Incident Response Trends for 2011: Interview with Georgia Killcrece of SEI's CERT Program, Part 1 of 2
It's no longer how you respond to a security incident that counts; it's how you manage it.

In the first part of a two-part discussion of incident response trends for 2011, Georgia Killcrece of the CERT Program at the Software Engineering Institute discusses:

  • What "incident response" truly means today;
  • Top incident management trends as we head into 2011.

"As long as there are computers that are not fully attached, there will be miscreants to find and use those systems to further their own attack," Killcrece says. "So my prediction is that we will continue to see targeted attacks against financial organizations or control systems, or attacks against widely used programs and applications such as the web or social networking, or whatever the next new technology is that gets promoted and comes into the community in widespread use."

The keys to success in managing these risks, she says, are incident response, handling and management - all of which she defines in this interview.

In part two of this discussion, Killcrece talks about career opportunities in incident response.

Killcrece is currently a Member of the Technical Staff in the Enterprise Threat and Vulnerability Management Team within the CERT Program at the Software Engineering Institute (SEI).

She takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide and has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. Her team is involved in developing products aimed at evaluating CSIRT capabilities that can be transitioned to the global incident response community.

TOM FIELD: Well, Georgia, just to help us out here, why don't you tell us a little bit about your role at the Software Engineering Institute.

GEORGIA KILLCRECE: Okay, sure. I have worked in the CERT program since 1989. Back then I was involved in helping to build and develop the CERT CC, as we called it back then, as well as serving in a number of roles in the program. For example, I was an incident response coordinator for a while. I was also involved in training as a developer of courses, including as an instructor. And for the last 10 years or so, I managed the team. I led the team within the CERT program called the CSIRT development team. That was a team that focused on helping other organizations build their incident management capability.

Defining Incident Response

FIELD: Let's talk about incident response. I mean, you certainly have some experience here. What does the term mean today versus how we looked at it in previous years?

KILLCRECE: Okay, well, first, the term "incident response" is still commonly used today, but often it really means more than just response. In the early days, most of the activities that we were involved in were typically reactive, so they were focused on incident response. Today we actually like to use an expanded terminology that more fully captures the intent, and those terms are incident handling and incident management. So let me describe the differences between those three terms.

Incident response is the last part of an incident handling process, and it actually comes down to the resolution of incident and core event. So, from a historic perspective, incident response is just that -- responding to an incident once it happened or it was detected; you reacted to the situation. But looking only at the response part of the process misses the key action. So, possibly delaying actions due to confusion in roles and responsibilities that people may have, ownership of the data incident systems, and even the authority to take an action. And furthermore, response can also be delayed because of communication problems: not knowing whom to contact, not having the right contact information readily available. And incident response can be ineffective because of the poor quality of the information about the events or the incident itself. So, any impact on response timeliness and quality of information during an incident can cause further damage to critical assets. So that is the reactive incident response piece.

When we talk about incident handling, we talk about that encompassing all the processes that are involved and the tasks that are associated with handling events or incidents, and this includes things like testing and reporting activity, which may be events or even just network interruptions. So that handling part also includes triaging events and incidents to categorize and prioritize them, then analyzing what has happened to ultimately get to the point of what is the appropriate action to take. So, all of those we consider part of an incident handling process.

In our early years at the CERT program, for example, we were very reactive. We received mail, we answered the phones, and we provided information to help the recipient respond. Many teams that we see today start out that way. They are very reactive in their approaches. So, even in our early days we recognized and realized that we had to get out of this reactive mode. We had to find better ways to get ahead of that curve and not just be in this continuous reactive-type goal.

Now we move to the notion of incident management, which encompasses a much broader, more enterprise-wide set of processes for providing that end-to-end management of computer security events and incidents. This encompasses not only the reactive piece of it, but that planning and that preparation for ways to handle events in a very well thought out process, a very well thought out way, by ensuring that you have staff who are appropriately trained; that you have the equipment and infrastructure in place with appropriate defensive measures such as your IDS and firewalls, and AV, etc.; and that these are installed and that they are functioning the way that you think they are. So that when an event happens, these tools are then used to help identify, to analyze, to block, contain, or even to eradicate that malicious activity. Incident management ensures that the incident handling processes are developed and that they are institutionalized across the organization, so everyone knows what their role is: your staff, your business partners, your customers, whatever. And incident management also takes into consideration that the lessons that you learn from handling a previous incident are reviewed and then incorporated into the process for that continual improvement.

Top Trends for 2011

FIELD: Given the evolution of how we approach incident response, what do you see being the top trends as we are going into the New Year?

KILLCRECE: I see some of the top trends this way. There is an old adage that says, "It's not if an incident will occur, but when." So, what we see is that those organizations that are better prepared are much more readily able to adapt and to be responsive. So the best situation is to avoid an incident in the first place, but if you can't, then being better able to handle and manage the incidents when they do occur, to quickly get back to business, is a much better approach. So while we are trying to get ahead of this curve and trying to protect our systems, we know that the miscreants are always out there looking for the next way to attack, and the next more complex way to attack our systems.

So back in the '90s we saw the single-threat script kiddie attack. Over the years, we saw that morph into very large scale targeted attacks using complex tool kits that chain together a series of malicious code and exploits, and use command and control functionalities to launch widespread attacks. We still see those types of attacks today in the botnet and other malware tradecraft.

Going into 2011, there is no reason to think that is going to change. It's not hard to imagine that the tools being used by the miscreants today will be further adapted and will continue to evolve and continue to use even more complex and robust tool kits that seek to avoid detection or seek to bypass controls that we put in place.

Certainly, as long as there are computers that are not fully attached, there will be miscreants to find and use those systems to further their own attack. So my prediction is that we will continue to see targeted attacks against financial organizations or control systems, or attacks against widely-used programs and applications such as the web or social networking, or whatever the next new technology is that gets promoted and comes into the community in widespread use. Certainly, wherever there are unattached systems we'll continue to see attackers go against those systems. I think we'll continue to see attacks launched for financial gain or money laundering or political motivation for economic reasons. In these troubling times economically, I think we'll begin to see more and more insider attacks that stem from employees who are not so happy or satisfied anymore. So things that stem from downsizing or resizing or rightsizing. So I think some of those will continue to be.

Some of the other things that I think continue to grow over time are the, let's call it the professionalism of the attack tools, using software development and life cycle principles. We've certainly seen tools that come with patches and updates and subscription fees to get the latest and greatest updates to those tools. We have a community of miscreants who are developing tools to be used much more easily by the less technically savvy attackers.

Then I think another trend we'll continue to see going into next year is more social engineering attacks. They'll continue, because they work. We'll continue to see more attacks taking advantage of the trust relationship that people have between their friends, their colleagues, etc. And I think smartphones and other mobile devices will continue to be a rich environment for attackers to find ways to deploy.

FIELD: This concludes Part 1 of our two-part discussion on Incident Response. In Part 2, we'll talk about careers in incident response including the top skills needed and where one goes to develop these skills.
