State of the Practice of Computer Security Incident Response Teams (CSIRTs) Georgia Killcrece Klaus-Peter Kossakowski Robin Ruefle Mark Zajicek October 2003 TECHNICAL REPORT CMU/SEI-2003-TR-001 ESC-TR-2003-001 Pittsburgh, PA 15213-3890 State of the Practice of Computer Security Incident Response Teams (CSIRTs) CMU/SEI-2003-TR-001 ESC-TR-2003-001 Georgia Killcrece Klaus-Peter Kossakowski Robin Ruefle Mark Zajicek October 2003 Networked Systems Survivability Program Unlimited distribution subject to the copyright. This report was prepared for the SEI Joint Program Office HQ ESC/DIB 5 Eglin Street Hanscom AFB, MA 01731-2116 The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange. FOR THE COMMANDER Christos Scondras Chief of Programs, XPK This work is sponsored by the U.S. Department of Defense. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense. Copyright 2003 Carnegie Mellon University. NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder. Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works. External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent. This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mel- lon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copy- right license under the clause at 252.227-7013. For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html). Table of Contents Who is the CERT CSIRT Development Team and What Do They Do? ................ix Preface ....................................................................................................................xi Acknowledgements ..............................................................................................xiii Abstract..................................................................................................................xv 1 Introduction .....................................................................................................1 1.1 Purpose of the Document..........................................................................3 1.2 Scope of the Document .............................................................................3 1.3 Intended Audience.....................................................................................4 1.4 Use of this Document ................................................................................5 1.5 Document Structure...................................................................................6 1.6 About the Survey.......................................................................................6 1.7 About the Literature Search.......................................................................8 2 Computer Security Incident Response Teams ............................................11 2.1 What is a CSIRT?.................................................................................... 11 2.2 Types of CSIRTs......................................................................................14 2.3 History and Development of CSIRT Capabilities......................................17 2.3.1 The Early Beginnings...................................................................17 2.3.2 The Creation of FIRST.................................................................20 2.3.3 Europe Becomes Involved ...........................................................21 2.3.4 Initiatives in the Asia Pacific Region.............................................27 2.3.5 Initiatives in Latin America ...........................................................30 2.3.6 Developments in Canada.............................................................32 2.3.7 Developments in the United States ..............................................33 2.3.8 Other Initiatives in CSIRT Development and Evolution ................34 2.3.9 Today’s Activities .........................................................................35 3 Current State of the Practice of CSIRTs.......................................................37 3.1 Number and Type of CSIRTs Today.........................................................37 3.1.1 The Growth of FIRST Teams .......................................................38 3.1.2 Growth in European CSIRTs........................................................39 CMU/SEI-2003-TR-001 i 3.1.3 Total Registered CSIRTs............................................................. 40 3.1.4 CSIRT Growth by General Category ........................................... 42 3.1.5 Other Trends ............................................................................... 46 3.1.6 The Spread of CSIRTs ................................................................ 47 3.2 CSIRT Organizational Structure .............................................................. 49 3.2.1 Constituency................................................................................ 49 3.2.2 Mission........................................................................................ 51 3.2.3 Organizational Placement of the CSIRT ...................................... 51 3.2.4 CSIRT Authority .......................................................................... 53 3.3 Funding and Costs.................................................................................. 54 3.3.1 Funding Strategies ...................................................................... 55 3.3.2 Budgets....................................................................................... 56 3.3.3 Staff Costs................................................................................... 57 3.3.4 The Cost of an Incident ............................................................... 58 3.3.5 Making a Case to Management................................................... 62 3.4 Services.................................................................................................. 65 3.5 Staffing.................................................................................................... 71 3.5.1 Staff Size..................................................................................... 71 3.5.2 Staff Positions ............................................................................. 72 3.5.3 Staff Skills ................................................................................... 76 3.5.4 Staff Burnout ............................................................................... 78 3.6 Training and Certification ........................................................................ 79 3.7 Processes............................................................................................... 81 3.7.1 Defining Computer Security Incidents and Other Incident Response Terminology................................................................ 82 3.7.2 Having a Plan.............................................................................. 84 3.7.3 Incident Handling Process or Methodology.................................. 87 3.7.4 Receiving Incident Data............................................................... 88 3.7.5 Recording and Tracking CSIRT Data .......................................... 89 3.7.6 Categorizing and Prioritizing Incident Reports ............................. 95 3.7.7 Incident Response Processes ..................................................... 98 3.7.8 Computer Forensics Activities ................................................... 100 3.7.9 Answering the CSIRT Hotline .................................................... 102 3.7.10 Hours of Operation .................................................................... 102 3.7.11 Types of Incidents ..................................................................... 103 3.7.12 Number of Incidents .................................................................. 104 3.7.13 Secure Communications Mechanisms Used.............................. 105 3.7.14 Coordination and Information Sharing ....................................... 105 3.7.15 Documenting Policies and Procedures ...................................... 108 3.8 Changes in Intruder Attacks
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages293 Page
-
File Size-