
Discuss thoughts on the NIST Cyber Incident Response Process & Steps (Good/Bad, Easy/Simple to Understand and Follow).

Computer Security Incident Handling Guide
Recommendations of the National Institute of Standards and Technology
Paul Cichonski, Tom Millar, Tim Grance, Karen Scarfone
Special Publication 800-61 Revision 2
http://dx.doi.org/10.6028/NIST.SP.800-61r2


NIST Special Publication 800-61 Revision 2
Computer Security Incident Handling Guide

Recommendations of the National Institute of Standards and Technology

Paul Cichonski, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD
Tom Millar, United States Computer Emergency Readiness Team, National Cyber Security Division, Department of Homeland Security
Tim Grance, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD
Karen Scarfone, Scarfone Cybersecurity

COMPUTER SECURITY
August 2012



U.S. Department of Commerce
Rebecca Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher,
Under Secretary of Commerce for Standards and Technology
and Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analyses to advance the development and productive use of
information technology. ITL’s responsibilities include the development of management, administrative,
technical, and physical standards and guidelines for the cost-effective security and privacy of other than
national security-related information in Federal information systems. The Special Publication 800-series
reports on ITL’s research, guidelines, and outreach efforts in information system security, and its
collaborative activities with industry, government, and academic organizations.
Authority
This publication has been developed by NIST to further its statutory responsibilities under the Federal
Information Security Management Act (FISMA), Public Law (P.L. XXXXXXXXXX). NIST is responsible for
developing information security standards and guidelines, including minimum requirements for Federal
information systems, but such standards and guidelines shall not apply to national security systems
without the express approval of appropriate Federal officials exercising policy authority over such
systems. This guideline is consistent with the requirements of the Office of Management and Budget
(OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-
130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130,
Appendix III, Security of Federal Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory
and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should
these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of
Commerce, Director of the OMB, or any other Federal official. This publication may be used by
nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.
Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication XXXXXXXXXX Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. XXXXXXXXXX Revision 2, 79 pages (Aug. 2012)
CODEN: NSPUE2


Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD XXXXXXXXXX
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the
best available for the purpose.
There may be references in this publication to other publications currently under development by NIST in
accordance with its assigned statutory responsibilities. The information in this publication, including concepts
and methodologies, may be used by Federal agencies even before the completion of such companion
publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where
they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow
the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and provide
feedback to NIST. All NIST publications, other than the ones noted above, are available at
http://csrc.nist.gov/publications.
Abstract
Computer security incident response has become an important component of information technology (IT)
programs. Because performing incident response effectively is a complex undertaking, establishing a
successful incident response capability requires substantial planning and resources. This publication
assists organizations in establishing computer security incident response capabilities and handling
incidents efficiently and effectively. This publication provides guidelines for incident handling,
particularly for analyzing incident-related data and determining the appropriate response to each incident.
The guidelines can be followed independently of particular hardware platforms, operating systems,
protocols, or applications.
Keywords
computer security incident; incident handling; incident response; information security
Acknowledgments
The authors, Paul Cichonski of the National Institute of Standards and Technology (NIST), Tom Millar of
the United States Computer Emergency Readiness Team (US-CERT), Tim Grance of NIST, and Karen
Scarfone of Scarfone Cybersecurity wish to thank their colleagues who reviewed drafts of this document
and contributed to its technical content, including John Banghart of NIST; Brian Allen, Mark Austin,
Brian DeWyngaert, Andrew Fuller, Chris Hallenbeck, Sharon Kim, Mischel Kwon, Lee Rock, Richard
Struse, and Randy Vickers of US-CERT; and Marcos Osorno of the Johns Hopkins University Applied
Physics Laboratory. A special acknowledgment goes to Brent Logan of US-CERT for his graphics
assistance. The authors would also like to thank security experts Simon Burson, Anton Chuvakin
(Gartner), Fred Cohen (Fred Cohen & Associates), Mariano M. del Rio (SIClabs), Jake Evans (Tripwire),
Walter Houser (SRA), Panos Kampanakis (Cisco), Kathleen Moriarty (EMC), David Schwalenberg
(National Security Agency), and Wes Young (Research and Education Networking Information Sharing
and Analysis Center [REN-ISAC]), as well as representatives of the Blue Glacier Management Group, the
Centers for Disease Control and Prevention, the Department of Energy, the Department of State, and the
Federal Aviation Administration for their particularly valuable comments and suggestions.
The authors would also like to acknowledge the individuals that contributed to the previous versions of
the publication. A special thanks goes to Brian Kim of Booz Allen Hamilton, who co-authored the
original version; to Kelly Masone of Blue Glacier Management Group, who co-authored the first revision;
and also to Rick Ayers, Chad Bloomquist, Vincent Hu, Peter Mell, Scott Rose, Murugiah Souppaya, Gary
Stoneburner, and John Wack of NIST; Don Benack and Mike Witt of US-CERT; and Debra Banning,
Pete Coleman, Alexis Feringa, Tracee Glass, Kevin Kuhlkin, Bryan Laird, Chris Manteuffel, Ron
Ritchey, and Marc Stevens of Booz Allen Hamilton for their keen and insightful assistance throughout the
development of the document, as well as Ron Banerjee and Gene Schultz for their work on a preliminary
draft of the document. The authors would also like to express their thanks to security experts Tom Baxter
(NASA), Mark Bruhn (Indiana University), Brian Carrier (CERIAS, Purdue University), Eoghan Casey,
Johnny Davis, Jr. (Department of Veterans Affairs), Jim Duncan (BB&T), Dean Farrington (Wells Fargo
Bank), John Hale (University of Tulsa), Georgia Killcrece (CERT®/CC), Barbara Laswell (CERT®/CC),
Pascal Meunier (CERIAS, Purdue University), Jeff Murphy (University of Buffalo), Todd O’Boyle
(MITRE), Marc Rogers (CERIAS, Purdue University), Steve Romig (Ohio State University), Robin
Ruefle (CERT®/CC), Gene Schultz (Lawrence Berkeley National Laboratory), Michael Smith (US-
CERT), Holt Sorenson, Eugene Spafford (CERIAS, Purdue University), Ken van Wyk, and Mark Zajicek
(CERT®/CC), as well as representatives of the Department of the Treasury, for their particularly valuable
comments and suggestions.
Table of Contents
Executive Summary
1. Introduction
1.1 Authority
1.2 Purpose and Scope
1.3 Audience
1.4 Document Structure
2. Organizing a Computer Security Incident Response Capability
2.1 Events and Incidents
Answered 4 days After Oct 20, 2024

Solution

Dipali answered on Oct 25 2024
5 Votes
WRITTEN ASSIGNMENT
Table of contents
Introduction
Positive Aspects
Negative Aspects
Conclusion
Reference
Introduction
The NIST Cyber Incident Response Process, as described in NIST document number SP-800-61 Revision 2, is a well-structured and well-detailed conceptual framework for dealing with cybersecurity threats. It is divided into four phases: there are five phases, which are known as Preparation, Detection and Analysis, Containment, Eradication, and Recovery, and Post-Incident Activity.
Positive Aspects
The NIST process is very rigorous and ensures that an incident is handled properly and as well as it can be. Because of this emphasis on post-incident analysis, it is a...