Building A CSIRT: Incident Management Frameworks

Building an effective Computer Security Incident Response Team (CSIRT) requires more than the right people; it also requires the correct structure. When building and maintaining an Incident Response Team, a set of regulations and frameworks should be followed. Frameworks give guidance and a methodology for building an incident response team within an organization. Fortunately, there are multiple frameworks available as resources for establishing a productive Incident Response Team. Below is a list of the incident management frameworks available.

  1. ISO/IEC 27035-1:2016: Information Security Incident Management
  • This framework was released in 2016, is set for an update in 2021, and has two parts.
  • Part One: Principles of Incident Management contains five phases:
    • Plan and prepare for incidents;
    • Detection and Reporting: All events that can turn into incidents should be reported
    • Assessment and Decision: An analyst must assess if the reported event is, in fact, an incident
    • Response: Contain and recover from the incident. Analyze the incident as needed.
    • Lessons Learned: After the incident, make improvements as needed
  • Part Two: Guidelines for planning and preparing for incident response.
    • This part offers assistance on planning and preparing for incidents and has 8 lessons. Lessons include establishing an information security incident management policy, creating an incident management plan, and creating a CSIRT team.
  • It only provides guidance to large and medium-sized corporations. Smaller organizations, and guidance for groups trying to shape their services, are an afterthought.
  • Rigid, inflexible standard.
  2. SANS: Creating and Managing an Incident Response Team
  • This incident management framework is aimed at large companies and does not detail the creation of managed services.
  • Included in the IR framework are provisions for what type of passive actions can be taken, such as vulnerability scanning, and active actions, such as vulnerability management. The scope is larger than management-level responsibilities and more technical.
  • Sample policies are provided for this framework that can be used to model an IR plan.
  • Phases of this plan are:
    • Identification
    • Triage Roles
    • Identification Tasks
    • Containment
    • Eradication
    • Recovery
    • Lessons Learned/Reflection
  • Proper CSIRT team creation guidelines are presented.
  3. RFC 2350: Expectations for Computer Security Incident Response
  • This document is from 1998 and is therefore outdated; it is not recommended that it be used. It provides a very simple overview of an incident response plan, and topics are lightly touched upon. What this framework does provide of value is a brief, copy-ready outline for incident response. It has almost all the sections a modern IR plan would contain, but it would require a considerable amount of adaptation.
  4. CERT: Handbook for Computer Security Incident Response Teams (CSIRTs)
  • This handbook is an overall complex, detailed framework for IR plans of any size. Because of this, it can be used to shape managed services for organizations willing to conduct IR assessments that include providing detailed plans. Of all the frameworks assessed, only the NIST framework is comparable to this one. Of note, sections 2.2 and 2.3 provide in-depth information on how to shape a CSIRT as a service, and 2.3 goes further by detailing what each service is composed of.
  5. NIST 800-61: Computer Security Incident Handling Guide
  • This document is short but detailed on the processes of an IR plan. For small to medium-sized businesses the NIST framework could be applied, whereas it is not entirely adequate for large enterprises. The policies promoted and team structures presented fit perfectly for a medium-sized organization. This document also details possible services that can be modeled into comprehensive offered services, but the selection is not deep. Its recommendations section also promotes key performance indicators to help an organization specify its plan.
  • The NIST framework is organized as follows:
    • Preparation
    • Detection and Analysis
    • Containment, Eradication and Recovery
    • Post-Incident Activity
  • What these phases primarily show is how many of the previous IR plans have modeled their own phases by removing from and adding to this base framework, as it is the standard. Use of the NIST framework is guaranteed to provide an organization an entry-level solution to IR; in the Detection and Analysis section alone, we can see a listing of not only popular attack vectors but also the methods associated with each type.
  • Overall, the NIST framework stands out for offering simplicity and depth at the same time.
  6. ENISA: CSIRT Setting up Guide
  • This document provides great value in that it presents all the information in an easy-to-digest format with templates to follow. In a sense, this document, while educational, might not be the best one to follow as it provides a broad, non-technical overview.
  • The value in this document is the models under section 6, which present organization models that detail specific use scenarios. The other added value it provides, which the others do not as much, is the international viewpoint, as this is a document from the European Union.
  • The ENISA guide excels at a general international overview for its IR plan, though it falls short of an effective, specific application.
  7. ENISA: Good Practice Guide for Incident Management
  • This guide is essentially the expansion of the previous document’s shortcomings. It goes into further detail on all of the areas their incident response setup did not fill in. Whereas the previous document lacked actual implementation strategy, this guide shapes an organization’s IR plan with the international view in a comprehensive way. Standout sections include “Roles” and “Workflow”: Roles for its detail on what each position should do in practice, and Workflow for its depth on what each stage of the model accomplishes. The stages of this model are interestingly different from the traditional models we have seen, mostly due to the European Union applications. For this document the stages are as follows:
    • Detection
    • Triage
    • Analysis
    • Incident Response
  • The sections are easy to follow, and more detailed tool usage is shown. This guide should be used as a main resource, but not the only document, when crafting a CSIRT for an organization, as the document leans towards governmental applications, even detailing how national and international cooperation should be done.
  8. ISACA: Incident Management and Response
  • The ISACA incident response framework is not detailed in the document presented. Instead, readers are provided an extremely general overview of incident management, incident response, and the overall management-level view of both. As presented, it is not recommended that someone use this document to shape their potential incident response plan, as it is a whitepaper. The paper does, however, explain in an easy-to-digest form how the COBIT 4.1 standard can be made into an effective IR plan. References for this paper come from the Carnegie Mellon paper we previously discussed.
  9. ISACA: Responding to Targeted Cyberattacks
  • The ISACA framework presented here is by far the most current. No other framework reviewed has detailed a modern attack; in fact, it is the only one to use the modern term “Advanced Persistent Threat”. The document is also in-depth in many areas, such as evidence handling, where the preferred actions to take align with the method many forensics companies use. The methodology used here is:
    • Preparation
    • Investigation
    • Eradication
    • Post-Eradication
  • Although this framework is the most recent, it is no surprise that it is also the most capable, along with Carnegie Mellon’s framework. The framework goes as far as providing templates for each step that are relevant and can be used with little to no modification.

These frameworks are great tools to follow for any CSIRT and can assist in guiding your organization effectively. The frameworks listed above are all unique and are useful in their own ways.

LIFARS Incident Response Team