Computer Security Incident Response

Thursday, November 04, 2010

John McGloughlin


People that I hang with have been asking me to author some content concerning different computer security subjects.

I guess the subjects that I’m most passionate about are capability (CSIRC) and response (CSIRT). I mean I love a good piece of recondite intelligence from an IDS / IPS system but who doesn’t?

This is a series of articles defining a computer security incident response capability (CSIRC) framework and an implementation schema for computer security incident response teams (CSIRT). If you don’t have either of these plans in your organization you should. If you do, congratulations!

In either case, I hope that this content will help you improve the security posture within your organization. All of the concepts that I express I have employed when managing very large Security Operations Centers (SOC) and teams of computer security experts.

I'll break the series into three parts. The first part will convey a taxonomy that will be used in the remaining two. The second part will focus on the strategic “What” and “Why” (CSIRC).  The third part will focus on the tactical “How” (CSIRT) including the diligence of collecting and managing intelligence.

Part 1  - Taxonomy

This part is responsible for communicating important concepts and key components within the CSIRC / CSIRT ethos. Many of these terms are often used within the lexicon of computer security professionals and the computer security industry as a whole.

This section intends to reduce the ambiguity sometimes associated with these terms, provide a consistent vernacular for its implementers (asset custodians), highlight key concepts, and clarify their representation within this context.


Assets (targets) are physical and logical digital entities that represent value and liability (disadvantage). The more information about an asset that is available to a party intending to use it, the better that party can gauge its value and liability.

This is thought of from the perspective of both a party with malicious intent (the attacker) and a party responsible for protecting the asset and its relationships (the custodian). It is to the advantage of an asset custodian to gain more information about its assets than the attacker has.

Attacker motives are generally thought of as being malicious (steal) and custodian motives are generally thought of as being benevolent (protect).

From both perspectives: an asset represents value if it is has enablers that are capable of yielding positive results sought by a specific motive; an asset represents liability if it yields negative results or it erodes value for a specific motive. 

It is to the advantage of an asset custodian to create greater liability and less value for the attacker; and create greater value and less liability for itself.


A threat is any activity that represents the potential of a negative impact to an asset, a collection of assets or reputation. It is usually a precursor to or part of an attack.

It is to the advantage of an asset custodian to monitor, model, and enumerate threats as part of its overall intelligence collection strategy.

Threat Levels

A threat level represents the degree of likelihood that a threat will manifest itself into a successful attack. Threat levels are communication entities used as guides for escalation paths and aid decision makers along those paths.

It is to the advantage of an asset custodian to establish a model for assessing the threat level for a particular threat in order to effectively and efficiently deploy the resources required to contain the threat.

Attack Surface

An attack surface represents the ingress or egress points of an asset or a collection of assets that provide an attacker with enablers to increase the value of its motive and the likelihood that an attack with be successful. 

It is to the advantage of an asset custodian to reduce the attack surfaces of its assets.


The intersection of an attack surface enabler, access to the enabler point, and attacker capability represents the vulnerability of an asset. If these three components are true then an attack is likely to be successful.

It is to the advantage of an asset custodian to understand at a minimum the enabler and access vectors of an asset and eliminate them from the attacker that has capability to use those vectors in order to increase the value of its motive.


An exploit represents the successful outcome of an attackers’ motive. Exploits often contain electronic DNA or electronic fingerprints that when evaluated explain how the exploit was achieved. These fingerprints are usually in the form of threats, attack surfaces, and vulnerabilities.

It is to the advantage of an asset custodian to diligently collect the necessary intelligence to implement offensive and defensive strategies that contain the exploit, provide activity details that can be used to eliminate the exploit from recurring, and provide forensics evidence that can be used in a court of law (prosecution and defense).

Events vs. Incidents

An event represents a unit of intelligence that is used in the course of normal operations to perform surveillance, analysis, event handling, containment, remediation, recovery and reporting.

An incident, having a legal connotation, represents an exploit and the actions that follow the exploit including the conduct of the operations staff, its management and any regulatory activities for disclosing the incident to external parties (public). 

It is to the advantage of an asset custodian to be prepared to manage both events and incidents, limit the transformation of events into incidents, and be able to distinguish between the two.


The term community is used to describe human beings that are considered allies of asset custodians and the corporation. This group represents those who most often make use of assets as a means to achieve the corporation’s goals and aspirations. 

It is to the advantage of an asset custodian to use the community as a force multiplier in its effort to maintain a healthy computer security posture. 

Cross-posted from GuardSight

Possibly Related Articles:
Enterprise Security
Security Strategies Vulnerabilities Incident Response Exploits
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.