function. Those for which we obtained reprint permission from the author or publisher are reproduced in full as part of this appendix. Others for which we had not received permission as of the publication date are listed with references to their materials and/or a link to online information at the end of the appendix. We encourage our readers to peruse these examples as additional resources that are of interest to CSIRT staff.
Sample Forms: [CERT Coordination Center] [CIO/FBI/USSS] [Kruse and Heiser] [Nebraska Information Technology Commission] [SANS] [Steele] [United States Secret Service] [Van Wyk and Forno] [Other Incident Reporting Forms Sources]
CERT Coordination Center
The CERT/CC has both a text-based reporting form and an automated incident reporting form. The text-based form has been included here.
Both forms are available online (see the "Communicate With Us" box on the right-hand side of the page).
CERT(R) Coordination Center
Incident Reporting Form
version 5.2, April 2000
CERT/CC has developed the following form in an effort to gather incident information. If you believe you are involved in an incident, we would appreciate your completing the form below. If you do not believe you are involved in an incident, but have a question, send email to: cert@cert.org
Note that our policy is to keep any information specific to your site confidential unless we receive your permission to release that information.
We would appreciate any feedback or comments you have on this Incident Reporting Form. Please send your comments to: cert@cert.org
Submit this form to: cert@cert.org. If you are unable to send email, fax this form to: +1 412 268 6989
Your contact and organizational information
1. name......................:
2. organization name.........:
3. sector type (such as banking, education, energy or public safety).........:
4. email address.............:
5. telephone number..........:
6. other.....................:
Affected Machine(s) (duplicate for each host)
7. hostname and IP...........:
8. timezone..................:
9. purpose or function of the host (please be as specific as possible)..............:
Source(s) of the Attack (duplicate for each host)
10. hostname or IP...........:
11. timezone.................:
12. been in contact?.........:
13. Estimated cost of handling incident (if known)...............:
14. Description of the incident (include dates, methods of intrusion, intruder tools involved, software versions and patch levels, intruder tool output, details of vulnerabilities exploited, source of attack, or any other relevant information):
Copyright 2003 Carnegie Mellon University
Reprinted with permission from the CERT® Coordination Center.
The document is available online.
CIO/FBI/USSS
These are the CIO Cyberthreat Response and Reporting Guidelines, published by CIO in conjunction with the FBI and the USSS [CIO 02]. In addition to the guidelines, the document provides law enforcement contact information, FBI and USSS field office contact information, other cyber-threat resources, and a cyber-threat reporting form.
The document is available online.
Kruse and Heiser
In their book Computer Forensics, Incident Response Essentials, Kruse and Heiser have included an appendix that provides details on "Internet Data Incident Response Guidelines" [Kruse 02]. They cover the goals of incident response, roles and responsibilities of staff involved in incident response, an incident severity chart, and information on incident handling processes. They have provided several process flowcharts for handling different types of incident activity (Figures A-10, A-11, and A-12, pages 347, 348, and 349), a few of which have been reproduced here. Appendix B provides an Incident Response Form template (pages 353-361), which has also been included here.
The document is available online.
Nebraska Information Technology Commission
The Nebraska Information Technology Commission (NITC) has developed a set of procedures for reporting security breaches involving Nebraska state agencies. We have reproduced the procedures document in this appendix.
These incident response procedures also include both a short and long form for reporting incidents:
- Computer Incident Reporting Short Form
- State of Nebraska Information Systems Administrator's Incident Reporting Form
The document and forms are available online (see the links for the "Security Architecture" section) [Nebraska 02].
SANS
SANS provides the following incident handling forms:
- Incident Contact List
- Incident Identification
- Incident Survey
- Incident Containment
- Incident Eradication
- Incident Communication Log
Steele
The Information Assurance Technology Analysis Center (IATAC) Volume 5, Number 1 (Spring 2002) newsletter contains an article, "Information Systems Security Incident Response," by Gordon Steele [Steele 02]. One section of the article provides a graphical abstraction of an incident flow timeline. The author presents this approach as a mechanism to allow incident handlers "to envision where they might be at any given point in time" in the incident response process.
The forms are available online.
United States Secret Service
The USSS has developed a "Cyber Threat/Network Incident Report," Secret Service Form 4017. It is provided in two different formats, an OmniForm Mailable Filler and an Adobe Acrobat PDF. The PDF version has been included here [USSS 01].
The forms are available online.
Van Wyk and Forno
In their book Incident Response, van Wyk and Forno provide an example of one approach to documenting information in an incident report [van Wyk 02]. The topics covered in the sample report are:
- incident chronology
- comments and recommendations
- law enforcement coordination
- damage assessment
- management review
The forms are available online.
Other Incident Reporting Forms Sources
- Computer Incident Response Guidebook, Module 19, "Information Systems Security (INFOSEC) Program Guidelines"
- FCC Computer Security Incident Response Guide
- Incident Response: Investigating Computer Crime, by Kevin Mandia and Chris Prosise, Osborne/McGraw-Hill, 2001, page 18.
- Cyber Threat and Computer Intrusion Incident Reporting Guidelines, U.S. Department of Homeland Security Information Analysis Infrastructure Protection
- State of Vermont Incident Handling Procedures (http://www.cio.state.vt.us/pdfs/sov_intrusion_procedures.pdf)
- Advance Planning for Incident Response and Forensics, Cupertino, CA: Symantec Corp., November 2001