A new report prepared by CERT Polska was published by ENISA (European Network and Information Security Agency) today: “Actionable Information for Security Incident Response”. This publication is aimed at members of incident response teams and everyone who collects, analyzes and shares security-related information.
Exchange of information can be an important factor in improving security in any organization, from small companies to large governmental infrastructures. Data obtained from external sources makes it possible to identify infected machines inside corporate networks, apply software patches in a timely manner, or mitigate a variety of other threats. However, despite the increasing number of organizations that collect and exchange information, effective use of the available information remains a challenge.
In our opinion, these problems were not sufficiently explored by existing publications, so the main goal of the report is to comprehensively present all important aspects of the information processing performed by incident handling teams. In this context, we investigate how various types of security-related information can be made “actionable”, i.e. how data can be used as a basis for decisions that prevent or eliminate threats.
The report identifies a set of five key properties of information that determine whether it is actionable: relevance, timeliness, accuracy, completeness, and ingestibility. It also introduces the information processing pipeline, a generalized model that can be used to describe various aspects of data processing. The model consists of five stages – collection, preparation, storage, analysis, and distribution – which are discussed in detail with specific examples. In the document, we identify important gaps in the processing of actionable information and provide relevant recommendations that address these issues both at a high level and in concrete implementations.
The report contains three detailed case studies covering various aspects of handling actionable information by incident handling teams: application of indicators for defensive purposes in the face of a targeted attack, monitoring botnet activity on a large scale, and effective distribution of security data at a national level. These case studies are expanded in a hands-on exercise that covers a concrete information processing and sharing scenario. Additionally, an inventory of 53 information sharing standards and 16 information management tools relevant to the concept of actionable information was published as an accompanying document, titled “Standards and tools for exchange and processing of actionable information”.
We hope that this study will help CERTs and the information security community in general to better understand the issues involved in the creation, sharing, and processing of actionable information, as well as aid the development of tools in this area.
You can download the report by using the following links:
We would like to recognize Andrew Kompanek (CERT/CC) for comments and suggestions that allowed us to improve all aspects of the report.