diff --git a/clusters/first-csirt-services-framework.json b/clusters/first-csirt-services-framework.json
index b9104a3..3ce3c96 100644
--- a/clusters/first-csirt-services-framework.json
+++ b/clusters/first-csirt-services-framework.json
@@ -14,7 +14,7 @@
 {
 "description": " Based on logs, NetFlow data, IDS alerts, sensor networks, external sources, or other available information security event data, apply a range of methods from simple logic or pattern matching rules to the application of statistical models or machine learning in order to identify potential information security incidents. This can involve a vast amount of data and typically, but not necessarily, requires specialized tools such as Security Information and Event Management (SIEM) or big data platforms to process. An important objective of continuous improvement is to minimize the amount of false alarms that need to be analyzed as part of the Analyzing service.",
 "meta": {
- "outcome": " Potential information security incidents are identified for analysis as part of the Analyzing service. The following functions are considered to be part of the implementation of this service: Log and sensor management\nDetection use case management\nContextual data management",
+ "outcome": " Potential information security incidents are identified for analysis as part of the Analyzing service.",
 "purpose": " Implement automated, continuous processing of a wide variety of information security event sources and contextual data in order to identify potential information security incidents, such as attacks, intrusions, data breaches or security policy violations."
 },
 "related": [],
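Review bot: The rewritten `outcome` value still begins with a stray space (`"outcome": " Potential information security incidents …"`), and the unchanged `description` and `purpose` strings of this entry do too. Since this commit is already cleaning up the extracted text, the leading whitespace could be trimmed in the same pass, e.g. `"outcome": "Potential information security incidents are identified for analysis as part of the Analyzing service."`. Any consumer that renders or compares these strings verbatim would otherwise carry the space through.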
@@ -24,7 +24,7 @@
 {
 "description": "The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues.",
 "meta": {
- "outcome": "Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement. The following functions are considered to be part of the implementation of this service: Correlation\nQualification",
+ "outcome": "Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement.",
 "purpose": "Triage detected potential information security incidents and their qualification as information security incidents for escalation to the Information Security Incident Management service area or as false alarms."
 },
 "related": [],
@@ -32,9 +32,9 @@ "value": "Service: Event analysis" }, { - "description": "For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.5", + "description": "For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. 
To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.", "meta": { - "outcome": "The information security incident report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Information Security Incident Report Receipt\nInformation Security Incident Triage and Processing", + "outcome": "The information security incident report is received with professional and consistent intake of each report as well as its initial validation and classification.", "purpose": "Receive and process reports of potential information security incidents from constituents, from Information Security Event Management services or third parties." }, "related": [], 
@@ -44,7 +44,7 @@
 {
 "description": "This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit. Detailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken. The CSIRT may use other information and its own analysis (see below for some options) or knowledge available from vendors and product security teams or security researchers to better understand what has happened and what steps to take to remedy losses or damage.",
 "meta": {
- "outcome": "Knowledge is increased of the key details of an information security incident (e.g., description, impact, scope, attacks/exploits, and remedies). The following functions are considered to be part of the implementation of this service: Information security incident triage (prioritization and categorization)\nInformation collection\nDetailed analysis coordination\nInformation security incident root cause analysis\nCross-incident correlation",
+ "outcome": "Knowledge is increased of the key details of an information security incident (e.g., description, impact, scope, attacks/exploits, and remedies).",
 "purpose": "Analyze and gain an understanding of a confirmed information security incident."
 },
 "related": [],
@@ -54,7 +54,7 @@ { "description": "The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, applications codes, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply. Even without preserving a chain-of-custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments--with or without external accesses from standard wired or wireless networks (such as performing the forensics activities in a sealed or Faraday room), logging of activities, and compliance with procedures. As part of the handling of information security incidents, digital artefacts may be found on affected systems or malware distribution sites. Artefacts may be the remnants of an intruder attack, such as executables, scripts, files, images, configuration files, tools, tool outputs, logs, live or dormant pieces of code, etc. 
The analysis is carried out in order to find out some or all of the information listed below, which is not considered to be a complete list: The context required of the artefact to run and to perform its intended tasks, whether malicious or not\nHow the artefacts may have been utilized for the attack: uploaded, downloaded, copied, executed, or created within an organization’s environments or components\nWhich systems have been involved locally and remotely to support the distribution and actions\nWhat an intruder did once to access to the system, network, organization, or infrastructure was established: from passively collecting data, to actively scanning and transmitting data for exfiltration purposes, or collecting new action requests, updating itself or making a lateral movement inside a compromised (local) network\nWhat a user, user process, or user system did once the user account or user device was compromised\nWhat behavior characterizes the artefacts or compromised systems, either in standalone mode, in conjunction with artefacts or components, connected to a local network or the Internet, or in any combination\nHow the artefacts or compromised systems establish connectivity with the target (e.g., intrusion path, initial target, or detection evasion techniques);\nWhat communication architecture (peer-to-peer, command-and-control, both) has been utilized\nWhat were the actions of the threat actors, what is their network and systems footprint\nHow the intruders or artefacts evaded detection (even over long periods of time which may include reboot or reinitialization) This can be achieved through various types of activities including media or surface analysis\nreverse engineering\nruntime or dynamic analysis\ncomparative analysis Each activity provides additional information about the artefacts. 
Analysis methods include but are not limited to identification of type and characteristics of artefacts, comparison with known artefacts, observation of artefact execution in a runtime or a live environment, and disassembling and interpreting binary artefacts. In carrying out an analysis of the artefacts, an analyst attempts to reconstruct and determine what the intruder did, in order to detect the exploited vulnerability, assess damages, develop solutions to mitigate against the artefacts, and provide information to constituents and other researchers.", "meta": { - "outcome": "The nature of recovered digital artefacts and analyzed forensic evidence is understood along with the relationship to other artefacts, internal or external objects or components, attacks on frameworks, tools, and exploited vulnerabilities. Working assumptions or proof of what the threat actor did, and how the artefacts behaved. This knowledge is critical to assess losses, damages, business impacts, etc. and to develop containment and mitigation or recovery strategies. The tactics, techniques, and procedures used by attackers or intruders to compromise systems, users, networks, organizations and/or infrastructures is understood. This includes those tactics, techniques, and procedures used to propagate, exfiltrate, update, modify, or fake its behavior, data, auto-delete traces of its own activities, or carry out additional malicious activities. List of functions which are considered to be part of the implementation of this service: Media or surface analysis\nReverse engineering\nRuntime and/or dynamic analysis\nComparative analysis", + "outcome": "The nature of recovered digital artefacts and analyzed forensic evidence is understood along with the relationship to other artefacts, internal or external objects or components, attacks on frameworks, tools, and exploited vulnerabilities. Working assumptions or proof of what the threat actor did, and how the artefacts behaved. 
This knowledge is critical to assess losses, damages, business impacts, etc. and to develop containment and mitigation or recovery strategies. The tactics, techniques, and procedures used by attackers or intruders to compromise systems, users, networks, organizations and/or infrastructures is understood. This includes those tactics, techniques, and procedures used to propagate, exfiltrate, update, modify, or fake its behavior, data, auto-delete traces of its own activities, or carry out additional malicious activities.", "purpose": "Analyze and gain an understanding of artefacts related to a confirmed information security incident, taking into consideration the need to preserve forensic evidence." }, "related": [], 
@@ -64,7 +64,7 @@
 {
 "description": "Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned over into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed or new information becomes available that requires further analysis and henceforth may also change the response strategy and plan.",
 "meta": {
- "outcome": "The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. Data is restored in case of data loss, if possible. The following functions are considered to be part of the implementation of this service: Response plan established \nAd hoc measures and containment\nSystems restoration\nOther information security entities support In the case of a coordinating CSIRT, not all functions will be provided. While “supporting other information security entities” is an activity such teams provide, they sometimes also help with “establishing a response plan.”",
+ "outcome": "The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. Data is restored in case of data loss, if possible.",
 "purpose": "Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security."
 },
 "related": [],
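Review bot: The new `outcome` drops more than the function list: the removed text also carried the scoping caveat that a coordinating CSIRT does not provide all functions and sometimes only helps with establishing a response plan. That sentence is guidance rather than list residue, so unless it is preserved elsewhere in the file (not visible in this hunk) it should be kept, for example appended to this entry's `description`. The `@@ -92,9 +92,9 @@` hunk loses a similar sentence, the one stating that the discovery functions may be performed by researchers, vendors, PSIRTs or third-party specialists instead of the CSIRT.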
@@ -74,7 +74,7 @@ { "description": "Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, this requires suitable escalation and reporting functions established before any information security incident can be handled effectively and efficiently. As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, track their responses and make sure that all parties carrying out activities report back to provide for accurate situational awareness until the information security incident is considered closed and requiring no further coordination. Stakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support.", "meta": { - "outcome": "The response is successfully coordinated based on well-informed entities that contribute to the response to an information security incident. 
The following functions are considered to be part of the implementation of this service: Communication\nNotification distribution\nRelevant information distribution\nActivities coordination \nReporting\nMedia communication", + "outcome": "The response is successfully coordinated based on well-informed entities that contribute to the response to an information security incident.", "purpose": "Ensure timely notifications and accurate information distribution; keep the information flow and track the status of activities of entities that are either tasked or requested to participate in responding to the information security incident; and make sure the response plan is carried out and deviations caused by both delays or new information are managed accordingly." }, "related": [], 
@@ -84,7 +84,7 @@ { "description": "While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. But the response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As it is established in crisis management, a high-ranking role will take over the responsibility of a crisis, thereby changing the usual line of command for the duration of the emergency. As the systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations and provide valuable experience but also the established services and networks of points of contacts.", "meta": { - "outcome": "The crisis management team can use the CSIRT’s resources to address the cyber security aspects of the current crisis. At the same time, the CSIRT’s communication resources can be utilized to reach out to constituents and external parties to ask for specific support actions or help. It can also be used to communicate in a trusted way towards constituents, using established communication means and trusted networks. The following functions are considered to be part of the implementation of this service: Information distribution to constituents\nInformation security status reporting\nStrategic decisions communication", + "outcome": "The crisis management team can use the CSIRT’s resources to address the cyber security aspects of the current crisis. At the same time, the CSIRT’s communication resources can be utilized to reach out to constituents and external parties to ask for specific support actions or help. 
It can also be used to communicate in a trusted way towards constituents, using established communication means and trusted networks.", "purpose": "Provide expertise and contacts to other security experts, CSIRTs, and CSIRT communities in order to help mitigate the crisis." }, "related": [], 
@@ -92,9 +92,9 @@ "value": "Service: Crisis management support" }, { - "description": "Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists6), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.", + "description": "Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. 
Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.", "meta": { - "outcome": "This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT. The following functions are considered to be part of the implementation of this service: Incident response vulnerability discovery \nPublic source vulnerability discovery \nVulnerability research These functions may be services (or functions) performed by others (e.g., researchers, vendors, PSIRTs, or third-party specialists) instead of the CSIRT.", + "outcome": "This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT.", "purpose": "Find, learn of, or search for new (previously unknown) vulnerabilities; vulnerabilities can be discovered by members of the vulnerability management service area or through other related CSIRT activities" }, "related": [], 
@@ -104,7 +104,7 @@
 {
 "description": "One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. Supporting guidance should include reporting guidelines, contact information, and any disclosure policies. To enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report.",
 "meta": {
- "outcome": "The vulnerability report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Vulnerability report receipt\nVulnerability report triage and processing",
+ "outcome": "The vulnerability report is received with professional and consistent intake of each report as well as its initial validation and classification.",
 "purpose": "Receive and process vulnerability information reported from constituents or third parties."
 },
 "related": [],
@@ -112,9 +112,9 @@
 "value": "Service: Vulnerability report intake"
 },
 {
- "description": "The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD)7 process.",
+ "description": "The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD) process.",
 "meta": {
- "outcome": "Knowledge of the key details of a vulnerability (e.g., description, impact, resolution) is increased.\nThe following functions are considered to be part of the implementation of this service: Vulnerability triage (validation and categorization)\nVulnerability root cause analysis\nVulnerability remediation development",
+ "outcome": "Knowledge of the key details of a vulnerability (e.g., description, impact, resolution) is increased.",
 "purpose": "Analyze and gain understanding of a confirmed vulnerability."
 },
 "related": [],
@@ -124,7 +124,7 @@
 {
 "description": "The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSRITs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.",
 "meta": {
- "outcome": "Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely. The following functions are considered to be part of the implementation of this service: Vulnerability notification/reporting\nVulnerability stakeholder coordination",
+ "outcome": "Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely.",
 "purpose": "Exchange information and coordinate the activities with participants involved in a coordinated vulnerability disclosure (CVD) process."
 },
 "related": [],
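Review bot: The unchanged `description` of this entry still reads `PSRITs`, which looks like a typo for `PSIRTs`. If it is not a verbatim quirk of the upstream framework text, it is worth fixing in the same cleanup pass: `… affected vendors, developers, PSIRTs, or other trusted experts …`. Anyone searching the cluster for the PSIRT role would otherwise miss this entry.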
@@ -134,7 +134,7 @@
 {
 "description": "Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination.",
 "meta": {
- "outcome": "Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist. The following functions are considered to be part of the implementation of this service: Vulnerability disclosure policy and infrastructure maintenance\nVulnerability announcements/communication/dissemination\nPost-vulnerability disclosure feedback",
+ "outcome": "Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist.",
 "purpose": "Disseminate information about known vulnerabilities to constituents so that they can act upon that information to prevent, detect, and remediate/mitigate known vulnerabilities."
 },
 "related": [],
@@ -144,17 +144,17 @@ { "description": "The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies.", "meta": { - "outcome": "Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited. The following functions are considered to be part of the implementation of this service: Vulnerability detection / scanning\nVulnerability remediation This Vulnerability Response service and its related functions are usually performed by other specialized groups within an organization, typically not the CSIRT. This service is also unlikely to be provided by a Coordinating CSIRT.", + "outcome": "Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited.", "purpose": "Actively take information about known vulnerabilities and act upon that information to prevent, detect, and remediate/mitigate those vulnerabilities." }, "related": [], - "uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", - "value": "Service: Vulnerability response8" + "uuid": "8b6e3cc9-2f15-5502-9cbb-0a4c1aaf59d6", + "value": "Service: Vulnerability response" }, { "description": "Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. 
This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information.", "meta": { - "outcome": "The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities The following functions are considered to be part of the implementation of this service: Policy aggregation, distillation, and guidance\nAsset mappings of assets to functions, roles, actions, and key risks\nCollection\nData processing and preparation", + "outcome": "The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected 
future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities", "purpose": "Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture." }, "related": [], 
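Review bot: The `uuid` of this cluster changes from `7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5` to `8b6e3cc9-2f15-5502-9cbb-0a4c1aaf59d6` alongside the `value` typo fix, so anything that stored the old identifier will no longer resolve to this entry. Both values carry version digit 5, which suggests the UUID is derived from the name, presumably by the generator. If so, consider pinning the original UUID for this entry instead of regenerating it, or check that no `related` entry in this or another cluster file still carries the old one. The same hunk also drops the sentences saying this service is usually performed by groups other than the CSIRT and is unlikely to be provided by a Coordinating CSIRT. That is scope guidance rather than a function list, and nothing visible here shows it being moved into `description`.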
@@ -164,7 +164,7 @@ { "description": "The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency.", "meta": { - "outcome": "A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told. The following functions are considered to be part of the implementation of this service: Projection and inference\nEvent detection (through alerting and/or hunting)\nSituational impact", + "outcome": "A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. 
Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told.", "purpose": "Assess when the situation does not match with expectations (e.g., when specific assets may be about to experience a harmful event)." }, "related": [], @@ -174,7 +174,7 @@ { "description": "The knowledge obtained from situational awareness must be communicated to the constituency. This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers.", "meta": { - "outcome": "Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture. The following functions are considered to be part of the implementation of this service: Internal and external communication\nReporting and recommendations\nImplementation \nDissemination / integration / information sharing\nManagement of information sharing", + "outcome": "Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture.", "purpose": "Notify constituents or others in the security community about changes in risks to the situational picture." }, "related": [], 
@@ -184,7 +184,7 @@
 {
 "description": "This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats.",
 "meta": {
- "outcome": "The constituency is provided with the necessary awareness of: events, activities, and trends that may affect its ability to operate in a timely and secure manner\nsteps to take to detect, prevent and mitigate threats and malicious activity\nsecurity and operational best practices The following functions are considered to be part of the implementation of this service: Research and information aggregation\nReport and awareness materials development\nInformation dissemination\nOutreach",
+ "outcome": "The constituency is provided with the necessary awareness of: events, activities, and trends that may affect its ability to operate in a timely and secure manner\nsteps to take to detect, prevent and mitigate threats and malicious activity\nsecurity and operational best practices",
 "purpose": "Increase the overall security posture of the constituency and help its members to detect, prevent, and recover from incidents; ensure that constituents are better prepared and educated."
 },
 "related": [],
@@ -194,7 +194,7 @@ { "description": "A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can help maintain user awareness\nhelp the constituency understand the changing landscape and threats\nfacilitate information exchange between the CSIRT and its constituency\ntrain the constituency on tools, processes and procedures related to security and incident management. This can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities.", "meta": { - "outcome": "A consistent training and education program is provided that enables the CSIRTs’ constituency to appropriately acquire methods to detect, prevent or respond to threats\ntools and practices to help protect critical assets\nunderstanding about incident management processes and how to get assistance The following functions are considered to be part of the implementation of this service: Knowledge, skill, and ability requirements gathering \nEducational and training materials development\nContent delivery\nMentoring\nCSIRT staff professional development", + "outcome": "A consistent training and education program is provided that enables the CSIRTs’ constituency to appropriately acquire methods to detect, prevent or respond to threats\ntools and practices to help protect critical assets\nunderstanding about incident management processes and how to get assistance", "purpose": "Provide training and education to a CSIRT constituency (which may include organizational and CSIRT staff) on topics related to cybersecurity, information assurance and incident management." 
}, "related": [], 
@@ -204,7 +204,7 @@ { "description": "Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to test policies and procedures: assess whether there are sufficient policies and procedures in place to effectively detect, respond and mitigate incidents. This is, generally, a paper/table-top exercise.\ntest operational readiness: assess whether the organization has an incident management capability that is able to detect, respond to and mitigate incidents in a timely and successful manner, as well as to test whether the right people are in place, directories are up-to-date, and if procedures are executed correctly. This service addresses both the needs of the organization and the needs of its constituents. More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives: Demonstrate: Illustrate cybersecurity services and functions, as well as vulnerabilities, threats, and risks, in order to raise awareness.\nTrain: Instruct staff on new tools, techniques, and procedures:\n\nExercise: Provide an opportunity for staff to use tools, techniques, and procedures they are expected to be knowledgeable about. 
Exercising is necessary for perishable skills and helps improve and maintain efficiency.\nAssess: Analyze and understand the level of effectiveness and efficiency of cybersecurity services and functions, as well as the level of staff preparedness.\nVerify: Determine whether a specified level of effectiveness and/or efficiency can be achieved for cybersecurity services and functions.", "meta": { - "outcome": "The effectiveness and efficiency of cybersecurity services and functions is improved and opportunities for further improvements are identified. Depending on the specific objective(s) of an exercise, cybersecurity may also be demonstrated to internal or external stakeholders, staff can be trained, and the efficiency and effectiveness of tools, services, and functions can be assessed and/or verified. Lessons for improving future exercises can also be identified and a report delivered to management or other key stakeholders. The following functions are considered to be part of the implementation of this service: Requirements analysis\nFormat and environment development\nScenario development\nExercises execution\nExercise outcome review", + "outcome": "The effectiveness and efficiency of cybersecurity services and functions is improved and opportunities for further improvements are identified. Depending on the specific objective(s) of an exercise, cybersecurity may also be demonstrated to internal or external stakeholders, staff can be trained, and the efficiency and effectiveness of tools, services, and functions can be assessed and/or verified. Lessons for improving future exercises can also be identified and a report delivered to management or other key stakeholders.", "purpose": "Conduct exercises to assess and improve the effectiveness and efficiency of cybersecurity services and functions." }, "related": [], 
@@ -214,7 +214,7 @@
 {
 "description": "Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT.",
 "meta": {
- "outcome": "A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate. The following functions are considered to be part of the implementation of this service: Risk management support\nBusiness continuity and disaster recovery planning support\nPolicy support\nTechnical advice",
+ "outcome": "A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate.",
 "purpose": "Ensure the constituency’s policies and procedures include appropriate incident management considerations and, ultimately, enable the constituency to better manage risks and threats, as well as enabling the CSIRT to be more effective."
 },
 "related": [],
@@ -254,7 +254,7 @@ { "description": "The various contextual data sources that are involved in detection and enrichment need to be managed throughout their lifecycle. These can be live APIs to or exports from other IT systems such as a Configuration Management Database (CMDB), Identity and Access Management (IAM), or Threat Intel systems, or entirely separate data sets that need to be managed manually. The latter would be the case for indicator lists, watchlists and whitelists to suppress false positives.", "meta": { - "outcome": "Up to date contextual data is available for both detection and enrichment. 5.2 Service: Event analysis Purpose: Triage detected potential information security incidents and their qualification as information security incidents for escalation to the Information Security Incident Management service area or as false alarms. Description: The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues. Outcome: Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement. 
The following functions are considered to be part of the implementation of this service: Correlation\nQualification", + "outcome": "Up to date contextual data is available for both detection and enrichment.", "purpose": "Manage of contextual data sources for detection and enrichment." }, "related": [ 
@@ -284,7 +284,7 @@ { "description": "Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.", "meta": { - "outcome": "Qualified potential information security incidents are available for handling as part of the Information Security Incident Management service area. 6 Service Area: Information Security Incident Management This service area is at the heart of any CSIRT and consists of services that are vital in helping constituents during an attack or incident. CSIRTs must be prepared to help and support. Through this unique position and expertise, they are able to not only collect and evaluate information security incident reports, but also to analyze relevant data and perform detailed technical analysis of the incident itself and any artefacts used. From this analysis, mitigation and steps to recover from the incident can be recommended, and constituents will be supported in applying the recommendations. 
This also requires a coordination effort with external entities such as peer CSIRTs or security experts, vendors, or PSIRTs to address all aspects and reduce the number of successful attacks later on. The special expertise CSIRTs can provide is also critical in addressing (information security) crises. While in many instances a CSIRT will not handle the crisis management, it can support any such activity. Making its contacts available, for example, can greatly improve the application of required mitigation steps or better protection mechanisms. Applying the knowledge and the available infrastructure to support its constituency is key to improving overall information security incident management. The following services are considered as potential offerings of this service area: Information security incident report acceptance\nInformation security incidents analysis\nArtefact and forensic evidence analysis\nMitigation and recovery\nInformation security incident coordination\nCrisis management support 6.1 Service: Information security incident report acceptance Purpose: Receive and process reports of potential information security incidents from constituents, from Information Security Event Management services or third parties. Description: For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. 
Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.5 Outcome: The information security incident report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Information Security Incident Report Receipt\nInformation Security Incident Triage and Processing", + "outcome": "Qualified potential information security incidents are available for handling as part of the Information Security Incident Management service area.", "purpose": "Triage and qualify detected potential information security incidents in order to identify, categorize, and prioritize true positives." }, "related": [ 
@@ -314,7 +314,7 @@ { "description": "Information Security Incident Reports are reviewed and triaged to obtain an initial understanding of the information security incident in question. It is of particular importance whether it has a real information security impact on the target and can result (or has already resulted) in damage to the confidentiality, availability, integrity, and/or authenticity of information assets or other assets. Depending on the amount of detail and quality of the information provided in the initial report, it may or not be obvious whether a real information security incident has occurred or if there is a different reason—such as misconfiguration or hardware failure. The next step will be determined on the basis of the preliminary assessment (e.g., process the report for further analysis; seek additional information from the reporter or other sources; decide that the report needs no further action or is a false alarm). It is possible that attacks may originate from within the constituency of a CSIRT, may target this constituency, or the constituency is affected by collateral effects only. If the CSIRT does not provide Information Security Management services for the identified targets, then the report should be forwarded securely to an external group for handling, such as the affected organization(s) or CSIRT(s). Unless there is a reason to decline an information security incident report or the report has been forwarded to another entity responsible for its handling, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling.", "meta": { - "outcome": "It can be determined if a reported matter is indeed an information security incident that needs to be handled by the CSIRT or passed on to a relevant entity. 
The following sub-functions are considered to be part of the implementation of this service: Processing reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means\nUpdating acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available\nMerging new information about already handled information security incidents to the available data to allow a consistent analysis and processing 6.2 Service: Information security incident analysis Purpose: Analyze and gain an understanding of a confirmed information security incident. Description: This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit. Detailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken. The CSIRT may use other information and its own analysis (see below for some options) or knowledge available from vendors and product security teams or security researchers to better understand what has happened and what steps to take to remedy losses or damage. Outcome: Knowledge is increased of the key details of an information security incident (e.g., description, impact, scope, attacks/exploits, and remedies). 
The following functions are considered to be part of the implementation of this service: Information security incident triage (prioritization and categorization)\nInformation collection\nDetailed analysis coordination\nInformation security incident root cause analysis\nCross-incident correlation", + "outcome": "It can be determined if a reported matter is indeed an information security incident that needs to be handled by the CSIRT or passed on to a relevant entity. The following sub-functions are considered to be part of the implementation of this service: Processing reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means\nUpdating acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available\nMerging new information about already handled information security incidents to the available data to allow a consistent analysis and processing", "purpose": "Initially review, categorize, prioritize, and process a reported information security incident." }, "related": [ 
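Review bot: The new `outcome` in this hunk still ends with "The following sub-functions are considered to be part of the implementation of this service: …" and its three-item list. The other hunks visible here cut `outcome` before the equivalent "The following functions are considered…" sentence. If the clean-up keys on that literal phrase, the "sub-functions" wording probably slipped past it, and ending the value at `…passed on to a relevant entity.` would make this entry consistent with the rest. If the list is kept on purpose, say so in the commit message. Its first item, processing submitted artefacts in isolation to protect the CSIRT's working environment, is handling guidance a reader would look for under `description`, not `outcome`.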
@@ -389,7 +389,7 @@ { "description": "This function involves the correlation of available information about multiple information security incidents to determine interrelations, trends, or applicable mitigations from already closed information security incidents to improve the response to currently handled information security incidents.", "meta": { - "outcome": "The bigger picture is understood in terms of situational awareness based on a detailed knowledge about similarities and confirmed or suspected interrelationships of otherwise independent information security incidents. 6.3 Service: Artifact and forensic evidence analysis Purpose: Analyze and gain an understanding of artefacts related to a confirmed information security incident, taking into consideration the need to preserve forensic evidence. Description: The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, applications codes, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply. Even without preserving a chain-of-custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments--with or without external accesses from standard wired or wireless networks (such as performing the forensics activities in a sealed or Faraday room), logging of activities, and compliance with procedures. 
As part of the handling of information security incidents, digital artefacts may be found on affected systems or malware distribution sites. Artefacts may be the remnants of an intruder attack, such as executables, scripts, files, images, configuration files, tools, tool outputs, logs, live or dormant pieces of code, etc. The analysis is carried out in order to find out some or all of the information listed below, which is not considered to be a complete list: The context required of the artefact to run and to perform its intended tasks, whether malicious or not\nHow the artefacts may have been utilized for the attack: uploaded, downloaded, copied, executed, or created within an organization’s environments or components\nWhich systems have been involved locally and remotely to support the distribution and actions\nWhat an intruder did once to access to the system, network, organization, or infrastructure was established: from passively collecting data, to actively scanning and transmitting data for exfiltration purposes, or collecting new action requests, updating itself or making a lateral movement inside a compromised (local) network\nWhat a user, user process, or user system did once the user account or user device was compromised\nWhat behavior characterizes the artefacts or compromised systems, either in standalone mode, in conjunction with artefacts or components, connected to a local network or the Internet, or in any combination\nHow the artefacts or compromised systems establish connectivity with the target (e.g., intrusion path, initial target, or detection evasion techniques);\nWhat communication architecture (peer-to-peer, command-and-control, both) has been utilized\nWhat were the actions of the threat actors, what is their network and systems footprint\nHow the intruders or artefacts evaded detection (even over long periods of time which may include reboot or reinitialization) This can be achieved through various types of activities including media or 
surface analysis\nreverse engineering\nruntime or dynamic analysis\ncomparative analysis Each activity provides additional information about the artefacts. Analysis methods include but are not limited to identification of type and characteristics of artefacts, comparison with known artefacts, observation of artefact execution in a runtime or a live environment, and disassembling and interpreting binary artefacts. In carrying out an analysis of the artefacts, an analyst attempts to reconstruct and determine what the intruder did, in order to detect the exploited vulnerability, assess damages, develop solutions to mitigate against the artefacts, and provide information to constituents and other researchers. Outcome: The nature of recovered digital artefacts and analyzed forensic evidence is understood along with the relationship to other artefacts, internal or external objects or components, attacks on frameworks, tools, and exploited vulnerabilities. Working assumptions or proof of what the threat actor did, and how the artefacts behaved. This knowledge is critical to assess losses, damages, business impacts, etc. and to develop containment and mitigation or recovery strategies. The tactics, techniques, and procedures used by attackers or intruders to compromise systems, users, networks, organizations and/or infrastructures is understood. This includes those tactics, techniques, and procedures used to propagate, exfiltrate, update, modify, or fake its behavior, data, auto-delete traces of its own activities, or carry out additional malicious activities. 
List of functions which are considered to be part of the implementation of this service: Media or surface analysis\nReverse engineering\nRuntime and/or dynamic analysis\nComparative analysis", + "outcome": "The bigger picture is understood in terms of situational awareness based on a detailed knowledge about similarities and confirmed or suspected interrelationships of otherwise independent information security incidents.", "purpose": "Enable the usage of all available information to get the best understanding of the context and detect interrelationships that otherwise would not have been recognized or acted upon." }, "related": [ 
@@ -449,7 +449,7 @@ { "description": "This function involves exploring an artefact’s relationship to other artefacts. This may identify similarities in code or modus operandi, targets, intent, and authors. Such similarities can be used to derive the scope of an attack (e.g., is there a larger target, has similar code been used before). Comparative analysis techniques can include exact match comparisons or code similarity comparisons. Comparative analysis provides a broader view of how the artefact or similar versions of it were used and changed over time, helping to understand the evaluation of malware or other malicious types of artefacts.", "meta": { - "outcome": "Any commonalities or relationships to other artefacts are derived in order to identify trends or similarities that may provide additional insights or understanding of a digital artefact’s functionality, impact, and mitigation. The following sub-functions are considered to be part of the implementation of this function: Defining a baseline of characteristics and observed behaviors\nSearching for the same or similar characteristics in available repositories/knowledge bases\nUpdating available repositories/knowledge bases regarding newly observed or previously unknown symptoms, behaviors, and/or signatures which can be used to further categorize the researched artefact. 6.4 Service: Mitigation and recovery Purpose: Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security. Description: Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned over into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. 
This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed or new information becomes available that requires further analysis and henceforth may also change the response strategy and plan. Outcome: The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. Data is restored in case of data loss, if possible. The following functions are considered to be part of the implementation of this service: Response plan established \nAd hoc measures and containment\nSystems restoration\nOther information security entities support In the case of a coordinating CSIRT, not all functions will be provided. While “supporting other information security entities” is an activity such teams provide, they sometimes also help with “establishing a response plan.”", + "outcome": "Any commonalities or relationships to other artefacts are derived in order to identify trends or similarities that may provide additional insights or understanding of a digital artefact’s functionality, impact, and mitigation. The following sub-functions are considered to be part of the implementation of this function: Defining a baseline of characteristics and observed behaviors\nSearching for the same or similar characteristics in available repositories/knowledge bases\nUpdating available repositories/knowledge bases regarding newly observed or previously unknown symptoms, behaviors, and/or signatures which can be used to further categorize the researched artefact.", "purpose": "Perform an analysis focused on identifying common functionality or intent, including family analysis of catalogued artefacts." }, "related": [ 
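Review bot: The new `outcome` value in this hunk still ends with a free-text sub-function list ("The following sub-functions are considered to be part of the implementation of this function: Defining a baseline of characteristics…"), while the service-level "The following functions…" lists are stripped from other entries in the same commit, for example in the @@ -509 hunk. The same leftover appears in the new `outcome` of the @@ -719, @@ -764 and @@ -794 hunks, and in @@ -764 the last list item runs straight into the next sentence (`Vulnerability mitigation development This function is typically performed by other entities`) with no `\n` or full stop between them. If the sub-functions are kept on purpose because they have no cluster entries of their own, a separate list-valued key under `meta` would keep `outcome` to the outcome statement and let tooling that maps CSIRT services read the list without parsing prose; otherwise trim them the same way as the function lists. The enclosing JSON object starts and ends outside the hunk.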
@@ -509,7 +509,7 @@ { "description": "A CSIRT may provide direct (onsite) assistance to help the constituents to recover from losses and to remove vulnerabilities. This might be a direct extension of offering analysis services on-site (see above). On the other hand, a CSIRT might choose to support the staff of the constituents responding to the information security incident with more detailed explanations, recommendations, etc.", "meta": { - "outcome": "Response of the constituents is improved and recovery is faster. By adding to the available body of knowledge the future effectiveness and efficiency of related activities may be strengthened. In addition, it helps to support those entities inside the constituency that are lacking detailed technical knowledge to carry out the necessary action to respond. 6.5 Service: Information security incident coordination Purpose: Ensure timely notifications and accurate information distribution; keep the information flow and track the status of activities of entities that are either tasked or requested to participate in responding to the information security incident; and make sure the response plan is carried out and deviations caused by both delays or new information are managed accordingly. Description: Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, this requires suitable escalation and reporting functions established before any information security incident can be handled effectively and efficiently. 
As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, track their responses and make sure that all parties carrying out activities report back to provide for accurate situational awareness until the information security incident is considered closed and requiring no further coordination. Stakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support. Outcome: The response is successfully coordinated based on well-informed entities that contribute to the response to an information security incident. The following functions are considered to be part of the implementation of this service: Communication\nNotification distribution\nRelevant information distribution\nActivities coordination \nReporting\nMedia communication", + "outcome": "Response of the constituents is improved and recovery is faster. By adding to the available body of knowledge the future effectiveness and efficiency of related activities may be strengthened. In addition, it helps to support those entities inside the constituency that are lacking detailed technical knowledge to carry out the necessary action to respond.", "purpose": "Enable the constituents to perform the required management and technical activities in order to successfully mitigate an information security incident and recover from it." }, "related": [ 
@@ -599,7 +599,7 @@ { "description": "Communicating with the media is unavailable in many cases. While CSIRTs usually try to avoid such contact, it is important to realize that the media can help to mitigate specific types of ongoing and large-scale attacks causing information security incidents. For this it is necessary to explain what is causing the information security incidents and explain the impact on users and/or organizations. In some cases, a CSIRT might choose to provide this information already in a manner suitable for release to the public, but this certainly requires specific skills inside the CSIRT not readily available in most. In any case, if a CSIRT communicates with the media, it must take great care to simplify the technical issues as much as possible and leave out all confidential information.", "meta": { - "outcome": "Factual information providing a clear summary of the ongoing information security incident is developed including steps to be taken by potential victims or outlining the chosen response strategy to recover from the information security incident. 6.6 Service: Crisis management support Purpose: Provide expertise and contacts to other security experts, CSIRTs, and CSIRT communities in order to help mitigate the crisis. Description: While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. But the response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As it is established in crisis management, a high-ranking role will take over the responsibility of a crisis, thereby changing the usual line of command for the duration of the emergency. 
As the systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations and provide valuable experience but also the established services and networks of points of contacts. Outcome: The crisis management team can use the CSIRT’s resources to address the cyber security aspects of the current crisis. At the same time, the CSIRT’s communication resources can be utilized to reach out to constituents and external parties to ask for specific support actions or help. It can also be used to communicate in a trusted way towards constituents, using established communication means and trusted networks. The following functions are considered to be part of the implementation of this service: Information distribution to constituents\nInformation security status reporting\nStrategic decisions communication", + "outcome": "Factual information providing a clear summary of the ongoing information security incident is developed including steps to be taken by potential victims or outlining the chosen response strategy to recover from the information security incident.", "purpose": "Engage with the (public) media to be able to provide accurate and easy-to-understand factual information about ongoing events to avoid the spread of rumors and misleading information." }, "related": [ 
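Review bot: The unchanged `description` in this hunk opens with "Communicating with the media is unavailable in many cases", which reads as a typo for `unavoidable`, since the rest of the paragraph explains how a CSIRT should handle media contact. As this commit already cleans up the entry's text, the opening could be corrected here to `Communicating with the media is unavoidable in many cases.`. Similar slips sit in context lines of other hunks: "the coordinate vulnerability disclosure (CVD) efforts" and "PSIRTS" in @@ -794, and "the evaluation of malware" in @@ -449, which is probably meant to be "evolution". These are inferred from the surrounding wording, so they should be confirmed against the published framework text before being changed.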
@@ -644,7 +644,7 @@ { "description": "Informing other entities in a timely manner about the impact caused by the crisis on currently open information security incidents provides a clear understanding of what support can also be provided by the CSIRT during the duration of the crisis, and makes sure that entities understand what to expect. It also makes sure that other parties stop their support or interaction with the CSIRT as they might believe that the crisis is taking over. As the crisis management team may decide to postpone the response to an actual information security incident due to a crisis, such decisions need to be communicated to all entities currently informed and participating. This is to avoid misunderstandings and further issues that may also lead to a loss of trust in the CSIRT and/or host organization.", "meta": { - "outcome": "Information of the crisis impact on the CSIRT operation is distributed to constituents and other entities involved with responding to open information security incidents. The expectations of the CSIRT towards such entities are clearly described and ensure that the information needs of the CSIRT are clearly communicated. 7 Service Area: Vulnerability Management The Vulnerability Management Service Area includes services related to the discovery, analysis, and handling of new or reported security vulnerabilities in information systems. The Vulnerability Management Service Area also includes services related to the detection of and response to known vulnerabilities in order to prevent them from being exploited. Therefore, this service area encompasses services related to both new and known vulnerabilities. 
Although the term “vulnerability management” is sometimes used to refer to the process of simply preventing known vulnerabilities from being exploited (e.g., “scan and patch”), in this CSIRT Services Framework, those activities are considered as functions and sub-functions under a service called Vulnerability Response, which is just one possible service that a CSIRT might provide. For many CSIRTs, those vulnerability response functions are the responsibility of other roles that scan for and remediate security vulnerabilities. The following services are considered offerings of this service area: Vulnerability discovery / research\nVulnerability report intake\nVulnerability analysis\nVulnerability coordination\nVulnerability disclosure\nVulnerability response Few CSIRTs will provide all of these services, but instead will provide only those services in their realm of responsibility. For example, a CSIRT may limit its services to learning of a new vulnerability from public sources (Vulnerability Discovery/Research) or from third parties (Vulnerability Report Intake) and then issue a security advisory to its constituents (Vulnerability Disclosure) when needed, without necessarily participating in any coordination efforts with product vendors or others who develop a solution (Vulnerability Coordination), or being involved in directly deploying a fix (Vulnerability Response). 7.1 Service: Vulnerability discovery / research Purpose: Find, learn of, or search for new (previously unknown) vulnerabilities; vulnerabilities can be discovered by members of the vulnerability management service area or through other related CSIRT activities Description: Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. 
Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists6), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability. Outcome: This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT. The following functions are considered to be part of the implementation of this service: Incident response vulnerability discovery \nPublic source vulnerability discovery \nVulnerability research These functions may be services (or functions) performed by others (e.g., researchers, vendors, PSIRTs, or third-party specialists) instead of the CSIRT.", + "outcome": "Information of the crisis impact on the CSIRT operation is distributed to constituents and other entities involved with responding to open information security incidents. The expectations of the CSIRT towards such entities are clearly described and ensure that the information needs of the CSIRT are clearly communicated.", "purpose": "Inform other entities in a timely manner about the impact caused by the crisis on currently open information security incidents." }, "related": [ 
@@ -689,7 +689,7 @@ { "description": "This function includes the discovery of new vulnerabilities as a result of specific CSIRT activities, such as the testing of systems or software using fuzz testing (fuzzing), or through the reverse engineering of malware. This function may also receive input from the service(s) of the Information Security Incident Management service area or the Situational Awareness service area that would initiate this function to look for suspected vulnerabilities. The discovery of a new vulnerability as a result of this vulnerability research function may become input to the Incident Response service, Vulnerability Detection function (see sub-functions for Vulnerability Scanning and Vulnerability Penetration Testing).", "meta": { - "outcome": "New vulnerabilities are identified through research. 7.2 Service: Vulnerability report intake Purpose: Receive and process vulnerability information reported from constituents or third parties. Description: One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. Supporting guidance should include reporting guidelines, contact information, and any disclosure policies. To enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. 
Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report. Outcome: The vulnerability report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Vulnerability report receipt\nVulnerability report triage and processing", + "outcome": "New vulnerabilities are identified through research.", "purpose": "Discover or search for new vulnerabilities as a result of deliberate activities or research." }, "related": [ 
@@ -719,7 +719,7 @@ { "description": "Vulnerability Reports are reviewed and triaged to obtain an initial understanding of the vulnerability in question and determine what to do next (e.g., process the vulnerability for further analysis, seek additional information from the reporter or other sources, decide that the vulnerability needs no further action). Depending on the amount of detail and quality of the information provided in the vulnerability report, it may or not be obvious whether a new vulnerability exists. Unless there is a reason to decline a vulnerability report, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling. If the CSIRT does not provide a Vulnerability Analysis service, then the report should be securely forwarded to an external group for handling, such as the affected vendor(s), PSIRT(s), or a vulnerability coordinator.", "meta": { - "outcome": "Available information is identified to determine what to do next. The following sub-functions are considered to be part of the implementation of this service: Process reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means.\nUpdate acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available.\nMerge new information about a vulnerability already being handled with the available data to allow consistent analysis and processing. 7.3 Service: Vulnerability analysis Purpose: Analyze and gain understanding of a confirmed vulnerability. 
Description: The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD)7 process. Outcome: Knowledge of the key details of a vulnerability (e.g., description, impact, resolution) is increased.\nThe following functions are considered to be part of the implementation of this service: Vulnerability triage (validation and categorization)\nVulnerability root cause analysis\nVulnerability remediation development", + "outcome": "Available information is identified to determine what to do next. The following sub-functions are considered to be part of the implementation of this service: Process reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means.\nUpdate acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available.\nMerge new information about a vulnerability already being handled with the available data to allow consistent analysis and processing.", "purpose": "Initially review, categorize, prioritize, and process a vulnerability report." }, "related": [ 
@@ -764,7 +764,7 @@ { "description": "This function will ideally identify a remediation or a fix for a vulnerability. If a vendor patch or fix is not available in a timely manner, a temporary solution or workaround, called a mitigation, may be recommended, such as disabling the affected software or making configuration changes, to minimize the potential negative effects of the vulnerability. Note that the actual application or deployment of a remediation (patch) or mitigation (workaround) is a function of a separate service, called Vulnerability Response in this framework. As part of the Vulnerability Analysis service and Remediation Development, this function may optionally include other sub-functions or activities, such as validating the changing of a procedure or design, reviewing remediation by a third party, or identifying any new vulnerabilities introduced in the remediation steps. Vulnerabilities that are not remediated or mitigated should be documented as acceptable risks. This function will often receive information or input from the affected product’s vendor(s), sometimes as part of the initial report or announcement handled by other services or functions.", "meta": { - "outcome": "A plan is established to change (patch) the software code, implement a workaround, or to improve processes, infrastructures, and/or designs to close the specific attack vector and to prevent the vulnerability from being exploited.\nThe following sub-functions are considered to be part of this function: Vulnerability remediation/patch development\nVulnerability mitigation development This function is typically performed by other entities (e.g., product vendors, PSIRTs). 7.4 Service: Vulnerability coordination Purpose: Exchange information and coordinate the activities with participants involved in a coordinated vulnerability disclosure (CVD) process. 
Description: The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSRITs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability. Outcome: Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely. The following functions are considered to be part of the implementation of this service: Vulnerability notification/reporting\nVulnerability stakeholder coordination", + "outcome": "A plan is established to change (patch) the software code, implement a workaround, or to improve processes, infrastructures, and/or designs to close the specific attack vector and to prevent the vulnerability from being exploited.\nThe following sub-functions are considered to be part of this function: Vulnerability remediation/patch development\nVulnerability mitigation development This function is typically performed by other entities (e.g., product vendors, PSIRTs).", "purpose": "Develop the steps necessary to fix (remediate) the underlying vulnerability or mitigate (reduce) the effects of the vulnerability from being exploited." }, "related": [ 
@@ -794,7 +794,7 @@ { "description": "Coordinate the exchange of information among the finders/researchers, vendors, PSIRTS, and any other participants in the coordinate vulnerability disclosure (CVD) efforts to analyze and fix the vulnerability and prepare for the disclosure of the vulnerability. This coordination should also include agreement by participants on the timing and synchronization of the disclosure.", "meta": { - "outcome": "Vulnerability information is more effectively, timely, and responsibly shared among participants who can develop or announce a remediation/mitigation solution. The following sub-functions are considered to be part of this function: Vulnerability publication development 7.5 Service: Vulnerability disclosure Purpose: Disseminate information about known vulnerabilities to constituents so that they can act upon that information to prevent, detect, and remediate/mitigate known vulnerabilities. Description: Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination. Outcome: Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist. The following functions are considered to be part of the implementation of this service: Vulnerability disclosure policy and infrastructure maintenance\nVulnerability announcements/communication/dissemination\nPost-vulnerability disclosure feedback", + "outcome": "Vulnerability information is more effectively, timely, and responsibly shared among participants who can develop or announce a remediation/mitigation solution. 
The following sub-functions are considered to be part of this function: Vulnerability publication development", "purpose": "Conduct follow-on coordination and sharing of information among the various stakeholders and participants involved in coordinated vulnerability disclosure (CVD) efforts." }, "related": [ 
@@ -839,7 +839,7 @@ { "description": "Following the disclosure of a new vulnerability, CSIRTs can expect to receive follow-on communications in the form of questions from some constituents about a vulnerability document. The questions may indicate a need for clarification, revision, or amendment of the vulnerability disclosure mechanism, if warranted. Information from constituents may simply be an acknowledgement or receipt of the vulnerability document, or the constituent may report an issue or difficulty in deploying the suggested remediation/mitigation. If the vulnerability was determined to have been already exploited, constituents may be reporting newly discovered incidents as a result of the vulnerability disclosure. Such reports should feed into the functions of the CSIRT’s Incident Reporting service.", "meta": { - "outcome": "Any questions or requests for assistance are responded to in a timely manner following a vulnerability disclosure. 7.6 Service: Vulnerability response8 Purpose: Actively take information about known vulnerabilities and act upon that information to prevent, detect, and remediate/mitigate those vulnerabilities. Description: The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies. Outcome: Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited. 
The following functions are considered to be part of the implementation of this service: Vulnerability detection / scanning\nVulnerability remediation This Vulnerability Response service and its related functions are usually performed by other specialized groups within an organization, typically not the CSIRT. This service is also unlikely to be provided by a Coordinating CSIRT.", + "outcome": "Any questions or requests for assistance are responded to in a timely manner following a vulnerability disclosure.", "purpose": "Receive and respond to questions or reports from constituents about a vulnerability disclosure or document." }, "related": [ 
@@ -854,12 +854,12 @@ { "description": "The goal of this function is to detect any previously unpatched or unmitigated vulnerabilities before they are exploited or impact the network or devices. This function may be initiated in response to an announcement about a new vulnerability, or it may be achieved as part of a periodically scheduled scan for known vulnerabilities. In order to provide vulnerability detection effectively, it is useful to have a systems inventory. Having such an inventory that can be queried for software version information can enable an organization to quickly assess the likely prevalence of a newly reported vulnerability in its infrastructure.", "meta": { - "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT. 8 Service Area: Situational Awareness Situational Awareness comprises the ability to identify, process, comprehend, and communicate the critical elements of what is happening in and around the CSIRT’s area of responsibility that may affect the operation or mission of its constituency. Situational awareness includes being aware of the current state, and identifying or anticipating potential changes to that state. This service area includes determining how to gather relevant information from different areas, how to integrate that information, and how to disseminate it in a timely manner to help constituents make more informed decisions. Some organizations may establish a separate team to provide Situational Awareness, but for others, the CSIRT team provides this function based on its visibility, understanding of context, technical capabilities, access to assets, external connections, and mission to prevent incidents. 
Situational awareness is not solely focused on responding to incidents, it is a service that ensures that data, analysis, and actions are available to other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also ensures that information coming from those other services areas is properly integrated together and delivered back to appropriate constituents in a timely manner. The following services are offerings of this service area: Data acquisition\nAnalysis and synthesis\nCommunication 8.1 Service: Data acquisition Purpose: Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture. Description: Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information. 
Outcome: The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities The following functions are considered to be part of the implementation of this service: Policy aggregation, distillation, and guidance\nAsset mappings of assets to functions, roles, actions, and key risks\nCollection\nData processing and preparation", + "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT.", "purpose": "Actively engage in searching for the presence of known vulnerabilities in deployed systems." }, "related": [ { - "dest-uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", + "dest-uuid": "8b6e3cc9-2f15-5502-9cbb-0a4c1aaf59d6", "type": "part-of" } ], 
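Review bot: The new `outcome` in this hunk still describes remediation, although the entry's `description` and `purpose` are about detecting and scanning for known vulnerabilities: it reads "Exposure to the threat of a vulnerability being exploited is prevented or reduced" and lists the sub-functions "Vulnerability remediation (patch management)" and "Vulnerability mitigation". The same string is added unchanged in the next hunk (`@@ -869,12 +869,12 @@`), whose description is the remediation function, so the trim appears to have kept a neighbouring function's outcome here. Anyone mapping scanning or detection work to this entry would then report a remediation outcome for it. I would replace the line with the detection function's own outcome from the framework text, `"outcome": "<outcome of the vulnerability detection function, taken from the framework document>",`. The entry's `value` and `uuid` lie outside the hunk, so which entry this is rests on the visible description and purpose.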
@@ -869,12 +869,12 @@ { "description": "Vulnerability remediation is intended to resolve or eliminate a vulnerability. For software vulnerabilities, this typically occurs through the deployment and installation of vendor-provided solutions in the form of software updates or patches. When approved patches are unavailable or cannot be deployed, an alternative mitigation or workaround may be applied as a countermeasure to prevent exploitation of the vulnerability. This function often follows a positive identification of a vulnerability as the result of the Vulnerability Detection/Scanning/Hunting function.", "meta": { - "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT. 8 Service Area: Situational Awareness Situational Awareness comprises the ability to identify, process, comprehend, and communicate the critical elements of what is happening in and around the CSIRT’s area of responsibility that may affect the operation or mission of its constituency. Situational awareness includes being aware of the current state, and identifying or anticipating potential changes to that state. This service area includes determining how to gather relevant information from different areas, how to integrate that information, and how to disseminate it in a timely manner to help constituents make more informed decisions. Some organizations may establish a separate team to provide Situational Awareness, but for others, the CSIRT team provides this function based on its visibility, understanding of context, technical capabilities, access to assets, external connections, and mission to prevent incidents. 
Situational awareness is not solely focused on responding to incidents, it is a service that ensures that data, analysis, and actions are available to other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also ensures that information coming from those other services areas is properly integrated together and delivered back to appropriate constituents in a timely manner. The following services are offerings of this service area: Data acquisition\nAnalysis and synthesis\nCommunication 8.1 Service: Data acquisition Purpose: Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture. Description: Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information. 
Outcome: The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities The following functions are considered to be part of the implementation of this service: Policy aggregation, distillation, and guidance\nAsset mappings of assets to functions, roles, actions, and key risks\nCollection\nData processing and preparation", + "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT.", "purpose": "Remediate or mitigate vulnerabilities to prevent them from being exploited, typically through the timely application of vendor-provided patches or other solutions." }, "related": [ { - "dest-uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", + "dest-uuid": "8b6e3cc9-2f15-5502-9cbb-0a4c1aaf59d6", "type": "part-of" } ], 
@@ -929,7 +929,7 @@ { "description": "Data processing and preparation includes transformation, processing, normalization, and validation of a set of data. Sources of cybersecurity data need to be validated for accuracy often due to a high number of false positives. The relevant data also typically comes in different formats, and new data needs to be combined with historical data before a complete analysis can be performed. Some types of data (such as news articles) may need to be analyzed or processed as part of the preparation process. One example would be extracting relevant security information from a news article (e.g., names, dates, places, technical information, weaknesses, system names) and comparing it with internal data for potential impacts. Some analysis methods require data to be stored in the same format, or for files to have the same number of records. There are multiple processing steps that may be involved to prepare the data. Data augmentation (also called enrichment) is performed by including other available information related to a given piece of data from other internal and external sources. For example, teams may collect information related to internet protocol addresses (IP addresses) such as autonomous system identifiers, country codes, or geo-location data. For internal asset information, teams may enrich their asset inventory data with the name of the asset owner, their role, their permissions on other assets, their physical working location over time, and more.", "meta": { - "outcome": "Data is available and ready to be used by other services or functions. 8.2 Service: Analysis and synthesis Purpose: Assess when the situation does not match with expectations (e.g., when specific assets may be about to experience a harmful event). 
Description: The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency. Outcome: A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told. The following functions are considered to be part of the implementation of this service: Projection and inference\nEvent detection (through alerting and/or hunting)\nSituational impact", + "outcome": "Data is available and ready to be used by other services or functions.", "purpose": "Establish a reliable, consistent, and current set of data that can support CSIRT activities and the requirements of the analysis service." }, "related": [ 
@@ -989,7 +989,7 @@
 {
 "description": "This function identifies the impact a projection or inference may have upon a current or near-term future situation. An impact may include raising or lowering certain risks such as data loss, system downtime, or effects on data confidentiality/availability/integrity.",
 "meta": {
- "outcome": "An analysis is produced of the likely possible impact that an inference or projection may have upon a situation. 8.3 Service: Communication Purpose: Notify constituents or others in the security community about changes in risks to the situational picture. Description: The knowledge obtained from situational awareness must be communicated to the constituency. This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers. Outcome: Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture. The following functions are considered to be part of the implementation of this service: Internal and external communication\nReporting and recommendations\nImplementation \nDissemination / integration / information sharing\nManagement of information sharing",
+ "outcome": "An analysis is produced of the likely possible impact that an inference or projection may have upon a situation.",
 "purpose": "Determine the expected potential impact of a given observation or possible observation to a situational picture."
 },
 "related": [
@@ -1079,7 +1079,7 @@ { "description": "This function involves providing and receiving feedback on information provided, received, and used by the constituency, other service providers or other stakeholders. Was the information received accurate, applicable, timely, strategic, new/novel, etc.? Was it helpful in resolving an investigation? Did it lead to a new insight? This may mean providing information also to other CSIRT (as an external source) on the usefulness of or changes to signatures, honeypot findings, IOCs, warnings, threat information, mitigations, etc. This activity may also be performed by the Knowledge Transfer service area. If so, the results should be communicated back to the Situational Awareness service area.", "meta": { - "outcome": "Observations and feedback is provided to internal and external sources in order to improve the accuracy, timeliness, quality, and usefulness of information received. 9 Service Area: Knowledge Transfer Through the nature of their services CSIRTs, are in a unique position to collect relevant data, perform detailed analysis, and identify threats, trends, and risks, as well as to create best current operational practices to help organizations to detect, prevent, and respond to security incidents. Transferring this knowledge to their constituents is key to improving overall cybersecurity. The following services are considered as offerings of this particular service area: Awareness building\nTraining and education\nExercises\nTechnical and policy advisory 9.1 Service: Awareness building Purpose: Increase the overall security posture of the constituency and help its members to detect, prevent, and recover from incidents; ensure that constituents are better prepared and educated. Description: This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats. 
Outcome: The constituency is provided with the necessary awareness of: events, activities, and trends that may affect its ability to operate in a timely and secure manner\nsteps to take to detect, prevent and mitigate threats and malicious activity\nsecurity and operational best practices The following functions are considered to be part of the implementation of this service: Research and information aggregation\nReport and awareness materials development\nInformation dissemination\nOutreach", + "outcome": "Observations and feedback is provided to internal and external sources in order to improve the accuracy, timeliness, quality, and usefulness of information received.", "purpose": "Improve the quality, timeliness, accuracy, and relevance of the data being received from internal and external sources." }, "related": [ 
@@ -1139,7 +1139,7 @@ { "description": "This function involves building partnerships, promoting cooperation, and engaging key stakeholders, internal or external to the constituency, with the goal of: disseminating awareness and best practices; helping the constituency and external stakeholders understand the services and benefits a CSIRT can provide; helping the CSIRT to better understand constituents’ needs; and enabling the realization of CSIRT’s mission. This may involve ensuring interoperability or fostering collaboration between or across organizations.", "meta": { - "outcome": "Active and consistent outreach activities are performed that may include, but are not limited to, meeting with key stakeholders, participating in sector meetings, presenting at conferences, and organizing conferences. 9.2 Service: Training and education Purpose: Provide training and education to a CSIRT constituency (which may include organizational and CSIRT staff) on topics related to cybersecurity, information assurance and incident management. Description: A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can help maintain user awareness\nhelp the constituency understand the changing landscape and threats\nfacilitate information exchange between the CSIRT and its constituency\ntrain the constituency on tools, processes and procedures related to security and incident management. This can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities. 
Outcome: A consistent training and education program is provided that enables the CSIRTs’ constituency to appropriately acquire methods to detect, prevent or respond to threats\ntools and practices to help protect critical assets\nunderstanding about incident management processes and how to get assistance The following functions are considered to be part of the implementation of this service: Knowledge, skill, and ability requirements gathering \nEducational and training materials development\nContent delivery\nMentoring\nCSIRT staff professional development", + "outcome": "Active and consistent outreach activities are performed that may include, but are not limited to, meeting with key stakeholders, participating in sector meetings, presenting at conferences, and organizing conferences.", "purpose": "Develop and maintain relationships with experts or organizations that may help or be part of the execution of the mission of the CSIRT." }, "related": [ 
@@ -1214,7 +1214,7 @@ { "description": "Once the appropriate skills have been identified, professional development is used by a CSIRT to promote a continuous process of securing new knowledge, skills, and abilities that relate to the security profession, unique job responsibilities, and the overall Team environment. This can include attending conferences, advanced training, and cross-training activities, among others.", "meta": { - "outcome": "Developed and trained staff are available with the requisite technical and soft skills and process understanding, and who are up to date based on the job roles and needs. CSIRT members are ready to address the daily operational challenges, supporting both the team and its customers. 9.3 Service: Exercises Purpose: Conduct exercises to assess and improve the effectiveness and efficiency of cybersecurity services and functions. Description: Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to test policies and procedures: assess whether there are sufficient policies and procedures in place to effectively detect, respond and mitigate incidents. This is, generally, a paper/table-top exercise.\ntest operational readiness: assess whether the organization has an incident management capability that is able to detect, respond to and mitigate incidents in a timely and successful manner, as well as to test whether the right people are in place, directories are up-to-date, and if procedures are executed correctly. This service addresses both the needs of the organization and the needs of its constituents. 
More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives: Demonstrate: Illustrate cybersecurity services and functions, as well as vulnerabilities, threats, and risks, in order to raise awareness.\nTrain: Instruct staff on new tools, techniques, and procedures:\n\nExercise: Provide an opportunity for staff to use tools, techniques, and procedures they are expected to be knowledgeable about. Exercising is necessary for perishable skills and helps improve and maintain efficiency.\nAssess: Analyze and understand the level of effectiveness and efficiency of cybersecurity services and functions, as well as the level of staff preparedness.\nVerify: Determine whether a specified level of effectiveness and/or efficiency can be achieved for cybersecurity services and functions. Outcome: The effectiveness and efficiency of cybersecurity services and functions is improved and opportunities for further improvements are identified. Depending on the specific objective(s) of an exercise, cybersecurity may also be demonstrated to internal or external stakeholders, staff can be trained, and the efficiency and effectiveness of tools, services, and functions can be assessed and/or verified. Lessons for improving future exercises can also be identified and a report delivered to management or other key stakeholders. The following functions are considered to be part of the implementation of this service: Requirements analysis\nFormat and environment development\nScenario development\nExercises execution\nExercise outcome review", + "outcome": "Developed and trained staff are available with the requisite technical and soft skills and process understanding, and who are up to date based on the job roles and needs. 
CSIRT members are ready to address the daily operational challenges, supporting both the team and its customers.", "purpose": "Help staff members successfully and appropriately plan and develop their careers." }, "related": [ 
@@ -1289,7 +1289,7 @@ { "description": "Develop an after-action report which includes lessons learned or findings/best practices from the exercise, and provide an assessment to the stakeholders/management.", "meta": { - "outcome": "Deliverables are created highlighting the success of the exercise, areas for improvement, general findings, and recommended actions to take in order to improve: the organization incident management capabilities, the CSIRT’s team processes, and the capabilities of individual constituents and of the stakeholder community as a whole, including communications capabilities and procedures. 9.4 Service: Technical and policy advisory Purpose: Ensure the constituency’s policies and procedures include appropriate incident management considerations and, ultimately, enable the constituency to better manage risks and threats, as well as enabling the CSIRT to be more effective. Description: Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT. Outcome: A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate. 
The following functions are considered to be part of the implementation of this service: Risk management support\nBusiness continuity and disaster recovery planning support\nPolicy support\nTechnical advice", + "outcome": "Deliverables are created highlighting the success of the exercise, areas for improvement, general findings, and recommended actions to take in order to improve: the organization incident management capabilities, the CSIRT’s team processes, and the capabilities of individual constituents and of the stakeholder community as a whole, including communications capabilities and procedures.", "purpose": "Perform a formal and objective analysis of the exercise, based on factual observations." }, "related": [ 
@@ -1349,7 +1349,7 @@ { "description": "This function provides support and recommendations for the improvement of cybersecurity related infrastructures, tools, and services for its constituency, with the goal of improving the security posture and incident management overall. This might include advice on security considerations for acquisition, compliance verification, maintenance, and upgrades\ninternal and external audits of cybersecurity related infrastructures and tools\nsecure software development requirements and secure coding", "meta": { - "outcome": "Support is provided to design, acquire, manage, operate and maintain the constituency’s infrastructure and systems and tools, as well as assist in building the capability, capacity, and maturity of incident management activities. ANNEX 1: Acknowledgments The following volunteers from the CSIRT communities contributed significantly to this version of the CSIRT Services Framework. They have been listed in alphabetical order by their last name, without title but with affiliation, role, and country: Vilius Benetis, NRD CIRT (LT)\nOlivier Caleff (Service Area Coordinator), openCSIRT Foundation (FR)\nCristine Hoepers (Service Area Coordinator), CERT.br (BR) \nAngela Horneman, CERT/CC, SEI, CMU (US) \nAllen Householder, CERT/CC, SEI, CMU (US) \nKlaus-Peter Kossakowski (Editor), Hamburg University of Applied Sciences (DE)\nArt Manion, CERT/CC, SEI, CMU (US)\nAmanda Mullens (Co-Service Area Coordinator), CISCO (US)\nSamuel Perl (Service Area Coordinator), CERT/CC, SEI, CMU (US)\nDaniel Roethlisberger (Service Area Coordinator), Swisscom (CH) \nSigitas Rokas, NRD CIRT (LT) \nMary Rossell, Intel (US)\nRobin M. Ruefle (Co-Service Area Coordinator), CERT/CC, SEI, CMU (US)\nDésirée Sacher, Finanz Informatik (DE) \nKrassimir T. Tzvetanov, Fastly (US) \nMark Zajicek (Co-Service Area Coordinator), CERT/CC, SEI, CMU (US)\n \nANNEX 2: Terms and Definitions This section defines certain terms used in the CSIRT Services Framework. 
Action- The description of how something is done at varying levels of detail.\n\n\nAdvisory9- An announcement or bulletin that serves to inform, advise, and warn about the vulnerability of a product. \n\n\nCapability- A measurable activity that may be performed as part of an organization’s roles and responsibilities. For the purposes of the FIRST services framework, the capabilities can either be defined as the broader services or as the requisite functions.\n\n\nCapacity- The number of simultaneous process-occurrences of a particular capability that an organization can execute before they achieve some form of resource exhaustion.\n\n\nCommon Vulnerability Exposures (CVE)10- A list of entries containing an identification number, a description, and at least one public reference for publicly known vulnerabilities. Serves as a standard identifier to reference vulnerabilities. \n\n\nCommon Vulnerability Scoring System (CVSS)11- A numerical score that reflects a vulnerability’s severity. \n\n\nCommon Weakness Enumeration (CWE)12- A formal list of software weakness types created to serve as a common language for describing software security weakness in architecture, design, or code; serve as a standard measuring stick for software security tools targeting these weaknesses; and provide a common baseline standard for weakness identification, mitigation, and prevention efforts. \n\n\nConstituency- A specific group of people and/or organizations that have access to a specific set of services offered by a CSIRT.\n\n\nContextual Data Source- A source of contextual data that gives context to data points, for example to an identity, an asset, or an information security event. Specific examples include user databases, asset inventories, IP repudiation services, or threat intelligence data.\n\n\nCoordinated vulnerability disclosure- A term used to denote a disclosure process that includes coordination. 
Source: ISO/IEC 29147:2018, Terms and definitions.\n\n\nCoordinator13- An optional participant who can assist vendors and finders in handling and disclosing vulnerability information. \n\n\nDetection Use Case- A specific condition to be detected by an Information Security Event Management service area. The terminology originates in software engineering, but is now widely used in detection engineering.\n\n\nEmbargo- A hold on the publication of vulnerability details until affected vendors are able to release security updates or mitigations and workarounds to protect customers.\n\n\nFinder14- An individual or organization that identifies a potential vulnerability in a product or online service. Please note that finders can be researchers, reporters, security companies, hackers, users, governments, or coordinators.\n\n\nFunction- An activity or set of activities aimed at fulfilling the purpose of a particular service. Other definitions include: a group of related actions15; to perform a specified action or activity, work, operate.16\n\n\nInformation Security Event- An observable event in an IT environment that is relevant to security; for example, a user logon or an IDS alert. Information security events typically produce some kind of evidence, such as an audit record or an entry in a log file, that can be collected and analyzed as part of the Information Security Event Management service area.\n\n\nInformation Security Incident17- Any adverse information security event (or set of information security events) which indicates a compromise of some aspect of user, system, organization, and/or network information security. 
The definition of an information security incident may vary between organizations, but at least the following categories are generally applicable:\n\nLoss of confidentiality of information\nCompromise of integrity of information\nDenial of service\nMisuse of service, systems or information\nDamage to systems\n\nAttacks, even if they failed because of proper protection, can be regarded as information security incident.\n\n\nKey Performance Indicator (KPI)18- A measurable value that demonstrates how effectively a company is achieving key business objectives. Organizations use KPIs at multiple levels to evaluate their success at reaching targets.\n\n\nMaturity- How effectively an organization executes a particular capability within the mission and authorities of the organization. It is a level of proficiency attained either in executing specific functions or in an aggregate of functions or services. The ability of an organization will be determined by the extent and quality of established policies and documentation and the ability to execute a set process.\n\n\nOpen Source- Works that are licensed in such a way that they may be freely redistributed and modified, where the source code is made available publicly, and is freely distributed and does not discriminate against any persons, groups, or fields of endeavor, and is technology-neutral. Open source software is often maintained by a community of individuals and entities who collaboratively create and maintain it.\n\n\nProduct19- A system implemented or developed for sale or to be offered for free.\n\n\nRemediation (or Remedy)20- A change made to a product or online service to remove or mitigate a vulnerability. A remediation typically takes the form of a binary file replacement, configuration change, or source code patch and recompile. Different terms used for “remediation” include patch, fix, update, hotfix, and upgrade. 
Mitigations are also called workarounds or countermeasures.\n\n\nResponsible Disclosure- A term which is used to refer to a process or model where a vulnerability is disclosed only after a period of time that allows a remediation (fix or patch) to be made available. This term is not necessarily the same as “coordinated vulnerability disclosure.”\n\n\nRisk21- The “effect of uncertainty on objectives.” In this definition, uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information.\n\n\nRisk Acceptance22- A risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs.\n\n\nRisk Register23- A document in which the results of risk analysis and risk response planning are recorded.\n\n\nService- A service is a set of recognizable, coherent functions towards a specific result. Such results might be expected or required by constituents or on behalf of or for the stakeholder of an entity. \n\n\nService Level Agreement (SLA)- A contract between a service provider (either internal or external) and the end user that defines the level of service expected from the service provider. \n\n\nStakeholders24- Individuals or groups that define and modify the service areas or services and ensure an appropriate service communication strategy and groups who can benefit from services offered. \n\n\nTasks- the list of actions that must be performed to complete a specific function.\n\n\nVendor25- A person or organization that developed the product or service or is responsible for maintaining it.\n\n\nVulnerability26- A weakness in software, hardware, or an online service that can be exploited. ANNEX 3: Supporting Resources Alberts, David S., et.al. Understanding information age warfare. In DOD Command and Control Research Program Publication Series. ADA395859. Booz Allen & Hamilton, McLean, VA. 2001.\nhttps://apps.dtic.mil/docs/citations/ADA395859 Barford P., et al. 
(2010) Cyber SA: Situational Awareness for Cyber Defense. In: Jajodia S., Liu P., Swarup V., Wang C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, 2010. Boston, MA. ISBN 978-1-4419-0140-8_1\nhttps://link.springer.com/chapter/10.1007/978-1-4419-0140-8_1 Boyd, John R. Destruction and Creation. Goal Systems International. September 3, 1976.\nhttp://www.goalsys.com/books/documents/DESTRUCTION_AND_CREATION.pdf Cartwright, James E. Joint Concept of Operations for Global Information Grid NetOps. United States Strategic Command. PDF August 10, 2005. Homeland Security Digital Library. August 10, 2005.\nhttps://www.hsdl.org/?view&did=685398 Committee on National Security Systems Instruction CNSSI 4009. Committee on National Security Systems Website. June 23, 2019 [accessed].\nhttps://www.cnss.gov/cnss/ Cybersecurity Situation Awareness. The MITRE Corporation Website. June 25, 2019 [accessed].\nhttps://www.mitre.org/capabilities/cybersecurity/situation-awareness Endsley, Mica R. Toward a theory of situation awareness in dynamic systems. Human factors Volume 37. Number 1. March 1995 Pages 32-64.\nhttps://journals.sagepub.com/doi/10.1518/001872095779049543 FIRST Product Security Incident Response Team (PSIRT) Services Framework, Version 1.0, 2018. North Carolina: First.org, 2018\nhttps://www.first.org/education/FIRST_PSIRT_Service_Framework_v1.0 FIRST Vulnerability Reporting and Data eXchange SIG (VRDX-SIG). 2013-2015. North Carolina: First.org, 2015\nhttps://www.first.org/global/sigs/vrdx/ Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure, Version 1.0, 2017. North Carolina: First.org, 2017\nhttps://www.first.org/global/sigs/vulnerability-coordination/multiparty/guidelines-v1.0 Hawk, Robert. Situational Awareness in Cyber Security. [blog post]. Hawk’s Posts: Security Essentials from Robert Hawk. 
June 11, 2015.\nhttps://www.alienvault.com/blogs/security-essentials/situational-awareness-in-cyber-security Householder, Allen D.; Wassermann, Garret; Manion, Art; King, Christopher. The CERT® Guide to Coordinated Vulnerability Disclosure. CMU/SEI-2017-SR-022. Software Engineering Institute, Carnegie Mellon University. 2017\nhttps://resources.sei.cmu.edu/library/asset-view.cfm?assetid=503330 Householder, Alan. Vulnerability Discovery for Emerging Networked Systems [blog post]. Vulnerability discovery techniques. November 20, 2014.\nhttps://insights.sei.cmu.edu/cert/2014/11/-vulnerability-discovery-for-emerging-networked-systems.html International Organization for Standardization. Information technology -- Security techniques -- Vulnerability disclosure. Second Edition. ISO/IEC 29147:2018. Geneva, Switzerland: ISO: IEC. 2018\nhttps://www.iso.org/standard/72311.html International Organization for Standardization. Information technology -- Security techniques -- Vulnerability handling processes. First Edition. ISO/IEC 30111:2013. Geneva, Switzerland: ISO: IEC. 2013\nhttps://www.iso.org/standard/53231.html Jajodia, Sushil, et al., (Eds.). Cyber Situational Awareness: Issues and Research. Part of the Advances in Information Security book series (ADIS, volume 46). 2010. ISBN 978-1-4419-0140-8\nhttps://link.springer.com/book/10.1007/978-1-4419-0140-8 Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001. ISBN: 9783831100590. Kossakowski; Klaus-Peter & Stikvoort, Don. A Trusted CSIRT Introducer in Europe. Amersfoort, Netherlands: M&I/Stelvio, February, 2000.\nhttp://www.ti.terena.nl/process/ti-v2.pdf Manion, Art & Householder, Alan. Vulnerability Analysis. CERT Coordination Center (CERT/CC). May 30, 2019.\nhttps://vuls.cert.org/ McGuinness, B. &, Foy, L. A subjective measure of SA: The crew awareness rating scale (cars). In Kaber, D.B.; Endsley, M.R.; p. 286-291. 
Proceedings of the First Human Performance, situation awareness and automation conference; user-centered design for the new millennium. Savannah, Georgia, October 2000. Salerno, John; Hinman, Michael & Boulware, Douglas. Situation awareness model applied to multiple domains. In Proceedings of the Defense and Security Conference, Orlando, FL, March 2005.\nhttps://www.spiedigitallibrary.org/conference-proceedings-of-spie/5813/0000/A-situation-awareness-model-applied-to-multiple-domains/10.1117/12.603735.full?SSO=1 Stone, Steve. Data to Decisions for Cyberspace Operations. The MITRE Corporation Website. January 2016\nhttps://www.mitre.org/publications/technical-papers/data-to-decisions-for-cyberspace-operations Tadda G.P., Salerno J.S. (2010) Overview of Cyber Situation Awareness. In: Jajodia S., Liu P., Swarup V., Wang C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, Boston, MA. 2010. ISBN 978-1-4419-0140-8\nhttps://link.springer.com/chapter/10.1007/978-1-4419-0140-8_2 West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response Teams (CSIRTs). CMU/SEI-98-HB-001. Software Engineering Institute, Carnegie Mellon University. 1998.\nhttp://www.sei.cmu.edu/publications/documents/98.reports/98hb001/98hb001abstract.html ANNEX 4: Overview of all CSIRT Services and related Functions https://www.first.org/standards/frameworks/csirts/ for CSIRT related materials ^\nCheck [Kossakowski 2001] for a discussion of internal support services and its relationship to other services ^\nA FIRST Special Interest Group (SIG) has been established to steer the “CSIRT Framework Development”. ^\nAlthough this services framework does not aim to define a SOC services framework, it is certainly expected that services from both Information Security Event and Incident Management areas will be useful and directly applicable while defining SOC services. 
^\nAs is to be expected for all services related to the intake of information and data, there are many similarities. It is therefore common to combine such services from several service areas offered into one service/function. As this is not mandatory and there is no set combination of service areas, we have chosen to keep such services separate within the CSIRT Services Framework, although each team is free to choose the best organizational model for its own setup. ^\nNew vulnerability information received by email may be considered to be an activity of either the Vulnerability Discovery service, Public Source Vulnerability Discovery function, Vulnerability Report Intake service, or of the Vulnerability Report Receipt function, depending on the CSIRT’s internal processes or on how broadly the vulnerability information was distributed. ^\nSee the Vulnerability Coordination and Vulnerability Disclosure service areas for related information on coordinated vulnerability disclosure (CVD). ^\nAlthough the function and sub-functions for detecting vulnerabilities are sometimes referred to as “vulnerability management,” this CSIRT Services Framework instead refers to these as part of this Vulnerability Response service, which is part of the larger service area named Vulnerability Management in this framework. 
^\nISO/IEC 29147:2014 Information technology—Security techniques — Vulnerability disclosure- Terms/Definitions 3.1^\nhttps://cve.mitre.org/ ^\nhttps://www.first.org/cvss/ ^\nhttps://cwe.mitre.org/about/index.html ^\nISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes-Terms/Definitions 3.1^\nISO/IEC 29147:2014 Information technology—Security techniques — Vulnerability disclosure- Terms/Definitions 3.3^\nSource: https://www.merriam-webster.com/dictionary/function ^\nSource: https://www.dictionary.com/browse/function ^\nBased on RFC2350 by considering „information security“ instead of „IT security“, https://tools.ietf.org/html/rfc2350. ^\nhttps://www.klipfolio.com/resources/articles/what-is-a-key-performance-indicator ^\nISO/IEC 29147:2014 Information technology—Security techniques—Vulnerability disclosure-Terms/Definitions 3.5 ^\nISO/IEC 29147:2014 Information technology—Security techniques—Vulnerability disclosure-Terms/Definitions 3.6 ^\nISO 31000:2009/ ISO Guide 73:2002 Risk management — Principles and guidelines- Terms/Definitions 2.1 ^\nThe Project Management Body of Knowledge (PMBOK) Guide and Standards ^\nThe Project Management Body of Knowledge (PMBOK) Guide and Standards ^\nArchitecture Content Framework ^\nISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes-Terms/Definitions 3.7 ^\nISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes-Terms/Definitions 3.8^", + "outcome": "Support is provided to design, acquire, manage, operate and maintain the constituency’s infrastructure and systems and tools, as well as assist in building the capability, capacity, and maturity of incident management activities.", "purpose": "Provide technical advice that can help the constituency to better manage risks and threats and implement current operational and security best practices, while enabling effective incident handling activities." 
}, "related": [ diff --git a/tools/gen_csf_alt.py b/tools/gen_csf_alt.py new file mode 100644 index 0000000..4eeb54c --- /dev/null +++ b/tools/gen_csf_alt.py 
@@ -0,0 +1,228 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# A simple convertor script to generate galaxies from the MITRE NICE framework +# https://niccs.cisa.gov/workforce-development/nice-framework +# Copyright (C) 2024 Jean-Louis Huynen +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +import pdb +import requests +import json +import os +import uuid +import re +from bs4 import BeautifulSoup + +# uuidv4 generated to be concatenated in v5: 43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0 + +galaxy = { + "namespace": "first", + "type": "first-csirt-services-framework", + "name": "FIRST CSIRT Services Framework", + "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide", + "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", + "version": 1, + "icon": 'user', +} + +cluster = { + 'authors': ["FIRST", "CIRCL", "Jean-Louis Huynen"], + 'category': 'csirt', + "type": "first-csirt-services-framework", + "name": "FIRST CSIRT Services Framework", + "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services 
and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide", + "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", + 'source': 'https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1', + 'values': [], + 'version': 1, +} + +# URL to download +url = "https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#5-Service-Area-Information-Security-Event-Management" + +# Send a GET request to the webpage +response = requests.get(url) + +def extract_nostrong_content(element): + content = element.find_next_siblings('p', limit=3) + extracted = {} + + extracted["purpose"] = content[0].text.strip()[8:] + for sibling in content[0].find_next_siblings(): + if "Description:" in sibling.text: + break + extracted["purpose"] += f" {sibling.text.strip()}" + + extracted["description"] = content[1].text.strip()[12:] + for sibling in content[1].find_next_siblings(): + if "Outcome:" in sibling.text: + break + extracted["description"] += f" {sibling.text.strip()}" + + extracted["outcome"] = content[2].text.strip()[8:] + for sibling in content[2].find_next_siblings(): + if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]): + break + extracted["outcome"] += f" {sibling.text.strip()}" + return extracted + +def extract_content(element): + content = {} + description_title = element.find_next( + "em", string=lambda text: "Description:" in text + ) + purpose_title = element.find_next("em", string=lambda text: "Purpose:" in text) + outcome_title = element.find_next("em", string=lambda text: "Outcome:" in text) + + content["purpose"] = ( + purpose_title.parent.parent.get_text(strip=True).replace("Purpose:", "").strip() + ) + for sibling in purpose_title.parent.parent.find_next_siblings(): + if "Description:" in sibling.text: + break + content["purpose"] += f" {sibling.text.strip()}" + + 
content["description"] = ( + description_title.parent.parent.get_text(strip=True) + .replace("Description:", "") + .strip() + ) + + for sibling in description_title.parent.parent.find_next_siblings(): + if "Outcome:" in sibling.text: + break + content["description"] += f" {sibling.text.strip()}" + + content["outcome"] = ( + outcome_title.parent.parent.get_text(strip=True).replace("Outcome:", "").strip() + ) + for sibling in outcome_title.parent.parent.find_next_siblings(): + if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]): + break + content["outcome"] += f" {sibling.text.strip()}" + content["outcome"] = content["outcome"].split("The following functions")[0].strip() + return content + + +def remove_heading(input_string): + return re.sub(r'^\d+(\.\d+)*\s+', '', input_string) + +# Check if the request was successful +if response.status_code == 200: + # Parse the page content with BeautifulSoup + soup = BeautifulSoup(response.content, 'html.parser') + + # Removing all links + for a in soup.find_all('a', href=True): + if a['href'].startswith('#'): + a.decompose() + + # Extract the section titled "4 CSIRT Services Framework Structure" + section_header = soup.find( + 'h2', id="5-Service-Area-Information-Security-Event-Management" + ) + if section_header: + + services = section_header.find_next_siblings('h3') + functions = section_header.find_next_siblings('h4') + + for service in services: + if "Monitoring and detection" in service.text: + content = extract_nostrong_content(service) + else: + content = extract_content(service) + name = remove_heading(service.text.strip()) + suuid = str( + uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name) + ) + cluster["values"].append( + { + "description": content["description"], + "meta": { + "purpose": content["purpose"], + "outcome": content["outcome"], + }, + "uuid": suuid, + "value": name, + "related": [], + } + ) + + for 
function in functions: + content = extract_content(function) + # get the parent service + parent_service = function.find_previous('h3') + relationship = { + "dest-uuid": str( + uuid.uuid5( + uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), + remove_heading(parent_service.text.strip()), + ) + ), + "type": "part-of", + } + + name = remove_heading(function.text.strip()) + + cluster["values"].append( + { + "description": content["description"], + "meta": { + "purpose": content["purpose"], + "outcome": content["outcome"], + }, + "uuid": str( + uuid.uuid5( + uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name + ) + ), + "value": name, + "related": [relationship], + } + ) + + with open( + os.path.join( + os.path.dirname(__file__), + '..', + 'galaxies', + f'first-csirt-services-framework.json', + ), + 'w', + ) as f: + json.dump(galaxy, f, indent=2, sort_keys=True, ensure_ascii=False) + f.write( + '\n' + ) # only needed for the beauty and to be compliant with jq_all_the_things + + with open( + os.path.join( + os.path.dirname(__file__), + '..', + 'clusters', + f'first-csirt-services-framework.json', + ), + 'w', + ) as f: + json.dump(cluster, f, indent=2, sort_keys=True, ensure_ascii=False) + f.write( + '\n' + ) # only needed for the beauty and to be compliant with jq_all_the_things + + else: + print("Couldn't find the section header.") +else: + print(f"Failed to download the webpage. Status code: {response.status_code}")
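Review bot: The page fetch `response = requests.get(url)` runs at module level with no timeout, so a stalled connection hangs the generator indefinitely; pass one explicitly, e.g. `response = requests.get(url, timeout=30)`. The scraped text then goes straight into `clusters/first-csirt-services-framework.json`, yet `extract_content` dereferences `purpose_title.parent.parent` (and the description/outcome equivalents) without checking that `find_next` found the label, and `extract_nostrong_content` indexes `content[0]`..`content[2]` and strips labels by fixed slices (`[8:]`, `[12:]`). An upstream layout change would therefore either raise an opaque `AttributeError`/`IndexError` or silently cut or keep the wrong characters; an explicit guard such as `if purpose_title is None: raise ValueError("Purpose label not found")`, together with `removeprefix("Purpose:").strip()` in place of the slices, would make that failure visible before the JSON is rewritten. `import pdb` is not used anywhere in the hunk and should be dropped, and the header comment still names the MITRE NICE framework although the script scrapes the FIRST CSIRT Services Framework.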