Incident Response resources
Here’s a fairly typical request from clients and students alike: “I was wondering if you can recommend any whitepapers on incident escalation and handling. Additionally, if there’s any books you can recommend, I’d sure appreciate the info.”
It comes up often enough that I ought to post my answer someplace I can link to, because I'm lazy:
First, yes, there are several "whitepapers" that I've found to be very useful, from Carnegie Mellon's Software Engineering Institute (sponsor of the CERT/CC (tm)).
First and foremost, you should consult their Handbook for CSIRTs (it's far more than a "whitepaper", though, as you'll see).
In addition to that, I'd look at their extensive State of the Practice document, their whitepaper on different organizational models, and finally their more recent report on Defining Incident Management Processes.
They have also published a couple of Handbooks on Forensics that are indispensable: First Responders Guide to Computer Forensics and First Responders Guide to Computer Forensics: Advanced Topics. Anyone working as an incident handler should at a minimum be familiar with the essential concepts in that first one.
Now, if that's not enough reading for you, the only published-for-money book I have used in my other classes is "Incident Response: A Strategic Guide..." by Dr. Eugene Schultz. It's no more comprehensive than the above documents -- actually quite a bit less so. But it does provide a more gentle introduction that remains cogent and fairly comprehensive (as introductions go).
/jonathan
Weblog Entry
Wednesday, June 14, 2006
Entry Notes
Category: Stand on the Shoulders of Giants
Event: Typical student request.
Weather: June in Chicago was nice.
Other Details:
It was a clever student who asked this question this particular time. He works for an international bank that is very lucky to have him.
(Pleasure having you in class, Robert.)