
Handbook for Computer Security Incident Response Teams (CSIRTs)
CMU/SEI-2003-HB-002

Moira J. West-Brown, Don Stikvoort, Klaus-Peter Kossakowski, Georgia Killcrece, Robin Ruefle, Mark Zajicek

First release: December 1998
2nd Edition: April 2003

Networked Systems Survivability Program
Pittsburgh, PA 15213-3890

Unlimited distribution subject to the copyright.

The original version of this Handbook was provided with funding from the following organizations: National Science Foundation (NSF); SURFnet bv; SURFnet ExpertiseCentrum bv; M&I/STELVIO bv; German Federal Ministry of Education, Science, Research and Technology (Bundesministerium fuer Bildung, Wissenschaft, Forschung und Technologie); Verein zur Foerderung eines Deutschen Forschungsnetzes (DFN-Verein).



Funding for the revised edition of this Handbook was provided by the Software Engineering Institute.

This report was prepared for the SEI Joint Program Office, HQ ESC/DIB, 5 Eglin Street, Hanscom AFB, MA 01731-2116.

The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER
Christos Scondras
Chief of Programs, XPK

This work is sponsored by the Department of Defense. The Software Engineering Institute is a federally funded research and development center sponsored by the Department of Defense.

Copyright 2003 by Carnegie Mellon University.

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at

For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site.

Table of Contents

Preface to the Second Edition .. ix
Preface to the First Edition .. xi
Acknowledgements .. xiii
1 Introduction .. 1
Scope of the Document .. 4
Intended Use of This Document .. 6
Document
2 Basic
CSIRT Mission Statement .. 10
Place in Organization .. 17
Relationship to Other Teams .. 19
Service and Quality
CSIRT Services .. 23
Service
Service Descriptions .. 25
Selection of Services .. 34
Information
Attributes .. 39
Content .. 40
Validation .. 41
Implementation, Maintenance, and Quality Assurance .. 42
Definition of a Quality System .. 43
Checks: Measurement of Quality Parameters .. 45
Balances: Procedures to Assure .. 47
Constituents' View of Quality .. 48
Adapting to Specific .. 48
The Need for Flexibility .. 50
Legal Issues .. 51
Institutional Regulations .. 58
3 Incident Handling Service .. 61
Service Description .. 61
Objective .. 62
Definition .. 63
Function Descriptions .. 64
Availability .. 65
Quality Assurance .. 65
Interactions and Information .. 66
Interfaces with Other Services .. 66
Priority .. 66
Service Functions .. 67
Triage Function .. 69
Use of Tracking Numbers .. 70
Use of Standard Reporting Forms .. 73
Preregistration of Contact Information .. 75
Handling Function .. 76
Incident Life Cycle .. 77
Incident Analysis .. 79
Tracking of Incident .. 91
Announcement .. 92
Announcement .. 93
A Priori .. 95
Announcement Life .. 97
Feedback .. 100
Interactions .. 102
Points of Contact .. 103
Secure Communication .. 109
Special .. 110
Information Handling .. 119
Information .. 119
Information .. 120
Information .. 121
Information Storage .. 122
Information Sanitizing and .. 123
Prioritization
Escalation
Information Disclosure .. 132
4 Team Operations .. 137
Fundamental Policies .. 141
Code of
Information Categorization
Information Disclosure Policy .. 144
Media Policy .. 148
Security Policy .. 149
Human Error
Continuity
Continuity
Workflow Management .. 155
Out-Of-Hours Coverage .. 157
Off-Site Coverage .. 159
Security
Staff
CSIRT
Hiring Staff .. 169
Arrival and Exit
Training Staff .. 172
Retaining Staff .. 174
Extension of
5 Closing Remarks .. 177
Closing Remarks from the First
Closing Remarks for the Second Edition .. 178
Appendix A: About the Authors .. 181
Appendix B: Glossary .. 187

List of Figures

Figure 1: CSIRT Within an Organization .. 18
Figure 2: CSIRT Peer
Figure 3: Service and Quality Framework as Derived from Mission
Figure 4: Incident Handling Service
Figure 5: CERT/CC Incident Handling Life Cycle .. 77
Figure 6: CERT/CC Code of

List of Tables

Table 1: Examples of CSIRT Types With Associated Missions and Constituencies .. 12
Table 2: Possible Authority Relationships Between a CSIRT and Its Constituency .. 15
Table 3: Service Description
Table 4: List of Common CSIRT Services .. 25
Table 5: Examples of Possible Information Flow to and from the Incident Handling Service .. 37
Table 6: Basic Policy Attributes .. 40
Table 7: Policy Content Features .. 41
Table 8: Examples of Dynamic Environment Factors and Their Impact on CSIRTs .. 50
Table 9: Examples of Liability Issues Arising From Omission .. 56
Table 10: Examples of Liability Issues Arising From the Content of Signed
Table 11: Examples of Liability Issues Arising From Information Disclosure .. 57
Table 12: Range of Possible Incident Handling Service Objectives Based on Differing Team
Table 13: Possible Instantiations of Handling Function
Table 14: Analysis Depth Factors .. 82
Table 15: Notable Characteristics of Log Files .. 83
Table 16: Incident Tracking
Table 17: Possible Inter-Team Support .. 113
Table 18: Considerations for Information Sharing .. 113

Preface to the Second Edition

We have often been asked whether an updated version of the CSIRT Handbook would ever be released.

Periodically we have reviewed the document and found that most of the material and guidance provided are still current, relevant, and helpful to new and existing Teams. Some of the examples included and organizations discussed were dated, but otherwise the concepts and recommendations covered are still valid for today's work.

In the summer of 2002, the CERT CSIRT Development Team began collaboration with the Trusted Introducer for European Computer Security Incident Response Teams (CSIRTs) service to create a standard set of service descriptions for CSIRT functions. As we finished that document[1] it became apparent that we should, indeed, update the CSIRT Handbook to include this new list of services. As we began to revise the document we felt it was also time to update any out-of-date examples and any out-of-date terminology. We also included, where appropriate, references to new discussion topics, resources, or CSIRT operational activities that we believe are relevant to the information discussed in this Handbook.

In the long run though, we elected to minimize the changes to the original as much as possible. These are the main changes that have been made:

1. Many of the examples provided in the Handbook have been updated. We have kept a number of the previous examples, as they are still true conceptually and the guidance available still proves to be useful today. More recent examples have been added that we hope will be more applicable for today's readers.

2. The new CSIRT service definitions have been incorporated throughout the Handbook.

3. The Handbook has been aligned with other new documents that we have produced or are in the process of producing, specifically the new Organizational Models for CSIRTs Handbook. This document is a companion piece to the CSIRT Handbook. It provides detailed information on the types of organizational structures and corresponding services that may be implemented to provide a CSIRT capability. We have timed the release of this updated version of the CSIRT Handbook with the publication of the Organizational Models for CSIRTs Handbook.

