Introduction
1 Introduction
Keeping organizational information assets secure in today's interconnected computing environment is a true challenge that becomes more difficult with each new "e" product and each new intruder tool. Most organizations realize that there is no one solution for securing systems and data; instead a multi-layered security strategy is required.
Figure 1: Multi-Layered Infrastructure Defense
One of the layers that many organizations are including in their strategy today is the creation of a computer security incident response team, or CSIRT.
Motivators driving the establishment of CSIRTs today include
- a general increase in the number and type of organizations being affected by computer security incidents
- a more focused awareness by organizations on the need for security policies and practices as part of their overall risk-management strategies
- new laws and regulations that affect how organizations are required to protect information assets
- the realization that systems and network administrators alone cannot protect organizational systems and assets
Although CSIRTs have been in existence since 1988, the development of CSIRTs and the incident response field is still in its infancy. It has not yet become a standardized field of practice but it is rapidly moving to a more standardized discipline. Many organizations are looking to formalize their incident response methodologies, processes, and organizational structures.
As organizations move to establish dedicated[1] or ad hoc[2] CSIRTs they are actively looking for guidance to see what has worked for other similar organizations. They want to know how many staff a CSIRT in a similar sector has, how they operate their incident response service, or what tools they use to record and track incident reports.
Currently there are no standard answers to these questions. CSIRTs can take many forms and have different requirements, responsibilities, functions, and structures.[3] We have seen CSIRTs whose staff only review intrusion detection logs, while other CSIRT staff recover and rebuild systems, provide security awareness training, analyze artifacts[4], publish alerts and advisories, and perform security audits and consulting.
This report is a start at collecting information about CSIRTs across a very broad canvas of activities.
The information for this report was gathered through
- our collective experiences in working with CSIRTs in the incident response work we have done over the years, the collaborations we have had, and the courses that we teach
- a literature search and review of related articles, books, and other documents concerning incident response, including existing or pending laws, legislation, and regulations that will have an impact on incident response work
- a pilot survey of CSIRT organizational structures. This survey was distributed to course attendees at the 14th Annual FIRST Computer Security Incident Handling Conference in Hawaii in 2002 and to various other CSIRTs. Appendix A contains a copy of the pilot survey form.[5]
- conducting follow-up discussions with CSIRTs who completed the survey and stated that they would participate in follow-up work
- collaborating with team members and other experts in the CSIRT environment to gather information on current processes, projects, and response trends
- researching and reviewing existing CSIRT-related, computer security-related, and incident response-related web sites and corresponding articles and white papers at those sites
1.1 Purpose of the Document
The purpose of this report is to provide an objective study of the state of the practice of CSIRTs and to present this information in a manner that will be beneficial for the CSIRT community. The report attempts to synthesize information about how those in the CSIRT field are operating their teams, and then provide this information as a resource to both new teams that are setting up their operations and existing CSIRTs that are interested in benchmarking their operations.
The report will also serve as a reference for CSIRTs, as it will provide a consolidated resource of information on CSIRT projects; literature; training, legal, and operational issues; and sample CSIRT processes and structures.
The information collected will also be used as the basis for identifying areas for further research and best practice development.
1.2 Scope of the Document
This document is a summary of the findings of the research done through the State of the Practice project. The State of the Practice project was conducted by the CERT CSIRT Development Team. The purpose of the State of the Practice project is to gain a better understanding of the CSIRT structures, functions, and services. Currently, much of the information available about CSIRTs is anecdotal. Our goal is to collect and analyze more empirical data to provide better insight into various CSIRT organizational structures and best practices.
This document is not an attempt to give a comprehensive review of all CSIRTs, CSIRT activities and projects, or CSIRT literature, training, or related legal issues. It is, however, an attempt to provide a general overview of these areas and issues. (In this dynamic environment, it is difficult to keep information up to date.) The findings and information presented here are based on a sampling of CSIRTs done via survey; our own research, interviews, and observation[6]; and input and observations from others in the field.
This document provides information about CSIRTs at a particular point in time--June 2002 through August 2003. Although some of the information is time constrained, the resulting information can still provide useful insights for organizations planning to create or expand an incident response capability or formal CSIRT.
The focus of the document is the collection of data to understand how CSIRTs are structured and how they operate and to determine if there are any trends particular to a certain type of CSIRT or CSIRT sector.
This document does not try to make any recommendations for best practices or processes in day-to-day CSIRT activities. It is simply synthesizing and presenting the information gathered.
This document also does not include a review or discussion of broader security standards such as those from the International Standards Organization (ISO) or British Standards (BS).
1.3 Intended Audience
The primary audience for this document includes the general CSIRT community who may want a better understanding of the structure and functions of existing teams. It will also benefit those individuals and organizations looking to join the CSIRT community. It is specifically targeted at those managers and individuals who are involved in the process of creating and operating a CSIRT or managing incident activity. This may include
- Organizational Chief Information Officers (CIOs), Chief Security Officers (CSOs), and Information Systems Security Officers (ISSOs)
- project leaders and members charged with creating a team
- CSIRT managers
- CSIRT staff
- IT managers
As well as being a useful reference for higher management levels and all CSIRT staff, this document can also be of use to other individuals who interact with CSIRTs and would benefit from an understanding of CSIRT organizational issues. This may include members of the
- CSIRT constituency
- law enforcement community
- systems and network administrator community
- CSIRT parent organization or other departments within the parent organization such as
1.4 Use of this Document
This document was developed for use as both a stand-alone document and as a companion document to two other reports from the Software Engineering Institute:
- Handbook for CSIRTs, CMU/SEI-2003-HB-002 [West-Brown 03]
- Organizational Models for CSIRTs, CMU/SEI-2003-HB-001[7]
As a stand-alone document, this report can be used as an information reference by anyone interested in CSIRT activities. The document also provides information on
- the evolution and development of teams
- the types and numbers of teams existing today
- preliminary statistics on the types of CSIRT structures and processes gathered through the pilot survey
- current articles, publications, and training that may be of interest to anyone involved in incident response activities
- some current projects that teams may want to join or review
- resources that teams may want to use or review
- current challenges and issues that are being addressed by the CSIRT community
This document can be used in conjunction with the other two reports mentioned above to provide guidance for teams on the options for organizing and operating a CSIRT. It can be used at the early stage of CSIRT development to provide ideas for organizational structures and service offerings. It can also be used to help gather management buy-in and support and, after support has been gathered, to strategically plan and develop a team. Looking at what existing teams are doing can provide ideas for other teams and help existing teams plan their future growth. It can also be used to provide justification to management for requesting certain resources, funding, and support.
Each team will have its own circumstances, mission, and goals. These three reports provide information on alternatives and options for team operations and organization. None of the reports demand that you follow a particular course of operations.
Use the Handbook for CSIRTs [West-Brown 03] for specific in-depth informational guidance for issues relating to the establishment and operation of a CSIRT. Use Organizational Models for CSIRTs to understand the specific issues to be addressed when determining the model for your CSIRT. Use the State of the Practice report for examples of what other teams are doing and as an information resource and overview of CSIRT processes, structures, and resources.
1.5 Document Structure
The remainder of this document is organized as follows:
1.6 About the Survey
The CERT CSIRT Development Team worked with other members of the CMU community to construct a pilot survey to collect information about the current organizational processes and structures of CSIRTs. The survey was distributed during June through August 2002. The survey was an informal method of collecting information (no scientific sampling was done). The number of surveys collected did not constitute a statistical sample, so the results cannot be reviewed in such a light. However, the results did provide some interesting data that is shared in this report. The CERT CSIRT Development Team plans to continue to collect data through the use of an improved survey over the next few years.
Results from the 29 surveys collected as of the writing of the report have been incorporated into various sections of this report. The contents of the survey can be viewed in Appendix A.
The pilot survey was completed by a broad spectrum of CSIRTs across many countries and sectors. The majority of the CSIRTs participating in the survey were from the United States (38%) and Europe (34%). Other geographic areas represented were South America and the Asia Pacific region. The total number of countries that participated in the survey was 12. There were a few teams who stated that they were a global organization rather than representing one country.
Figure 2: Demographics of CSIRT Survey Participants
The majority of the CSIRTs were from the military (28%) and education (21%) sectors. Other sectors represented were communication and information (14%), non-profit (14%), banking and finance (7%), law enforcement (3%), public administration (3%), and other commercial organizations (10%).
The participating CSIRTs also represented teams that had been in operation for over two years (62%) and those who were just starting[8] (21%). The modal[9] years of operation for the CSIRTs participating were four to six years (34%). The rest fell into the one to two year range (28%) and the seven to eight year range (17%).
Only 17% of the participating CSIRTs stated that their CSIRT was located across multiple countries. The number of countries that these CSIRTs were distributed across ranged from 2 to 103. The CSIRT located in 103 countries was in the banking and finance sector.[10]
1.7 About the Literature Search
In 1988, when the CERT Coordination Center (CERT/CC) was established, there was not much information available that described incident response or incident handling in detail. The good news today is that there is a growing body of literature that is available and that can be easily found using your favorite web search engine. (For example, at the time we were writing this document, a search on incident response provided about 15,000 links--some were duplicates, others were pointers to bookstores, sites, articles, and other references on this topic.) The more challenging task is sifting through all this data to find information that meets your specific requirements for incident handling operations and building a CSIRT capability.
In our literature review for this state of the practice, we examined books, white papers, articles, guidelines, procedures, and other similar information and research available on the web and in print.
Our examination of the literature identified a few broad-based observations that will be of interest to new or existing CSIRTs to further increase their overall knowledge and understanding of incident handling, team responsibilities, team composition, and policy and procedure issues:
- There is a growing base of anecdotal and case study information appearing in print about not only the formation and organization of CSIRTs, but also on the general types of activities these teams undertake and how they perform them.
- More information is available about the management and costs related to building and operating incident response teams.
- There are some common functions suggested for incident response activities within a CSIRT--even if these functions are "grouped" somewhat differently across the literature.
- There are many similarities in CSIRT processes; however, within the day-to-day operations of a CSIRT, the way in which these processes are implemented and the depth and breadth of the services that are provided may be very different.
Many of the resources we reviewed provided various levels of detail on approaches for handling incidents. A number of them also provided information about
- defining incident response and other terminology
- developing an incident response plan
- identifying issues and steps in forming a computer security incident response team
- defining mission, goals, operations, and responsibilities
- identifying services and level of support
- determining the constituency base
- documenting policies and procedures
- tracking and tracing incidents
- performing computer forensic analysis
Many of the resources also include
- general trends in incident handling and intruder attacks
- example case studies and other CSIRT stories
- sample templates, checklists, process guides, or flowcharts related to incident handling
Where appropriate, these resources and any trends, commonalities, or processes extracted from them were included in this document.
[1] A formalized team is a capability where identified staff have been given the responsibility for both reactive and proactive CSIRT work.
[2] An ad hoc team is a team called together to handle an incident as it occurs. It is more reactive in nature.
[3] The different types of CSIRT organizational models are described in the SEI handbook CMU/SEI-2003-HB-001, Organizational Models for CSIRTs, which will be published in the fall of 2003.
[4] Artifacts are basically the remnants of an intruder attack or activity. For example, malicious code or toolkits found on a compromised system would be considered artifacts.
[5] If you are interested in adding to the general knowledge of CSIRTs by filling out a survey, you can request a copy via email from csirt-info@cert.org.
[6] All contributions were provided voluntarily.
[7] Organizational Models for CSIRTs will be published in the fall of 2003.
[8] In operation for less than one year.
[9] Modal in this case means the most frequently reported.
[10] In talking to other corporate CSIRTs, it was often the case that those that support multinational corporations have distributed teams in each country where their branch offices are located.