Forming a Computer Security Incident Response Team (CSIRT) is a complicated affair. It involves a certain combination of staff, processes and technologies.
Luckily, numerous incident management frameworks come to the rescue. They all aim to provide a structured approach for establishing incident response teams in your organisation.
This post provides a general overview of the most popular incident management frameworks.
Classic Incident Management Frameworks
The following standards describe the process of setting up and operating CSIRTs. They help build customer-facing as well as internal-facing incident response teams, serving single or multiple organisations.
However, take the advice of the listed frameworks with a grain of salt. Because they were written before APT-style attacks, they mainly follow the slightly outdated linear process (preparation, identification, containment, eradication, recovery, lessons learned). Scroll down to the next section for a list of modern frameworks.
The ISO (aka BSI) framework provides a structured approach to detect, respond to, report and learn from security incidents.
You may find the framework excessively rigid and formal. Unless the goal is total ISO compliance, I would consider taking the good ideas from the standard and tailoring them to the organisation’s needs.
The standard also provides a formal template for publishing the list of services and contact details of your CSIRT. The filled-in document should be publicised either internally or externally.
Probably one of the most cited standards in the incident management governance arena. It defines the governing policy framework around incident response and the list of services a CSIRT may provide. It also collects the common information flows to and from the CSIRT.
Because the handbook considers the CSIRT’s constituents as clients, whose satisfaction is paramount, the guidance is also concerned with quality assurance matters. The manual also deals with loosely connected issues such as hiring and training.
The standard lists the necessary documents, such as written policies and incident response plans. Like the CERT Handbook above, the NIST framework also collects the typical information flows and defines the ideal lifecycle of incidents.
The framework is mainly concerned with demonstrating the business value of having a CSIRT and the team’s place in the existing organisational structure.
The ENISA guide frequently cites practical examples, which makes the document relatively easy to read. It has been translated into 25 different languages.
This guide is the counterpart of the CSIRT Setting Up Guide above. It describes good practices and provides practical information and guidelines for the management of information security incidents. It also comes with a lot of examples and templates.
It briefly demonstrates the benefits of having an incident response team. The white paper also defines the phases of the incident lifecycle, the associated information security strategies and other governance activities. Finally, it justifies the presence of the IR function by linking it to the relevant COBIT control objectives.
Modern Frameworks for the Age of APT
Defending against APT-style attacks (targeted intrusions, AV evasion, PowerShell-based backdoors, advanced beacons) is a relatively new area. Therefore, incident response practices are changing rapidly here, and the formal frameworks have not caught up yet. The following section is a weak attempt to collect them.
Another framework from ISACA. This publication, however, takes a more tactical approach, focusing on the defences against APT activities.
The document elaborates on the essential capabilities and standardises the detection and response techniques. The framework was developed together with Ernst & Young.
Yeaaaah, if you could write a framework…
And the list of modern frameworks ends here. Information on current incident management practices is scattered across blogs, conference slides, YouTube videos and whitepapers.
Here is a non-exhaustive list of materials to follow:
- DFIR Blog
- @srobert’s blog
- DFIR Slack Community
- DFIR mailing list
- SANS DFIR blog
- Iron Bastion Security Blog
- When threat intel met DFIR
- Kill chain
- The diamond model
- Anton Chuvakin’s personal and work blog
- Activeresponse.org blog
- Taking CSIRT to the next level
- MITRE: Ten Strategies of a World-class Cybersecurity SOC
- SANS: Building a world-class SOC
- How To Build And Run A SOC for Incident Response – A Collection Of Resources
- McAfee: Creating and Maintaining a SOC
What are your favourite resources? Let us know in the comments below!
Incident Management Maturity Models
The following frameworks help to measure the current maturity level of the incident response capabilities in your organisation.
A maturity model that helps to assess the current level of capabilities of incident response teams. It presents the next maturity level and helps identify the necessary steps to reach it.
A comprehensive model based on a checklist approach. This benchmark can be used to assess how an organisation’s current incident management capability is defined, managed, measured, and can be improved.
The MRD-IMC method is a risk-based approach for assessing whether an incident management function achieves its mission and objectives.
Hunting is an ongoing activity in which analysts actively scan the infrastructure for indicators of compromise. There are different levels of hunting, spanning from non-existent to full automation.
Image courtesy of Benoit photography