The National Institute of Standards and Technology (NIST) released the Computer Security Incident Handling Guide, SP 800-61 Revision 2, in August 2012.
The guide organizes incident handling activities around the four phases of the incident response life cycle shown in the diagram above. The table below provides the first level of detail under each phase.
Preparation
- Response Team Communications & Facilities
- Analysis Tools: Hardware & Software
- Analysis Resources: Hardware & Software Inventory
- Incident Mitigation Software: OS Images for recovery

Detection & Analysis
- Attack Vectors
- Signs of an Incident
- Sources: Alerts & Logs
- Sources: People & Public Information
- Incident Analysis
- Profiles & Norms
- Event Correlation
- Internet search tools
- Packet Sniffers
- Third Party Resources
- Incident Documentation
- Incident Prioritization
- Incident Notification

Containment, Eradication, & Recovery
- Select a Containment Strategy
- Gather & Handle Evidence
- Identify Source of Attack
- Eradicate the Intruder & Recover the Assets

Post-Incident Activity
- Lessons Learned
- Analyze Collected Incident Data
- Retain Evidence as Appropriate
The above activities represent a useful checklist for evaluating an incident response plan as well as incident handling in action.
Recognize, of course, that the response to an incident is fluid, often with unclear boundaries between phases. Containment may start in the early stages of analysis, prioritization may change, and notification may continue throughout the incident. Still, the insight provided by the NIST publication is useful well beyond the Federal agencies it was written for.