
1.1. Incident Response: Lesson


Student Handbook – Security Analyst SSC/N0902

Lesson

1.1. Incident Response

An incident is a set of one or more security events or conditions that requires action and closure
in order to maintain an acceptable risk profile.

Incidents
In the haystack of events, organizations must find the "needles" that are the security incidents. Events
are isolated and disconnected, but incidents add the context that enables security administrators to
gain understanding and take action.

An incident can thus be defined as a set of events or conditions requiring response and closure.
Incidents comprise not only the significant threats that jeopardize the business and require
intervention; they also include more mundane situations that occur on a daily basis and only threaten
the business if no action is taken. Examples of these routine situations include “low and slow” port
scans and some varieties of email worms. Most organizations face thousands of instances of the latter
types of threats, together with higher-profile blended threats like Code Red, Nimda, and Klez.

Besides attacks, known system vulnerabilities or discovered policy violations are also incidents that
require a response in order to protect the business. When related events (e.g. attacks, vulnerabilities,
and policy violations) are viewed together, the true nature (or type) of the incident becomes evident.

Introduction to Incident Handling and Response

Computer or information security incident response has become an important component of
information technology (IT) security programs. An incident response capability is therefore necessary
for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were
exploited and restoring IT services.

Different types of information security incidents arise from attack vectors such as:

 Peripheral devices such as external/removable media
 Attrition (brute force methods that compromise, degrade, or destroy systems, networks or services)
 Websites or web-based applications
 Email messages or attachments
 Improper usage: violation of an organization’s acceptable use policies by an authorized user
 Loss or theft of equipment
 Other factors


Incidents can be classified into:


• Malicious code
• Network reconnaissance
• Unauthorized access
• Inappropriate usage
• Multiple component

These are explained in Unit IV and V.

Impact of information security incidents:

• Functional impact (current and likely future negative impact to business functions)
• Information impact (effect on the confidentiality, integrity, and availability of the
organization’s information)
• Recoverability from the incident (time and types of resources that must be spent
on recovering from the incident)

Organizations prioritize information security incidents based on the weights they give to each of the
above categories for a particular incident. For example, an organization that deals with massive
amounts of personally identifiable information (PII) might weight information impact more heavily than
recoverability impact, while an emergency response agency might prioritize functional impact to
ensure the continued delivery of emergency services.
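As an added illustration that is not part of the handbook, the following Python example scores a constructed incident queue under two weight profiles, one for a PII-heavy organization and one for an emergency response agency, and shows that the same incidents come out in a different order. The rating scales are assumed from NIST SP 800-61 rev. 2 (listed in this unit's references); the weights, profile names and incidents are constructed.

```python
"""Prioritize incidents by weighted functional, information and recoverability impact.

Rating scales follow NIST SP 800-61 rev. 2 (assumption: the handbook names the
categories but not the scales); weight profiles and the queue are constructed.
"""
from dataclasses import dataclass

# Ordinal ratings for the three impact categories (higher is worse).
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy breach": 1, "proprietary breach": 2, "integrity loss": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not recoverable": 3}


@dataclass(frozen=True)
class Incident:
    name: str
    functional: str
    information: str
    recoverability: str


# Constructed weight profiles: (functional, information, recoverability).
PROFILES = {
    "pii_processor": (1.0, 3.0, 1.0),     # weights information impact heavily
    "emergency_agency": (3.0, 1.0, 1.0),  # weights functional impact heavily
}


def score(inc: Incident, profile: str) -> float:
    """Weighted sum of the three category ratings for one organization profile."""
    wf, wi, wr = PROFILES[profile]
    return (wf * FUNCTIONAL[inc.functional]
            + wi * INFORMATION[inc.information]
            + wr * RECOVERABILITY[inc.recoverability])


def prioritize(incidents, profile: str):
    """Return incident names, highest weighted score first (stable for ties)."""
    return [i.name for i in sorted(incidents, key=lambda i: score(i, profile), reverse=True)]


# Constructed incident queue.
QUEUE = [
    Incident("pii-exfil", functional="low", information="privacy breach", recoverability="supplemented"),
    Incident("dispatch-outage", functional="high", information="none", recoverability="supplemented"),
    Incident("worm-on-lab-hosts", functional="low", information="none", recoverability="regular"),
]

if __name__ == "__main__":
    for profile in PROFILES:
        print(profile, prioritize(QUEUE, profile))
```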

Need for incident response

 to respond quickly and effectively when security breaches occur.
 to be able to use information gained during incident handling to better prepare for handling future
incidents.
 to provide stronger protection for systems and data.
 to help deal properly with legal issues that may arise during incidents.
 to comply with law, regulations, and policy directing a coordinated, effective defense against
information security threats.

Goals of incident response

 a formal, focused, and coordinated approach to responding to incidents.
 adhere to the organization’s mission, size, structure, and functions.
 formulate policies, plans, and procedures to counter adverse events.
 provide stronger protection for systems and data.
 minimize loss or theft of information and disruption of services.
 respond quickly and effectively when security breaches occur.

How to identify an incident

 incident analysis hardware and software to identify an incident.
 appropriate incident handling communication means and facilities.
 incident analysis resources to identify an incident.
 incident mitigation software to identify an incident.
 different response strategies to identify incidents through attack vectors, such as external/
removable media, attrition, web, email, impersonation, improper usage by the organization’s
authorized users, loss or theft of equipment, and others beyond the scope of those listed above.

Signs of security incident

Two main types of signs of an incident are:


• Precursors: a sign that an incident may occur in the future.
• Indicator: a sign that an incident may have occurred or may be occurring now.

Some of the common signs of a security incident are:

 web server log entries that show the usage of a vulnerability scanner.
 announcement of a new exploit that targets a vulnerability of the organization’s mail server.
 threat from a group stating that it will attack the organization.
 network intrusion detection sensor alerts when a buffer overflow attempt occurs against a
database server.
 antivirus software alerts when it detects that a host is infected with malware.
 system administrator sees a file name with unusual characters.
 host records an auditing configuration change in its log.
 application logs multiple failed login attempts from an unfamiliar remote system.
 email administrator sees a large number of bounced emails with suspicious content.
 network administrator notices an unusual deviation from typical network traffic flows.
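The following Python example, added here and not part of the handbook, applies several of the signs above to constructed web server and authentication log lines: it reports vulnerability scanner user agents as precursors, and repeated failed logins from an unfamiliar remote system and an auditing configuration change as indicators. The log formats, scanner names, internal address prefixes and failure threshold are assumptions.

```python
"""Classify constructed log lines into incident precursors and indicators."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: combined-format web server access log lines.
WEB_LOG = """\
203.0.113.9 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:01:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "Nikto/2.1.6"
203.0.113.9 - - [12/Mar/2024:10:01:04 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Nikto/2.1.6"
198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Constructed sample: application authentication and host audit log lines.
AUTH_LOG = """\
2024-03-12T10:05:01Z auth user=alice src=10.0.0.15 result=FAIL
2024-03-12T10:05:02Z auth user=alice src=10.0.0.15 result=OK
2024-03-12T10:06:10Z auth user=admin src=192.0.2.77 result=FAIL
2024-03-12T10:06:11Z auth user=admin src=192.0.2.77 result=FAIL
2024-03-12T10:06:12Z auth user=admin src=192.0.2.77 result=FAIL
2024-03-12T10:06:13Z auth user=root src=192.0.2.77 result=FAIL
2024-03-12T10:07:00Z audit src=10.0.0.2 event=auditd_config_changed by=svc-backup
"""

# Baseline knowledge the analyst brings (assumed values): familiar networks,
# known scanner user-agent fragments, and the failed-login threshold.
KNOWN_INTERNAL_PREFIXES = ("10.", "192.168.")
SCANNER_AGENTS = ("nikto", "sqlmap", "nessus", "openvas", "nmap")
FAILED_LOGIN_THRESHOLD = 3


@dataclass(frozen=True)
class Sign:
    kind: str    # "precursor" (may occur) or "indicator" (may be occurring)
    source: str  # which log the sign came from
    detail: str


WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
AUTH_RE = re.compile(r'^(?P<ts>\S+) (?P<facility>\w+) (?P<kv>.*)$')


def parse_kv(text: str) -> dict:
    """Turn 'k=v k2=v2' into a dict."""
    return dict(part.split("=", 1) for part in text.split() if "=" in part)


def scan_web_log(text: str):
    """Scanner use is a precursor: an attack on the scanned service may follow."""
    seen, signs = set(), []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ua, ip = m.group("ua"), m.group("ip")
        if any(s in ua.lower() for s in SCANNER_AGENTS) and ip not in seen:
            seen.add(ip)
            signs.append(Sign("precursor", "web", f"vulnerability scanner {ua} from {ip}"))
    return signs


def scan_auth_log(text: str):
    """Failed logins from an unfamiliar host and audit-config changes are indicators."""
    failures, signs = Counter(), []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        kv = parse_kv(m.group("kv"))
        src = kv.get("src", "")
        if m.group("facility") == "auth" and kv.get("result") == "FAIL":
            if not src.startswith(KNOWN_INTERNAL_PREFIXES):
                failures[src] += 1
                if failures[src] == FAILED_LOGIN_THRESHOLD:  # report once per host
                    signs.append(Sign("indicator", "auth",
                                      f"{FAILED_LOGIN_THRESHOLD}+ failed logins from unfamiliar host {src}"))
        elif m.group("facility") == "audit" and kv.get("event") == "auditd_config_changed":
            signs.append(Sign("indicator", "audit",
                              f"auditing configuration changed on {src} by {kv.get('by')}"))
    return signs


def find_signs(web_log: str = WEB_LOG, auth_log: str = AUTH_LOG):
    """Run both scanners over the logs and return the signs in log order."""
    return scan_web_log(web_log) + scan_auth_log(auth_log)


if __name__ == "__main__":
    for s in find_signs():
        print(f"[{s.kind}] ({s.source}) {s.detail}")
```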

Incident Information

One can get information about incidents from various sources:

 Alerts: reviewing alerts based on supporting data from sources such as Intrusion Detection and
Prevention Systems (IDPS); Security Information and Event Management (SIEM) alerts;
Antivirus and anti-spam software; file integrity checking software; third-party monitoring
services etc.
 Logs: analyzing logs from sources such as operating system, service and application logs and
network device logs in correlation with event information.
 Network flow: using routers and other networking devices to provide information and locate
anomalous network activity caused by malware, data exfiltration and other malicious acts.
 Publicly Available Information: updating and integrating new vulnerabilities and exploits
published by authorized agencies such as National Vulnerability Database (NVD).
 People: validating reports registered by users, system administrators, network administrators,
security staff, other people within the organization and reports originating from external
sources or parties.

1.2 Handling Different Types of Information Security Incidents

Handling incidents
There are five important incident handling phases:
 Preparation: establishing and training an incident response team, and acquiring the necessary
tools and resources.
 Detection and analysis: detecting security breaches and alerting the organization during any
imminent attack.
 Containment: mitigating the impact of the incident by containing it.
 Eradication and recovery: repeating the detection and analysis cycle as needed to eradicate the
incident and ultimately initiate recovery.
 Post-incident activity: preparing a detailed report of the cause and cost of the incident and future
preventive measures against similar attacks.

This is similar to the tasks contained within incident management plans:

• identify
• contain
• cleanse
• recover
• close

Organizations should have a plan to respond to various types of incidents detailing various aspects of
incident handling including the above.

Incident response plan

Incident Response Plan is an organization’s foundation to a formal, focused and coordinated approach
for incident response.

Purpose of incident response plan

The objective of instituting an incident response plan is to provide the roadmap for implementing the
incident response capability. The incident response plan acts as a defence mechanism against
hackers, malware, human error and a series of other security threats.

Requirements of incident response plan

An incident response plan provides the structure for building an organization’s incident response
capability. Emphasis on computing security policies and practices is a main objective of most
organizations’ overall risk management strategies. Elements that are recommended as important to an
incident response plan are:

 organization’s mission towards the plan
 organization’s strategies and goals to determine the structure of incident response capability
 senior management approval in the structuring of the proposed plan
 organizational approach to incident response
 incident response team’s communication with the rest of the organization and with other
organizations
 metrics for measuring the incident response capability and its effectiveness
 roadmap for maturing the incident response capability (regular reviews, audits and tests etc.)
 how the program fits into the overall organization

Incident response plan checklist

Developing an incident response plan checklist can minimize the threat of security breaches in the form
of attacks on websites and servers, inadvertent leakage of shared sensitive data etc. Instituting a
structure that ensures the latest developments are captured, understood, evaluated as threats to the
business, documented and distributed will help ensure an effective incident response. An incident
response plan checklist should be an amalgamation of the following key practices:

 provide a roadmap for implementing an incident response program based on the organization’s
policy.
 organize both short and long-term program goals, including metrics for measuring the program.
 highlight incident handlers’ training needs and other technical requirements.
 ensure existing and new cyber technologies are adequately addressed in policies and procedures.
 conduct regular reviews, audits and tests to protect against security breaches.
 classify business data in order of its sensitivity and security requirements.
 select an appropriate incident response team structure.
 comply with security-related incident regulations and law enforcement procedures.

1.3 Preparation for Incident Response and Handling

 Create a core team

Integrity of business security demands the presence of an effective incident response team, and this
can be achieved through the selection of an appropriate structure and staffing model. Typically, a
designated incident response team or personnel function as the first point of contact (POC) in a
situation involving a security breach in an organization. The incident handlers may then analyse the
incident data, determine the impact of the incident, and act appropriately to limit the damage and
restore normal services. The incident response team’s success depends on the participation and
cooperation of individuals throughout the organization. Therefore, an organization must create a core
team, identify suitable individuals, discuss incident response team models, and provide advice on
selecting an appropriate model.

The team may be based on one of the following models:

 Central Security Incident Response team: a functional model for small organizations with
limited or no geographic presence wherein a single incident response team handles core
security computing.
 Distributed Security Incident Response team: this model is effective for large organizations
(e.g. one team per division) and for organizations with major computing resources at distant
locations (e.g. one team per geographic region, one team per major facility).
 Coordinating team: an incident response team provides advice to other teams without having
authority over those teams. For example, a department-wise team may assist individual
agencies’ teams; it is essentially modelled as a CSIRT for CSIRTs.

 Create tool kit, systems and instrumentation: a jumpkit is a portable case instrumental to incident
response teams and it contains items such as a laptop, appropriate software such as packet sniffers
and digital forensics tools, backup devices, blank media etc.

Listed below is a range of tool kits, systems and instrumentation that may be useful in an
incident response:

 Incident handler communications and facilities: these may include contact information of team
members and others within the organization and external, on-call information matrix, incident
reporting mechanisms such as phone numbers, email addresses, online forms, etc. Incident
tracking systems; smartphones for round-the-clock communication; use of encryption software
for internal team members; security materials storage facility etc.
 Incident analysis hardware and software: digital forensic workstations and/ or backup devices to
create disk images, preserve log files and save other relevant incident data etc. Laptops; spare
workstations; servers; networking equipment or the virtualized equivalents for storing and trying
out malware; blank removable media; packet sniffers and protocol analyzers; digital forensic
software; evidence gathering accessories such as digital cameras, audio recorders, chain of
custody forms etc.
 Incident analysis resources: port lists, including commonly used ports and Trojan horse ports;
documentation for OSs, applications, protocols etc. Network diagrams and lists of critical assets
such as database servers; current baselines of expected network, system and application activity;
cryptographic hashes of critical files to speed incident analysis, verification and eradication.
 Incident mitigation software: access to images of clean OS and application installations for
restoration and recovery purposes.

Table-Top Exercise for Incident Response (IR) for XYZ Organization:

IR Lifecycle Stage / Summary of Incident Activities

Preparation
 Provide training and awareness for all individuals in recognizing anomalous behavior and
specific reporting requirements for suspected breaches of an
 Gather contact information for incident handlers.
 Gather hardware and software needed for technical analysis; and
 Perform evaluations, such as tabletop exercises, of the IR capability.

Detection and Analysis
 Monitor information system protection mechanisms and system logs.
 Investigate reports of suspected XYZ breaches from agency individuals.
 Notify Security Director and the System Administrator immediately, but no later than 24 hours
after identification of a possible issue involving XYZ asset information.

Containment
 Choose and implement a strategy for preventing further information loss based on level of risk to
information.
 Gather and preserve technical evidence, if applicable.

Eradication
 Eliminate components of the incident, such as deleting malicious code and disabling breached
user accounts, if applicable.

Recovery
 Restore systems via appropriate technical actions such as: restoring from clean backups,
rebuilding systems from scratch, replacing compromised files with clean versions, installing
patches, changing passwords, and tightening network perimeter security.

Sample Incident Response Evaluation Scenarios

XYZ Breach Scenarios
 Through a routine evaluation of system logs, a system administrator discovers that XYZ’s data
has been exfiltrated from the system by an unauthorized user account.
 A remote user has lost his/her laptop. The user’s job function required that XYZ’s
information be stored on the laptop.
 After a recent office move, it is discovered that a locked cabinet containing XYZ’s information is
missing.

Tabletop Exercise Objectives (for each scenario)
 Determine the actions that would help prevent this type of incident (preparation).
 Determine the controls in place that would help identify this incident, along with procedures on
how to report the incident (detection and analysis).
 How to prevent further damage (containment).
 How to clean the system (eradication).
 How to restore the system in a secure manner (recovery).


Summary
 An incident is a set of one or more security events or conditions that requires action and closure
in order to maintain an acceptable risk profile.
 These can be classified into:
o Malicious code incidents
o Network reconnaissance incidents
o Unauthorised access incidents
o Inappropriate usage incidents
o Multiple component incidents
 Impact of information security incidents can be classified into:
o Functional impact
o Information impact
o Recoverability from the incident
 Signs of security incident: Two main types of signs of an incident are:
o Precursors: It is technically a sign that an incident may occur in the future.
o Indicator: A sign that an incident may have occurred or may be occurring now.
 There are five important incident handling phases:
o Preparation
o Detection and analysis
o Containment
o Eradication and recovery
o Post-incident activity
 Incident Response Plan is an organization’s foundation to a formal, focused and coordinated
approach for incident response.
 Central Incident Response team: a functional model for small organizations with limited or no
geographic presence wherein a single incident response team handles core security computing.
 Distributed Incident Response team: this model is effective for large organizations (e.g. one
team per division) and for organizations with major computing resources at distant locations
(e.g. one team per geographic region, one team per major facility).
 A jumpkit is a portable case instrumental to incident response teams and it contains items such
as laptop, appropriate software such as packet sniffers, digital forensics, back up devices, blank
media etc.


Practical activities:

Activity 1:

Collate information on various types of information security incidents from the internet
and populate the various categories of incidents mentioned in the unit with examples
of each. Present a few details of these incidents, if possible.

Activity 2:

Visit various company sites, and find out their incident response plans and list out
various components of it.

Activity 3:

Work in a group to create an incident response plan for the training institute and
modify it as you progress through this module.

Check your understanding:


Q. The two signs of an incident are?

a. ________________________________________

b. ________________________________________
Q. A portable case instrumental to incident response teams and it contains items such as laptop,
appropriate software such as packet sniffers, digital forensics, back up devices, blank media etc. is
known as a ________________

Q. What are the goals of Incident Response? List at least three.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. List at least three common signs of a security incident.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. List the five incident handling stages.

__________________________________________________________________________________

__________________________________________________________________________________


__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. Which of the following is not a category of security incidents? Mark all that apply.
a) Malicious code
b) Network usage
c) CSIRT
d) Inappropriate usage
e) Precursor
f) Multiple component



UNIT II
Incident Response
- Roles and Responsibilities

This unit covers:

 Lesson Plan
 2.1. Incident Response Team
 2.2. Incident Response Team Dependencies

Lesson Plan

Performance Outcomes
To be competent, you must be able to:
PC1. establish your role and responsibilities in co-ordinating responses to information security
incidents.
PC4. assign information security incidents promptly to appropriate people for investigation/action.
PC5. liaise with stakeholders to gather, validate and provide information related to information
security incidents, where required.
PC10. obtain advice and guidance on co-ordinating information security incidents from appropriate
people, where required.

Ensuring Measures
1. Identify and access sources for standard checklists, guidelines and templates for carrying out
different types of audits.

Work Environment/Lab Requirement
 PCs/tablets/laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)

Knowledge and Understanding
You need to know and understand:
KA4. limits of your role and responsibilities and who to seek guidance from where required.
KA6. who to involve when investigating and co-ordinating responses to information security incidents
and how to contact them.
KA11. how to assign and escalate information on information security incidents.
KA12. different methods and techniques used when working with others.
KB5. common issues and incidents of information security that may require action and whom to
report these to.
KB6. how to obtain and validate the latest information related to information security issues.
KB7. how to prepare and submit information security reports and whom to share these with.

Ensuring Measures
KA4. Peer group, faculty group and industry experts.
KA6. Performance evaluation from faculty and industry with reward points.
KA11. Online exam and reward points based on reviews from the forums.
KA12. Faculty and peer review.
KB5, KB6, KB7. Going through the security standards over the internet by visiting sites like ISO,
PCI DSS etc. and understanding various methodologies and usage of algorithms. Learn about the CIA
triad relating to threats and vulnerabilities.

Work Environment/Lab Requirement
 PCs/tablets/laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
 Security Templates from ITIL & ISO


Lesson

2.1 Incident Response Team


Incident response team members

A single employee, with one or more designated alternates, should be in charge of incident response.
In a fully outsourced model, this person oversees and evaluates the outsourcer’s work. All other
models generally have a team manager and one or more deputies who assume authority in the
absence of the team manager. Every team member should have good problem solving skills and
critical thinking abilities.

Incident response team: roles and responsibilities

An incident response team member should possess technical skills, such as system administration,
network administration, programming, technical support or intrusion detection. An incident
response team should be a combination of skilled members in the area of technology (e.g. operating
systems and applications) and other technical areas such as network intrusion detection, malware
analysis or forensics.

Roles and responsibilities

A team member in an incident response unit is expected to have a basic understanding of the
technologies used and their applications. The individual should be capable of understanding and
handling the following aspects of security incidents:

 the type of incident activity that is being reported or seen by the community.
 the way in which incident response team services are being provided (the level and
depth of technical assistance provided to the constituency).
 the responses that are appropriate for the team (e.g. what policies and procedures or
other regulations must be considered or followed while undertaking the response).
 the level of authority the incident response team has in taking any specific actions when
applying technical solutions to an incident reported to the incident response team.

Developing skills in incident response personnel

 maintain, enhance and expand proficiency in technical areas and security disciplines as well as
less technical topics such as the legal aspects of incident response.
 incentivize participation in staff conferences.
 promote deeper technical understanding.
 engage external technical knowledge facilitator with deep technical knowledge in needed areas
to impart learning and development.
 provide opportunities to perform other tasks in non-functional areas.
 rotate staffing of members across functions to gain new technical skills.


 create a mentoring program to enable senior technical staff to help less experienced staff learn
incident handling.
 develop incident handling scenarios and conduct team discussions.

Incident response team structure

After successfully selecting a functional core team, team members should be further integrated into
an appropriate staffing model based on the magnitude of incident response and the size of the
organization. The three types of staffing methods are:

 In house employees
 Partially outsourced
 Fully outsourced

An organization must consider the following factors before selecting an appropriate incident
response team structure:

 The need for 24/7 availability: real-time availability is considered one of the best incident
response options because the longer an incident lasts, the more potential there is for
damage and loss.
 Full-time versus part-time team members: organizations with limited funding, staffing or
incident response needs may have only part-time incident response team members, serving
as more of a virtual incident response team. An existing group such as the IT help desk can
act as a first POC for incident reporting and perform initial investigation and data collection.
 Employee morale: segregate administrative work and core incident response to minimize
stress on employees and to help boost morale.
 Cost: provide sufficient funding for training and skills development of incident response
team members, since the work demands broad knowledge of IT.
 Staff expertise: incident handling requires specialized knowledge and experience in several
technical areas. The breadth and depth of knowledge required varies based on the severity
of the organization’s risks.

Outsourced
 In the case of outsourced work, the organization must consider not only the current quality
(breadth and depth) of the outsourcer’s work, but also efforts to ensure the quality of future
work.
 Document the line of work or authority of outsourced incident response work appropriately and
ensure actions for these decision points are handled.
 Divide incident response responsibilities and restrict access to sensitive information.
 Provide regularly updated documents that define what incidents the outsourcer is concerned
about.
 Create correlation among multiple data sources.
 Maintain basic incident response skills in-house.


2.2 Incident Response Team Dependencies

It is important to identify other groups within the organization and rely on the expertise, judgment,
and abilities of others, including: management, which establishes response policy, budget and
staffing; information security staff members during certain stages of incident handling (prevention,
containment, eradication, and recovery); IT technical experts (system and network administrators);
legal departments to review plans, policies, documents etc.; public affairs; media relations; human
resources; business continuity planning; and physical security and facilities management.

Different methods and techniques used when working with others

Incident response team services

The main focus of an incident response team is performing incident response; however, it may also
undertake the provision of the following services:
 Intrusion detection: the incident response team analyzes incidents more quickly and accurately,
based on the knowledge it gains of intrusion detection technologies.
 Advisory distribution: the team may also issue advisories within the organization
regarding new vulnerabilities and threats through automated methods.
 Education and awareness: promote education and awareness so that users and technical staff
know about detecting, reporting and responding to incidents, through means such as
workshops, websites, newsletters, posters and stickers on monitors and laptops.
 Information sharing: manage the organization’s incident information sharing efforts.

Defining the relationship between incident response, incident handling, and incident management

Incident response means responding to computer security incidents systematically, following a
consistent incident handling methodology so that the appropriate actions are taken in a timely
manner. It is a mechanism to minimize loss or theft of information and disruption of services caused
by incidents.

Incident handling refers to the several phases of the incident response process, i.e. preparation,
detection and analysis, containment, eradication and recovery, and post-incident activity, required for
adequate handling of an incident.

Incident management is the term used to describe the overall computing security management to
detect the occurrence of an incident, initiate and handle an incident response and prevent any future
re-occurrences.

Routine operational procedures and tasks required to co-ordinate and respond to information
security incidents
 Prepare to handle incidents.
 Use incident analysis hardware and software.
 Use incident analysis resources.
 Use of incident mitigation software.
 Management responsible for coordinating incident response among various stakeholders,
minimizing damage, and reporting to Congress, OMB, the General Accounting Office (GAO),
and other parties.
 Information security staff members may be needed during certain stages of incident handling
(prevention, containment, eradication and recovery). For example, to alter network security
controls (e.g. firewall rule sets).


 IT technical experts (e.g. system and network administrators) can ensure that the appropriate
actions are taken for the affected system, such as whether to disconnect an attacked system.
 Coordinate with relevant legal experts to review incident response plans, policies and
procedures to ensure their compliance with law and federal guidance, including the right to
privacy.
 Coordinate and inform the media and, by extension, the public.
 Ensure that incident response policies and procedures and business continuity processes are
in sync.
 Coordinate with Physical Security and Facilities Management to access facilities during
incident handling.

A part of outlining the incident response framework involves the identification of IR
Severity Levels. These levels will help the team understand the severity of an event and
will govern the team’s response. Some suggestions for these levels are the following:

SEVERITY LEVEL   LEVEL OF BUSINESS IMPACT   RESOLUTION EFFORT REQUIRED
SEVERITY 1       LOW                        LOW EFFORT
SEVERITY 2       MODERATE                   MODERATE EFFORT
SEVERITY 3       HIGH                       EXTENSIVE, ONGOING EFFORT
SEVERITY 4       SEVERE                     DISASTER RECOVERY INVOKED

Start to create a documented action script that will outline your response steps so your IR Manager
can follow them consistently. Your script should show steps similar to the following:

STEP #   ACTION
1        Incident announced
2        IR Manager alerted
3        IR Manager begins information gathering from affected site
4        IR Manager begins tracking and documentation of incident
5        IR Manager invokes Assessment Team (details of call bridge or other communication mechanism)
6        Assessment Team reviews details and decides on Severity Level of incident.
7        IF SEV 1 = PROCEED TO STEP #11.0
8        IF SEV 2 = PROCEED TO STEP #12.0
9        IF SEV 3 = PROCEED TO STEP #13.0
10       IF SEV 4 = PROCEED TO STEP #14.0

FOR SEVERITY LEVEL 1 – Proceed with following sequence
11.0 Determine attack vectors being used by threat
11.1 Determine network locations that are impacted
11.2 Identify areas that fall under “Parent Organization”
11.3 Identify systems or applications that are impacted

FOR SEVERITY LEVEL 2 – Proceed with following sequence
12.0 Determine attack vectors being used by threat
12.1 Alert Incident Officer to Severity 2 threat

References: Students are encouraged to read more on roles and responsibilities in the IR team of any
organization from the following references.

 http://www.cert.org/csirts/Creating-A-CSIRT.html
 http://www.cert.org/csirts/Creating-A-CSIRT.html#practices
 Incident Response (O’Reilly) – Kenneth R. van Wyk and Richard Forno
 http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
