4.2 Incident Management
4.2.5 R: Respond Process
4.2.5.6 R: Respond Workflow Description
Mission/Objectives
• To resolve events and incidents
− within defined time constraints
− while handling information appropriately (e.g., within security, legal, and investigative contexts)
− according to established policy, procedures, and quality requirements
Triggers
• When assigned events arrive
Inputs
Input: Assigned events
Description: This includes all information that is passed to R: Respond for a given event. It can include event information received by T: Triage Events, the event’s category and priority, and assigned responsibility for incident handling. Some events may be identified as incidents during T: Triage Events, while other events are passed to R: Respond for further evaluation.
Form: Verbal, electronic, or physical
CMU/SEI-2004-TR-015 135
Completion Criteria
• When technical, management, and legal responses are complete (e.g., no further response actions remain, the event or incident is closed, or the event or incident is reassigned outside of the incident handling process)
Note: The technical, management, and legal responses might not close at the same time.
Policies and Rules
• CSIRT/IT policies
• Organizational security policies (including HR and PR)
• Security-related regulations, laws, guidelines, standards, and metrics
• Organizational policies that affect CSIRT operations
• Reporting requirements (critical infrastructure protection, government, financial, academic, military)
General Requirements
• Designated personnel use appropriate procedures, technology, and office space when secure handling of event information is required.
• Designated personnel receive appropriate training in procedures and technologies related to the tasks they are required to perform.
• Designated personnel document and track results in accordance with CSIRT and organizational policies and procedures.
• When an event is part of an incident that has previously been closed, designated personnel can reopen the closed incident if appropriate.
Outputs
Decision: A postmortem review of the incident is required; internal and external stakeholders need to be notified; response is reassigned outside of the incident management process
Output: Response information
Description: This includes all relevant response-related data tailored for a specific audience (e.g., for a postmortem, for stakeholders, for other organizational personnel).
Form: Verbal, electronic, or physical

Decision: A postmortem review of the incident is required
Output: Response actions and decisions
Description: This includes the following data about the response:
• technical, management, or legal actions taken
• technical, management, or legal decisions made
Form: Verbal, electronic, or physical

Decision: A postmortem review of the incident is required
Output: Proposed CSIRT process changes
Description: This includes projected modifications to an existing CSIRT process. When the decision to conduct a postmortem is made, proposed CSIRT process changes are forwarded from R: Respond to PC: Prepare/Sustain/Improve.
Form: Verbal, electronic, or physical

Decision: Event is reassigned outside of the incident management process
Output: Reassigned events
Description: This includes all information related to an event that is reassigned outside of the incident management process. It can include information received by R: Respond, any preliminary analysis performed on the information, and the rationale for reassigning the event. When applicable, it can also include the response strategy, as well as any actions and decisions made during the response.
Form: Verbal, electronic, or physical

Decision: The response is complete
Output: Response documentation
Description: This includes all information related to the response. It is recorded once the response is complete.
Form: Electronic or physical

Decision: The response is complete
Output: Formal notification of closure
Description: This is an official notice to everyone who participated in the response that it is complete.
Form: Verbal, electronic, or physical
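As an added example that is not code from the SEI report, the following Python record encodes the completion criteria and the closure-related outputs above: the technical, management, and legal responses close independently, the incident is closed when all three are complete or the event is reassigned outside the process, reassignment carries a documented rationale, and a closed incident can be reopened when a later event belongs to it. The class, method, and field names, and the rule that reopening resets every track, are this example's own assumptions.

```python
# Added example, not the SEI report's own code; all names here are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRACKS = ("technical", "management", "legal")


@dataclass
class RespondRecord:
    incident_id: str
    # Each track closes on its own: the report notes they need not close together.
    complete: Dict[str, bool] = field(
        default_factory=lambda: {t: False for t in TRACKS})
    reassigned_to: Optional[str] = None  # set when handed outside the process
    log: List[str] = field(default_factory=list)  # actions and decisions taken

    def complete_track(self, track: str) -> None:
        if track not in TRACKS:
            raise ValueError(f"unknown response track: {track}")
        self.complete[track] = True
        self.log.append(f"{track} response complete")

    def reassign(self, destination: str, rationale: str) -> dict:
        """Hand the event outside incident management; the returned 'reassigned events' record carries the rationale."""
        if not rationale:
            raise ValueError("reassignment requires a documented rationale")
        self.reassigned_to = destination
        self.log.append(f"reassigned to {destination}: {rationale}")
        return {"incident_id": self.incident_id, "destination": destination,
                "rationale": rationale, "actions": list(self.log)}

    def is_closed(self) -> bool:
        """Closed when all responses are complete or the event is reassigned."""
        return self.reassigned_to is not None or all(self.complete.values())

    def closure_notice(self) -> Optional[str]:
        """Formal notification of closure exists only once the incident is closed."""
        if not self.is_closed():
            return None
        if self.reassigned_to:
            return f"{self.incident_id}: reassigned to {self.reassigned_to}"
        return f"{self.incident_id}: all responses complete"

    def reopen(self, event_id: str) -> None:
        """A new event tied to a closed incident may reopen it (assumed to reset all tracks)."""
        if not self.is_closed():
            raise ValueError("only a closed incident can be reopened")
        self.complete = {t: False for t in TRACKS}
        self.reassigned_to = None
        self.log.append(f"reopened for event {event_id}")
```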
Subprocess: R1: Respond to Technical Issues
Subprocess Requirements
• Designated personnel analyze each event and plan, coordinate, and execute the appropriate technical response across involved sites and other relevant parties.
• Designated personnel decide that the technical response is complete, all appropriate personnel are notified, and the incident is closed.
• Automated tools execute preplanned technical responses when appropriate.
Inputs
• Assigned events*
Outputs
• Technical response information*
• Technical response actions and decisions*
• Technical response documentation*
• Reassigned events*
Written Procedures
• Designated personnel follow incident handling procedures when analyzing, planning, coordinating, and responding to events.
• Designated personnel use predefined guidelines when responding to specific types of events.
• Designated personnel follow appropriate procedures for closing incidents.
• Automated response tools are designed to execute preplanned technical responses for specific types of events or incidents.

Subprocess: R2: Respond to Management Issues
Subprocess Requirements
• Designated personnel analyze each event and plan, coordinate, and execute the appropriate management response.
• Designated personnel decide that the management response is complete, all appropriate personnel are notified, and the incident is closed.
• Designated personnel trigger a legal response when appropriate.
Inputs
• Assigned events*
Outputs
• Management response information*
• Management response actions and decisions*
• Management response documentation*
• Reassigned events*
Written Procedures
• Designated personnel follow organizational procedures (e.g., project management, IT governance, policy management) for coordinating and responding to events.
• Designated personnel follow appropriate procedures for closing incidents.
• Designated personnel follow human resource procedures when dealing with staffing issues.
• Designated personnel follow PR procedures when dealing with media issues.
• Designated personnel follow risk and audit procedures when dealing with liability and compliance issues.
• Designated personnel follow quality assurance procedures when dealing with quality issues.

Subprocess: R3: Respond to Legal Issues
Subprocess Requirements
• Designated personnel analyze each event and plan, coordinate, and execute the appropriate legal response regarding legal advice, investigation, and prosecution.
• Designated personnel decide that the legal response is complete, all appropriate personnel are notified, and the incident is closed.
Inputs
• Assigned events*
Outputs
• Legal response information*
• Legal response actions and decisions*
• Legal response documentation*
• Reassigned events*
Written Procedures
• Designated personnel follow appropriate guidelines and procedures, regulations, and laws when
− providing legal advice
− conducting investigations
− collecting evidence
− prosecuting perpetrators
• Designated personnel follow appropriate procedures for closing incidents.

Note: An asterisk (*) after an input to or an output of a subprocess indicates that it is also an input to or an output of the overall process. When an input to or an output of a subprocess is not followed by an asterisk, the input or output is internal to the process.
Key People (technical issues)
• Designated personnel for responding to technical issues can include
− CSIRT staff
− CSIRT manager
− IT staff (system and network administrators)
− security staff (physical and cyber)
− SMEs/trusted experts
− information security officer
− vendors
− other CSIRTs
− ISPs/network service providers
− CSIRT constituency
− victim or involved sites
− coordination center
Technology (technical issues)
• Designated personnel can use the following technology when responding to technical issues:
− security tools (e.g., log analysis tools, event monitoring tools, antivirus tools, file integrity checkers, vulnerability scanning tools, DNS query tools, whois, port number lists, forensics and other investigative tools)
− infrastructure components (firewalls, intrusion detection systems, routers, filters)
− knowledge bases (CERT/CC, CVE)
− system and network administration tools (tools for configuration management, patch management, and user management)
− incident handling database/tracking system
− communication channels, encrypted when appropriate (email, mailing lists, newsgroups, web, XML RSS channels, automated call distribution system)
Other/Miscellaneous (technical issues)
• Automated response tools can be used to automatically execute a preplanned technical response.
• Periodic quality assurance checks are performed on automated tools.
• Designated personnel use appropriate procedures and security measures when configuring and maintaining automated tools.
• Designated personnel can recategorize and reprioritize incidents when appropriate.

Key People (management issues)
• Designated personnel for responding to management issues can include
− upper management of the CSIRT constituency, business and functional units, IT management, etc.
− CSIRT manager
− HR staff
− PR staff
− auditors, risk management staff, compliance staff
− SMEs/trusted experts
− victim or involved sites
− coordination center
Technology (management issues)
• Designated personnel can use the following technology when responding to management issues:
− communication channels, encrypted when appropriate (email, videoconferencing, groupware, web)
− decision support tools
Other/Miscellaneous (management issues)
• Designated personnel use executive and technical summaries as aids in decision making.
• Designated personnel can recategorize and reprioritize incidents when appropriate.

Key People (legal issues)
• Designated personnel for responding to legal issues can include
− legal counsel for constituency and CSIRT
− inspectors general
− attorneys general
− law enforcement (state, local, federal, international)
− criminal investigators
− forensics specialists
− victim or involved sites
Technology (legal issues)
• Designated personnel can use the following technology when responding to legal issues:
− communication channels, encrypted when appropriate (email, videoconferencing, groupware, web)
− forensics and other investigative tools
− knowledge bases (case law, judicial precedents, laws, regulations, integrated justice systems)
− any technologies that support the legal process
Subprocess: Coordinate Technical, Management, and Legal Responses
Subprocess Requirements
• Designated personnel plan, coordinate, and execute their response by providing advice, developing and disseminating recommendations, sharing data, and giving directions and assigning actions.
• Designated personnel decide that the coordinated response is complete, all appropriate personnel are notified, and the incident is closed.
Shared Information
• Technical, management, and legal response information*
• Technical, management, and legal response actions and decisions*
Output
• Response information*
• Response actions and decisions*
• Response documentation*
• Reassigned events*
Written Procedures
• Designated personnel follow procedures required for technical, management, and legal responses.
• Designated personnel follow appropriate procedures for coordinating technical, legal, and management responses.
• Designated personnel follow information disclosure policies, guidelines, and procedures.

Subprocess: External Communication with Others
Subprocess Requirements
• Designated personnel communicate with external parties as part of the response. This communication can include queries for additional information about an incident, recommendations for addressing an incident, information required for coordinating the response with external parties, and required reporting to designated entities.
Written Procedures
• Designated personnel follow procedures required for communicating with external parties.
• Designated personnel follow appropriate procedures for working with external parties.
• Designated personnel follow information disclosure policies, guidelines, and procedures.
Key People (coordinating responses)
• Designated personnel for coordinating technical, management, and legal responses can include
− key people involved in the technical, management, and legal responses
Technology (coordinating responses)
• Designated personnel can use the following technology when coordinating technical, management, and legal responses:
− communication channels, encrypted when appropriate (email, phone, fax, XML RSS, videoconferencing, groupware, web)
− data sharing tools, formats, and standards (web, IODEF, XML, IDMEF, CAIF)
− documentation and publication technologies

Key People (external communication)
• Designated personnel for communicating with external parties can include
− key people involved in the technical, management, and legal responses
− external people who might be involved in the response (e.g., media, other CSIRTs, vendors, SMEs, ISPs, NAPs, MSSPs, law enforcement, ISACs, other compliance organizations)
− people from all involved sites
Technology (external communication)
• Designated personnel can use the following technology when communicating with external parties:
− communication channels, encrypted when appropriate (email, phone, fax, XML RSS, videoconferencing, groupware, web, special reporting systems)
− data sharing tools, formats, and standards (web, IODEF, XML, IDMEF, CAIF)
− documentation and publication technologies
4.2.5.7 Handoff from R: Respond to PC: Prepare/Sustain/Improve