=Paper=
{{Paper
|id=Vol-1304/STIDS2014_T09
|storemode=property
|title=An Incident Management Ontology
|pdfUrl=https://ceur-ws.org/Vol-1304/STIDS2014_T09_MundieEtAl.pdf
|volume=Vol-1304
|dblpUrl=https://dblp.org/rec/conf/stids/MundieRDPMC14
}}
==An Incident Management Ontology==
https://ceur-ws.org/Vol-1304/STIDS2014_T09_MundieEtAl.pdf
An Incident Management Ontology
D. Mundie, R. Ruefle, A. Dorofee, J. McCloud, S. Perl, M. Collins
CERT®
Software Engineering Institute | Carnegie Mellon University
4500 Fifth Ave., Pittsburgh, PA, United States of America
Abstract—This paper outlines the need for and the chose to use the W3C Ontology Web Language - OWL2 due
development of an Incident Management Ontology. The Incident to its formalism and increasing use in the Semantic Web
Management Ontology is derived from an Incident Management community. We feel this work may be a useful case study for
Meta-Model. We describe the shortcomings of the Incident others who are thinking about formalizing their own
Management Meta-Model and how the Incident Management information security knowledge.
Ontology addresses these shortcomings. The development of the
Incident Management Ontology is outlined and the need for such
an ontology is discussed. Related work is described and the II. THE INCIDENT MANAGEMENT META-MODEL
Incident Management Ontology’s potential uses and applications In previous work [2], we aggregated a wide variety of
are presented. incident management process models such as ISO 27002 [3]
and NIST 800-61 [4]. From those sources we abstracted a
Keywords—Ontology, Incident Management, Description Logic generalized meta-model that captured the essential processes
involved in incident management.
I. INTRODUCTION This meta-model was at the heart of what we previously
1
When the JASON Program within MITRE looked at the called an Incident Management Body of Knowledge (IMBOK).
scientific community for ways to make cybersecurity “more It broke incident management activities into 18 high-level tasks
scientific”, their very first conclusion was that the security organized by the incident management life cycle phases as
community needed “a common language and a set of basic Prepare, Protect, and Respond. It also included five non-
concepts about which the security community can develop a procedural, crosscutting capabilities that constrain all the other
shared understanding” [1], or in other words, a Cybersecurity tasks. The following outlines the phases and tasks and 5
ontology. The work described in this report is part of an crosscuts of the IMBOK:
ongoing effort within CERT® to build such an ontology for
incident management. A. The phases and tasks
We believe that such formal models are the best way for the 1) Prepare
community to evolve towards a “science of cybersecurity”, and • Develop trusted relationships with external experts
that our incident management ontology can play a crucial role • Provide staff with appropriate education and training
in improving incident management. The ontology’s purpose is • Develop policies, processes, procedures
to create a common language for describing the processes and • Measure incident management performance
functions associated with CSIRTs. We intend to use the • Provide constituents with security education,
ontology to analyze existing CSIRTs, to define a standard set
training, and awareness
of processes and services that should be offered by CSIRT
teams, to formalize roles and responsibilities, and to build an • Develop an incident response strategy and plan
ontology based competency model for the knowledge, skills, • Improve defenses
and abilities required of team members. 2) Monitor and Detect
• Assist constituents with correcting problems
This paper describes the evolution of our work on identified by vulnerability assessment activities
characterizing incident security teams from a natural-language
• Detect and report events
text document to a formal ontology and analyzes the benefits
that accrued in the process. When creating our ontology, we • Monitor networks and information systems for
security
• Perform risk assessments and vulnerability
assessments on constituent systems
1
“JASON is an independent scientific advisory group that 3) Respond
provides consulting services to the U.S. government on
matters of defense science and technology. [In 2010] JASON
2
was asked by the Department of Defense to examine the OWL is based upon description logics. OWL supports those
theory and practice of cyber-security, and to evaluate whether users who want the maximum expressiveness while retaining
there are underlying fundamental principles that would make computational completeness (all conclusions are guaranteed to
it possible to adopt a more scientific approach.” be computable) and decidability (all computations will finish
(http://fas.org/irp/agency/dod/jason/) in finite time). (http://www.w3.org/TR/owl-features/)
62
� • Triage Incident natural-language format of the body of knowledge, and instead
• Collect and preserve evidence building a formal ontology using OWL.
• Restore and validate the system
• Perform a postmortem review of incident A. Ontologies
management actions An ontology is simply a set of shared, precisely-defined
• Integrate lessons learned with problem management concepts in a given domain, along with the relationships
process among those concepts. OWL (the Web Ontology Language) is
• Analyze incident, including artifacts, causes, and a W3C recommendation that builds on earlier languages from
correlations DARPA and elsewhere [6], is a key component of the
Semantic Web [7], and is currently the leading knowledge
• Determine and remove the cause of the incident
representation and reasoning language in computer science.
B. The 5 crosscuts OWL is descended from earlier attempts at usable knowledge
representation systems such as expert systems, logical
1) Manage information
programming languages, frame-based reasoning systems,
2) Properly handle collected evidence following best modal logic, KL-One [8], entity-relationship modeling, and the
practices like [9]. Description Logics emerged as a flexible yet powerful
3) Manage the incident management team knowledge representation tool as the relationships among these
4) Communicate incidents approaches were better understood and new ways to engineer
5) Track and document incidents from initial detection logics and reasoning systems were discovered. Description
through final resolution Logics have been used projects ranging from the International
Catalogue of Diseases [10] to Google's Knowledge Graph [11].
C. Drawbacks to the Incident Management Meta-Model To build our IM ontology, we decomposed the 18 high-
level tasks in the IMBOK meta-model into component
Although the Incident Management Meta-Model provides a concepts and their respective relationships.The concepts, also
considerable simplification and consolidation of prior known as classes in the Description Logic community, are
knowledge, it suffers from a number of drawbacks due to its organized into a strict hierarchy of subclasses. The incident
knowledge representation formalism: management tasks are composed of relationships among those
• The use of imperative verb forms expressing classes. This separation of classes from relationships is the key
infinitive constructions means that each task is only to most modern knowledge formalisms, from KL-One [8] to
partially represented, because the subject is implicit. OWL [12].
This obfuscates, for example, the fact that some of
the tasks (e.g. managing the team) are carried out by B. N-ary Relationships
the team's managers, not by the incident responders. The only relationships inherent in the Description
• In general, the use of natural language makes Logic on which OWL is built are binary relationships
machine processing of this knowledge representation consisting of two concepts (or objects) and a relationship
difficult. between them. However, many of the relationships we
• In particular, there is no easy way to use this want to model in incident management are "n-ary"
representation to perform modeling and simulation, relationships among more than just two objects. For
nor to build applications on top of it. example, training requires a relationship among at least
• To keep the process model manageable, concepts three objects: the training itself, a trainer, and a trainee.
have been abstracted to an unusable level, with no There are a number of ways to handle this situation in
graceful way to expand them into a more detailed OWL; for the IM ontology we used one of the techniques
form. There is no way within this system, for recommended by the W3C [13]. This technique consists
example, to say what is meant by "defenses" in of creating a new class that holds the relationships among
"improve defenses". the training concepts.
• Apart from including a glossary, this representation This requires a slight adjustment to our ways of
does not facilitate the use of a standardized thinking about relationships. To illustrate, the original
vocabulary. meta-model tasks
• Also to keep the process model manageable, related (IM leaders) Develop trusted relationships with
concepts have been combined, as in "restore and external experts.
validate the system". (trainers) Provide staff with appropriate
• Despite its relative compactness, this representation education and training.
violates the "7 plus or minus 2" law [5] and is hard become
for users to take in at a glance and internalize. developing external relationships:
involves external groups
III. FROM META-MODEL TO ONTOLOGY produces trusted relationships
Recently we realized that many of the drawbacks of the is performed by IM leaders
IMBOK could be remediated by moving beyond the informal
63
� staff training: is subject to the incident management
is provided by either external or crosscuts
internal trainers
is provided to IM personnel The table In Appendix B gives a simple summary of
the relationships in the ontology.
Once the reified relationships are in place, it becomes Figure 1 shows a screenshot of the IM ontology being
straightforward to enhance them with additional edited in Protégé [14], the ontology development tool
information. In full, these two classes actually are as from Stanford that is widely used in the community. The
follows in the ontology: display contains five panes giving five views of the
ontology. The upper left pane shows the class hierarchy.
developing external relationships: The two most important classes are "activities" and
belongs to the prepare process "crosscuts". The activities are simply the tasks carried out
involves external groups by the incident management staff, while "crosscuts" or
produces trusted relationships "principles" as Beebe and Clark call them [15] are
is subject to the incident management pervasive constraints on the activities. In addition to those
crosscuts main classes, we needed eight auxiliary classes to
is performed by IM leaders describe the activities in full: incident components, IT
components, knowledge assets, life cycle phases,
organizational groups, quality standards, relationships,
staff training: and team resources. These classes were identified using
is provided by either external or traditional ontology-mining techniques: we started with
internal trainers the terms in the meta-model, then clustered them and
is provided to IM personnel introduced class hierarchies based on our knowledge of
is a training service the domain.
is part of the prepare process
Figure 1 - The Incident Management Ontology Being Edited in Protégé. Note that the “crosscuts” class has grown and its
members renamed during the development process.
second pane shows information about the class in terms of
its subclasses, its superclasses, its members, any equivalent
The top two right-hand panes of the display show
classes, and so forth.
additional information about the selected class in the class
hierarchy, in this case "incident response services". The top The pane at the lower left of the screen shows the
pane shows the usage of the selected class, while the hierarchy of relationships, called "object properties" in
64
� OWL. The "permeates" relationship has been selected. The training", or "training", or "proactive services", or
lowest pane on the right describes that relationship in the "incident management services", and the reasoning
ontology, showing that its domain is "CSIRT managers" system will infer properties and type relationships as
and its range is "team resources", capturing the fact that needed.
CSIRT team managers acquire the team's resources. • The use of OWL annotations to capture definitions
makes the IM ontology usable as a dictionary.
C. Overcoming the Drawbacks • Because of the class hierarchy and the formality of
We believe that this formal IM ontology solves the the system, there is no pressure to collapse concepts
problems noted in Section 2 for the IMBOK meta-model. to keep the document small.
• The use of classes and relationships ensures that the • Finally, the separation of entities from relationships
knowledge is represented completely. reduces the complexity of the representation, and
• This representation is machine-processable; Figure 2 makes the structure of the IM ontology easier to
shows a simple graphic automatically generated from absorb.
the IM ontology using the OntoGraf tool [16] with a Figure 2 gives a high-level breakdown of the incident
GraphViz post-processing script. management activities. The "service delivery" activities are
• The use of Description Logic (DL) ontologies for the most important, and Figure 2 expands that class to a
modeling and for constructing applications is well further level of detail. Figure 3 shows a close-up of the root
understood [9]. cause analysis environment, showing that it is performed by
• The use of a strict class hierarchy gives us a user- incident management personnel, that its goal is to explain root
friendly way to talk about concepts at any needed causes, that it is an incident analysis service, and so forth.
level of abstraction without complicating the IM
ontology as a whole: we can talk about "security
Figure 2 - The Activity Classes in the Ontology, with the Service-Delivery Activity Expanded
Figure 3 - A Detailed View of Root Cause Analysis
65
� services. The National Team from Borduria focuses on
D. Other Benefits
vulnerability assessment, vulnerability analysis, incident
In addition to solving the difficulties we had with the Meta- analysis, performance measurement, and relationship
Model, moving to a formal ontology had several other building. As the diagram makes clear, the only service
advantages. these two CSIRTs have in common is incident analysis.
1) Very flexible typing
We quickly grew fond of the ability to create new types
simply by specifying the necessary and sufficient conditions
for membership in the type. Earlier we had used a
multidimensional organization system called facet maps [17]
to achieve multiple categorizations for the Meta-Model, but
class expressions are much more lightweight and flexible.
They are like a very disciplined tagging system. To cite just
one example, we realized at some point that although we want
to retain the classification of activities by the life-cycle phase
in which they are used (prepare, protect, detect, respond, etc.),
there is no need to build the life-cycle phases into the class
hierarchy. Instead we simply assert a "belongs-to" relationship
between an activity and a life-cycle phase. Then we can define
a "protect-activities" class where the membership condition is
"an activity that belongs-to the protect phase" and the reasoner Figure 4 - A Comparison of Two Fictitious Incident
will automatically compute the members of the class. Management Teams. Note that “has individual” denotes
2) More powerful Modeling the membership of individuals in classes. Thus Acme is an
The n-ary relations that use binary relations to “reify” individual member of the class of incident reporting
relations among individuals turned out to be a very effective services.
method for packaging up domain knowledge in a taxonomic
IV. RELATED RESEARCH
hierarchy. When it seemed clear that the different types of
incident analysis were characterized by the goal of their The seminal paper Formalizing Information Security
analysis, it was trivial to add "explains" and "explained-by" Knowledge by Fenz et al. [19] presents the rationale for
relationships. capturing information security best practices in an OWL
3) Improved knowledge visualization ontology. Though it served as an influence for our ontology,
A shortcoming of our Incident Management Meta-Model the work addresses information security in general while our
was the absence of a satisfactory visualization. After work focuses on incident management.
converting the Meta-Model into a formal ontology, we used There have been many proposals for standardized incident
OntoGraf [16] to export files in the GraphViz DOT format handling process models; for a summary of the models that
[18]. DOT is a text-based format that allows for customizable were used for our meta-model, see [2]. Although they
graphics. incorporated much collective wisdom, none of them were
based on a formal knowledge representation. Like our meta-
E. Individuals model, the forensic framework of Beebe and Clark [15] aimed
The real power of Description Logic ontology comes to assimilate existing practice into a comprehensive
when an ontology is populated by individuals and framework. The distributed, loosely-coupled incident response
reasoning is enabled. “Reasoning” is a key-functionality model of Millar, Osorno, and Reger [20] is a deeply-reasoned
of semantic technologies and allows automatic inferences attempt to analyze and improve upon existing incident
to be made using the rules and classes described by the management practices based on scientific theory and
ontology. The ability of OWL to be used at internet scale simulation, but is not based on a formal ontology.
comes from the highly optimized and logically precise Furthermore, we found that many proposed ontologies that
handling of both terminological, or taxonomic, knowledge exist fail to capture all of the important relationships between
in what the Description Logic community calls the TBox, members of organizations and the organizations themselves.
and the contingent assertional knowledge about These representations arise from an internal focus of an
individuals in what the community calls the ABox [9]. organization who has been victim to attack, and many ignore
We have not yet formally extended the Incident the roles and relationships between a CSIRT and incidents that
Management Ontology to real world individuals, but occur.
Figure 4 shows an example using two fictitious individual Magklaras and Furnell [21] observe that incidents occur
CSIRTs in the ontology. The Acme team, focused only on through misuse by individuals, but do not propose a
incident response, provides monitoring, incident formalized ontology of a taxonomy including this human-
detection, incident reporting, and incident analysis misuse concept. Classifications of individuals are made more
66
�distinguished based on behavior (e.g. accidental or Mellon® and CERT® are registered marks of Carnegie
intentional), and possible consequences of misuse correlated Mellon University. DM-0001433
to these actions.
Wang and Guo’s [22] research in developing OVM NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS.
(Ontology for Vulnerability Management) identifies CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
individuals responsible for attacks, but the relationships EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
amongst these individuals is not made clear. The MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
formalizations within their work capture knowledge sufficient THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY
WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT,
to answer questions about the assets targeted in an incident TRADEMARK, OR COPYRIGHT INFRINGEMENT.
and mechanisms by which an incident takes place. While
organization and individuals are clear in this work, further
subdivisions of organizations and groups of individuals are REFERENCES
not. No concept of trust appears in the ontology’s class 1 McMorrow, D.: ‘Science of Cyber-Security’, in Editor (Ed.)^(Eds.): ‘Book
hierarchy, making the risk of agents difficult to reason about. Science of Cyber-Security’ (DTIC Document, 2010, edn.), pp.
2 Mundie, D.A., and Ruefle, R.: ‘Building an Incident Management Body of
Chiang [23] proposed mapping the IT Security EBK [24] and Knowledge’, in Editor (Ed.)^(Eds.): ‘Book Building an Incident Management
ISO/IEC 27001 [25] standard to an incident ontology. The Body of Knowledge’ (Citeseer, 2012, edn.), pp. 507-513
3 ISO, I., and Std, I.: ‘ISO 27002: 2005’, Information Technology-Security
construct is similar to OVM, but has the benefit of subdivision Techniques-Code of Practice for Information Security Management. ISO, 2005
of roles amongst individuals and groups. Subdivisions, 4 NIST: ‘Special Publication 800-61, Revision 2’, Computer Security Incident
however, are limited and the ontology will require additional, Handling Guide, 2012, pp. 800-861
5 Miller, G.A.: ‘The magical number seven, plus or minus two: some limits on our
higher-level concepts to subsume various sibling classes of the capacity for processing information’, Psychological review, 1956, 63, (2), pp. 81
hierarchy. 6 Motik, B., Patel-Schneider, P.F., Parsia, B., Bock, C., Fokoue, A., Haase, P.,
Hoekstra, R., Horrocks, I., Ruttenberg, A., and Sattler, U.: ‘Owl 2 web ontology
The most complete formalization framework in security language: Structural specification and functional-style syntax’, W3C
that gathers all necessary information to incident management recommendation, 2009, 27, (65), pp. 159
7 Hitzler, P., Krötzsch, M., Parsia, B., Patel-Schneider, P.F., and Rudolph, S.: ‘OWL
might be Ekelhart’s [26] move from simple security taxonomy 2 web ontology language primer’, W3C recommendation, 2009, 27, (1), pp. 123
to ontology. This work acknowledges the different threats and 8 Brachman, R.J., and Schmolze, J.G.: �An Overview of the KL�ONE
means for attacks, along with measurable reductions when Knowledge Representation System*’, Cognitive science, 1985, 9, (2), pp. 171-216
9 Baader, F.: ‘The description logic handbook: theory, implementation, and
safeguards are introduced. Even relationships amongst applications’ (Cambridge university press, 2003. 2003)
individuals in an organization and the roles they take are 10 Organization, W.H.: ‘International classification of diseases (ICD)’, 2012
11 Singhal, A.: ‘Introducing the knowledge graph: things, not strings’, Official
represented clearly. However, this research does not model Google Blog, May, 2012
subdivisions of an organization and the roles that multiple 12 Antoniou, G., and Van Harmelen, F.: ‘Web ontology language: Owl’: ‘Handbook
organizations can have (both within and in relation to one on ontologies’ (Springer, 2004), pp. 67-92
13 Noy, N., Rector, A., Hayes, P., and Welty, C.: ‘Defining n-ary relations on the
another). Different subdivisions of service types and semantic web’, W3C Working Group Note, 2006, 12, pp. 4
measures of trust are not represented. 14 Ontology, P.: ‘Knowledge Acquisition System’, See http://protege. stanford. edu,
2007
15 Beebe, N.L., and Clark, J.G.: ‘A hierarchical, objectives-based framework for the
V. NEXT STEPS digital investigations process’, Digital Investigation, 2005, 2, (2), pp. 147-167
16 http://protegewiki.stanford.edu/wiki/OntoGraf2014
Future work on the Incident Management Ontology will 17 facetmap.com/2014
focus on evaluting the ontology and using it to categorize 18 Ellson, J., Gansner, E., Koutsofios, L., North, S.C., and Woodhull, G.:
incident response organizations. This work names CSIRT ‘Graphviz—open source graph drawing tools’, in Editor (Ed.)^(Eds.): ‘Book
Graphviz—open source graph drawing tools’ (Springer, 2002, edn.), pp. 483-484
processes but does not yet describe them in full detail. Future 19 Fenz, S., and Ekelhart, A.: ‘Formalizing information security knowledge’, in
work may include using existing standards, such as the Process Editor (Ed.)^(Eds.): ‘Book Formalizing information security knowledge’ (ACM,
Specific Language[27], to model the process flows for each 2009, edn.), pp. 183-194
20 Osorno, M., Laurel, M., Millar, T., Team, E.R., and Rager, D.: ‘Coordinated
service offered by a CSIRT in greater detail. We plan to Cybersecurity Incident Handling’, in Editor (Ed.)^(Eds.): ‘Book Coordinated
evaluate the ontology by using it to analyze the processes Cybersecurity Incident Handling’ (2011, edn.), pp.
performed by and services offered by incident response teams. 21 Magklaras, G., and Furnell, S.: ‘Insider threat prediction tool: Evaluating the
probability of IT misuse’, Computers & Security, 2001, 21, (1), pp. 62-73
A hypothesis we would like to test is whether there is a 22 Wang, J.A., and Guo, M.: ‘OVM: an ontology for vulnerability management’, in
difference between the functions of CSIRTs and Coordination Editor (Ed.)^(Eds.): ‘Book OVM: an ontology for vulnerability management’
(ACM, 2009, edn.), pp. 34
Centers. We are collecting data on both types of organizations 23 Chiang, T.J., Kouh, J.S., and Chang, R.-I.: ‘Ontology-based Risk Control for the
and plan to analyze it using the ontology. We also plan to Incident Management’, IJCSNS International Journal of Computer Science and
improve the ontology by adding axioms, more defined classes, Network Security, 2009, 9, (11), pp. 181-189
24 Division, O.o.C.a.C.N.C.S.: ‘Information Technology (IT) Security Essential Body
and taking more advantage of reasoning capabilities. of Knowledge (EBK): A Competency and Functional Framework for IT Security
Workforce Development’, 2007
25 Lambo, T.: ‘ISO/IEC 27001: The future of infosec certification’, ISSA Journal,
VI. ACKNOWLEDGEMENTS Information Systems Security Organization (http://www. issa. org), 2006
26 Ekelhart, A., Fenz, S., Klemen, M., and Weippl, E.: ‘Security ontologies:
This material is based upon work funded and supported by the Improving quantitative risk analysis’, in Editor (Ed.)^(Eds.): ‘Book Security
Department of Defense under Contract No. FA8721-05-C- ontologies: Improving quantitative risk analysis’ (IEEE, 2007, edn.), pp. 156a-
156a
0003 with Carnegie Mellon University for the operation of the 27 Schlenoff, C., Gruninger, M., Tissot, F., Valois, J., Lubell, J., and Lee, J.: ‘The
Software Engineering Institute, a federally funded research process specification language (PSL) overview and version 1.0 specification’
and development center. This material has been approved for (Citeseer, 2000. 2000)
public release and unlimited distribution. Carnegie
67
�APPENDIX A: AN OVERVIEW OF THE ACTIVITIES CLASS IN THE ONTOLOGY
• Incident management (IM) leaders develop trusted relationships with external groups
• Both internal and external trainers provide training to IM personnel
• internal trainers provide awareness training to partners
• IM leaders develop governance artifacts
• IM leaders perform management functions on IM personnel
• IM leaders develop planning artifacts
• IM personnel provide vulnerability remediation to constituents
• IM personnel provide incident detection to constituents
• IM personnel provide incident communication to constituents
• IM personnel provide defense hardening to constituents
• IM personnel perform triage
• incident data collectors perform incident data collection
• IT personnel restore IT components
• IT personnel validate IT components
• IM personnel coordinate analyzing lessons learned
• IM incident handlers perform incident analysis
• IM personnel perform incident resolution
• IM leaders perform management functions
• IM personnel perform incident tracking
68
�APPENDIX B: THE CLASS HIERARCHY OF THE IM ONTOLOGY
This appendix contains the class hierarchy in the Incident Management Ontology.
activities: functions performed by a CSIRT
developing-governance: establishing the operational guidelines for an organization
developing-plans: establishing and maintaining the business and operational plans for an organization
developing-policies: establishing and maintaining the policies that guide the organizational activities
developing-procedures: establishing and maintaining implementations of organizational policies
developing-processes: establishing and maintaining organizational processes
develop-data-collection-processes: establishing logs and monitoring to provide insight into incidents
developing-relationships: identifying and communicating with essential business partners
developing-external-relationships: developing relationships with external parties
developing-internal-relationships: developing relationships with internal parties
prepare-activities: activities that are typically carried out during the prepare phase of the incident life cycle
process-improvement: activity whose goal is to improve the efficiency, reproducibility, reliability, or other quality
attribute of business processes
integrating-lessons-learned: feeding the results of a postmortem review into the organization's problem-
solving process
postmortem-review: an examination of an event to discover factors that affected the quality of the
handling of the event
measuring-performance: collecting metrics that assess the quality of a process for process improvement
purposes
protect-activities: activities that are typically carried out during the protect phase of the incident life cycle
respond-activities: activities that are typically carried out during the respond phase of the incident life cycle
service-delivery: the activity of providing a service to a constituent
defense-hardening-service: assisting with improving the security defenses of a constituent
improve-defenses: hardening defenses by improving the security controls in place
remediation-service: hardening defenses by removing known vulnerabilities and risks
risk-assessment-service: hardening defenses by identifying threats
vulnerability-assessment-service: hardening defenses by identifying vulnerabilities
incident-response-service: providing assistance in responding to and recovering from incidents
evidence-collection-service: gathering and maintaining information concerning an event
diagnostic-data-collection-service: incident-data-collection to support diagnosis and
restoration activities
forensics-data-collection-service: incident-data-collection to support legal activities
incident-analysis-services: using collected data to uncover the causes and time-line of an event
artifact-analysis-service: incident analysis applied to artifacts
incident-analysis-service: general incident analysis
root-cause-analysis-service: incident analysis with the goal of determining the root
cause of an event
vulnerability-analysis-service: incident analysis applied to the vulnerability that enabled
an event
incident-detection-service: proactive steps to ensure events and incidents are discovered and
reported as soon as possible
incident-recovery-service: reactive activities with the goal of restoring an affected system to the
state before an event
system-restoration-service: restoring an affected system to the state before an event
system-validation-service: verifying that an affected system has been restored
incident-reporting-service: communicating information about an event or incident in accordance
with an incident reporting policy
monitoring-service: maintaining an automated infrastructure to detect events and report incidents
training-service: a proactive service to ensure that stakeholders have the knowledge, skills, and abilities
they need
constituent-training-service: training for constituents that helps them protect their infrastructure
staff-training-service: training for staff that helps them perform their jobs
team-training-coordination: ensuring adequate training for staff
69
� sustain-activities: activities whose goal is to prevent the CSIRT's posture from declining over time
crosscuts: constraints or principles that apply to activities
incident-communication: communicating information about the effects of a incident to staff and constituents
incident-coordination: ensuring that all IM stakeholders are with a shared plan
incident-data-collection: collection of data relevant to an incident
incident-documentation: documenting the results of incident-analysis
incident-problem-solving: using generic or specialized methods in an orderly manner to find solutions to problems
incident-resolution: an action taken to repair the root cause of an incident or to implement a workaround
incident-tracking: managing and maintaining a database of information on incidents and constituents
incident-components: the various elements that constitute the conceptual model of an event
artifacts: any entities left behind after an incident takes place; for example, malicious code or logfiles
events: any occurrences that may have negative security consequences
incidents: events that have been confirmed to have negative security consequences
root-causes: the earliest occurrence in the causal chain leading to an incident
vulnerabilities: the weaknesses in the system that were exploited by an incident
IT-components: the various elements that constitute the conceptual model of an IT system
information-system: collection of technical and human resources that provide storage, computing, and distribution
for enterprise information
network: collection of host computers together with the sub-network or inter-network through which they can
exchange data
security-tools: hardware and software that improves the security of the information-system in which they are
installed
incident-detection-tools: security-tools that perform incident-detection
av-systems: incident-detection-tools that work by analyzing virus signatures
ids-systems: incident-detection-tools that work by analyzing activity on the network
network-monitors: security-tools that work by observing network activity
knowledge-assets: the various types of documents that constitute the intellectual capital of the organization
governance-artifacts: documents that are used in the process of governing
policies: abstract documents that express decisions made by management about the running of the
organization
procedures: concrete documents that implement policies
processes: workflows that implement policies and procedures
incident-reports: documents that inform the CSIRT about events and incidents
incident-tracking-documents: case management documents that trace the progress of an event through the
incident-handling process
incident-assignments: tagging of incidents with the names of IM-personnel responsible for handling them
incident-categorization: tagging of incidents with the classification into which they fall
information: general documents that do not fall in any other category
lessons-learned: documents that capture the results of analyzing-lessons-learned
other-knowledge-assets: any information not included in other categories
planning-artifacts: abstract documents that prepare IM-personnel for incident response
incident-response-plans: planning-artifacts that reflect decisions made about incident-response within the
organization
incident-response-strategies: technical documents that guide IM-personnel in responding to incidents
training-materials: documents that are used to provide training
life-cycle-phase: the temporal periods into which incident response is divided
prepare-phase: educating personnel and providing them with the tools needed to perform their jobs
protect-phase: applying controls and otherwise hardening the infrastructure to resist attack
respond-phase: detecting, analyzing, and recovering from incidents
sustain-phase: ensuring that the capability of the CSIRT does not degrade over time
organizational-groups: stakeholders in the incident management process
external-groups: stakeholders not within the administrative boundaries of the organization
external-csirts: incident management teams outside the boundaries of the organization
external-trainers: educational personnel outside the organization
law-enforcement-agencies: external groups performing law enforcement functions
other-external-groups: any other external group
partners: groups or sets of individuals with close relationships to the organization
70
� constituents: the groups or sets of individuals for whom incident management is being performed
staff: stakeholders contained within administrative boundaries of the organization
IM-personnel: groups or sets of individuals tasked with performing incident management
IM-incident-handlers: individuals responsible for responding to and recovering from incidents
IM-forensics-analyst: an IM-incident-analyst specializing in analysis for legal purposes
IM-incident-analyst: an IM-incident-handler specializing in the analysis of incident-
components
IM-malware-analyst: an IM-incident-analyst specializing in reverse engineering
IM-leaders: individuals responsible for leading the incident management personnel
incident-data-collectors: individuals responsible for collecting data about incidents
diagnostic-data-collectors: incident-data-collectors that collect data for diagnostic purposes
forensic-data-collectors: incident-data-collectors that collect data for forensic purposes
internal-trainers: educational personnel within the organization
IT-personnel: members of the it staff that carry out security functions such as infrastructure hardening
management: individuals responsible for governing
line-management: managers at the low end of the chain of command
mid-level-management: managers in the middle of the chain of command
senior-management: managers at the high end of the chain of command
risk-assessors: individuals responsible for assessing risks to the organization
vulnerability-assessors: individuals responsible for identifying vulnerabilities in the organization's
infrastructure
quality-standards: normative requirements for ensuring the high quality of the CSIRT's activities
document-management-standards: standards that constrain the way information is handled within the organization
appropriately-dissemination-standards: standards that govern the provision of information to the
appropriate audiences
confidentiality-preserving-standards: standards that govern how information is withheld from
inappropriate audiences
forensic-standards: quality standards that ensure the admissibility of the analysis in a court of law
preserving-chain-of-custody: documenting that there has been no opportunity for forensic evidence to be
tampered with
other-quality-standards: quality standards not included in other categories
relationships: connections between individuals or groups of individuals
trusted-relationship: relationships among entities that are willing to share confidential data
untrusted-relationship: relationships among entities that are willing to share confidential data
team-resources: anything needed for the CSIRT activities or the operations of IM-personnel
funding: financial resources necessary for the operations of IM-personnel
IT-infrastructure: information security assets necessary for the operations of IM-personnel
staffing: human resources necessary to ensure the operations of IM-personnel
71
�