4.2 Incident Management
4.2.3 D: Detect Events Process
4.2.3.5 D: Detect Events Workflow Description
Mission/Objectives
• To identify unusual activity that might compromise the mission of the CSIRT constituency and/or the CSIRT
− within defined time constraints
− while handling information within the appropriate security context

Triggers
• When suspicious or unusual activity is noticed
• When advisories, alerts, and other information reports or requests arrive

Completion Criteria
• When a decision about an event is made (i.e., forward to T: Triage Events, reassign to other processes, or close)
• When outputs are ready to be passed to the next process
Inputs

Input: General indicators
Description: This information includes the following security-related items: (1) suspicious or unusual activity noticed by internal and external sources and (2) data proactively gathered by the CSIRT, including log information, computer security news, and current events.
Form: Verbal, electronic, or physical

Input: Event reports
Description: This includes reports of unusual or suspicious activity to the CSIRT identified during infrastructure evaluations performed as part of PI: Protect Infrastructure. Event reports received from PI: Protect Infrastructure can include the following security-related items: specific signs of intrusion, configuration errors, and artifacts.
Form: Verbal, electronic, or physical

Input: General requests/reports
Description: This includes non-incident information (e.g., general information about the CSIRT, general security questions, speaker requests).
Form: Verbal, electronic, or physical
CMU/SEI-2004-TR-015 101
Policies and Rules
• CSIRT/IT policies
• Security-related regulations, laws, guidelines, standards, and metrics
• Organizational security policies
• Organizational policies that affect CSIRT operations
• Reporting requirements (critical infrastructure protection, government, financial, academic, military)

General Requirements
• Designated personnel use appropriate procedures, technology, and office space when secure handling of event information is required.
• Designated personnel receive appropriate training in procedures and technologies related to the tasks they are required to perform.
• Designated personnel document and track results in accordance with CSIRT and organizational policies.
• Periodic quality assurance checks are performed on automated tools.
• Designated personnel use appropriate procedures and security measures when configuring and maintaining automated tools.
Outputs

Decision: Event requires further incident management action (i.e., event is sent to T: Triage Events)
Output: Event information
Description: This includes all information that is passed to T: Triage Events for a given event. It can include the reported information and general indicators received by D: Detect Events, any preliminary analysis performed on the information, and the decision rationale for forwarding the information to T: Triage Events.
Form: Verbal, electronic, or physical

Decision: Event is reassigned outside of the incident management process
Output: Reassigned events
Description: This includes all information related to an event that has been reassigned outside of the incident management process. It can include the reported information and general indicators received by D: Detect Events, as well as any preliminary analysis performed on the information. It can also include the rationale for reassigning the event.
Form: Verbal, electronic, or physical

Decision: Event is closed
Output: Closed events
Description: This includes all information related to an event that has been closed. It can include the reported information and general indicators received by D: Detect Events, as well as any preliminary analysis performed on the information. It can also include the rationale for closing the event.
Form: Verbal, electronic, or physical
Subprocesses

D1: Notice Events (Reactive)
Subprocess Requirements
• Designated personnel notice suspicious or unusual activity and report it to the CSIRT.
• Trusted external groups send advisories and alerts to the CSIRT.
Inputs
• General indicators*
Outputs
• Event reports
Written Procedures
• Designated personnel follow incident reporting guidelines for reporting information to the CSIRT.
• Trusted external groups follow operational procedures and watch procedures for reporting information to the CSIRT.

D2: Receive Information
Subprocess Requirements
• Designated personnel review reports, verify them, and decide what to do with them (i.e., forward to T: Triage Events, reassign to other processes, or close).
• Automated tools receive reports and forward them to T: Triage Events.
Inputs
• Event reports
• General requests/reports*
Outputs
• Event information*
• Reassigned events*
• Closed events*
Written Procedures
• Designated personnel follow report collection procedures for reviewing and verifying reports and deciding what to do about them.
• Designated personnel follow appropriate procedures for reassigning and closing events.
• Automated tools are designed to follow report collection procedures for receiving and forwarding reports.

D3: Monitor Indicators (Proactive)
Subprocess Requirements
• Designated personnel proactively monitor a variety of sources for indications of potential events (e.g., log information, computer security news, current events).
• Automated tools monitor systems and networks for general indicators.
Inputs
• General indicators*
Outputs
• Event indicators
Written Procedures
• Designated personnel follow operational procedures for monitoring and reviewing general indicators.
• Automated tools are designed to follow operational procedures for monitoring systems and networks for general indicators.

D4: Analyze Indicators
Subprocess Requirements
• Designated personnel review and analyze event indicators and decide what to do with the information (i.e., forward to T: Triage Events, reassign to other processes, or close).
• Automated tools analyze event indicators and determine when to forward them to T: Triage Events.
Inputs
• Event indicators
Outputs
• Event information*
• Reassigned events*
• Closed events*
Written Procedures
• Designated personnel follow operational procedures for reviewing and analyzing event indicators and deciding what to do with them.
• Designated personnel follow appropriate procedures for reassigning and closing events.
• Automated tools are designed to follow operational procedures for analyzing event indicators and determining when to forward them to T: Triage Events.

Note: An asterisk (*) after an input to or an output of a subprocess indicates that it is also an input to or an output of the overall process. When an input to or an output of a subprocess is not followed by an asterisk, the input or output is internal to the process (e.g., Event reports flow from D1 to D2, and Event indicators flow from D3 to D4).
Key People, Technology, and Other/Miscellaneous

D1: Notice Events (Reactive)
Key People
• Designated personnel for noticing and reporting events can include
− CSIRT
− CSIRT constituency
− victim or involved sites
− general external groups (third-party reporters, MSSPs, media, law enforcement)
− trusted external groups (other CSIRTs, vendors, etc.)
− IT staff (e.g., NIC staff, NOC staff, SOC staff, system and network administrators)
− coordination center
Technology
• People can use the following technology when noticing and reporting events:
− security tools (e.g., IDS, encryption)
− desktop workstations
− communication channels, encrypted when appropriate (email, videoconferencing, groupware, web)

D2: Receive Information
Key People
• Designated personnel for receiving reported information can include
− help desk staff
− CSIRT triage staff
− CSIRT hotline staff
− CSIRT manager
− incident handlers
− information security officer
− system and network administrators
− third-party answering service
− coordination center
Technology
• Designated personnel can use the following technology when receiving, reviewing, and deciding what to do about reported information:
− security tools (whois, port number lists, encryption, etc.)
− communication channels, encrypted when appropriate (email, videoconferencing, groupware, web)
− database system
− decision support tools
Other/Miscellaneous
• Automated receiving and forwarding tools can be used to automatically receive events and forward them to T: Triage Events.

D3: Monitor Indicators (Proactive)
Key People
• Designated personnel for proactive monitoring can include
− IT staff (e.g., NIC staff, NOC staff, system and network administrators)
− selected members of the CSIRT staff
− third parties (e.g., regulatory bodies, MSSPs, collaborators, ISPs, trusted SMEs)
− coordination center
Technology
• Designated personnel can use the following technology when monitoring for general indicators:
− security tools (e.g., IDS, vendor applications)
− data manipulation tools
− Internet search engines
− communication channels, encrypted when appropriate (e.g., email, mailing lists, newsgroups, web)
− database/archive system
Other/Miscellaneous
• Automated detection agents or sensors can be used to automatically monitor systems and networks for general indicators.

D4: Analyze Indicators
Key People
• Designated personnel for analyzing indicators can include
− IT staff (e.g., NIC staff, NOC staff, system and network administrators)
− selected members of the CSIRT staff
− third parties (e.g., regulatory bodies, MSSPs, collaborators, ISPs, trusted SMEs)
− coordination center
Technology
• Designated personnel can use the following technology when reviewing, analyzing, and deciding what to do about event indicators:
− communication channels, encrypted when appropriate (email, videoconferencing, groupware, web)
− database system
− decision support tools
− knowledge bases (e.g., CERT/CC, CVE [30])
Other/Miscellaneous
• Automated detection agents or sensors can be used to automatically analyze event indicators and determine when to forward them to T: Triage Events.

[30] Common Vulnerabilities and Exposures, http://www.cve.mitre.org/.
4.2.3.6 Handoff from Any Activity Inside or Outside of the Organization