IT Security Incident Response

Incident response, also called incident management

Concepts related to Incident Response

A Security Operations Center (SOC) is a team within an organization that monitors systems for security events and focuses on incident response. It may use a SIEM tool.

Monitoring is an important part of Incident Response.

Log management is an important field of IT security operations. You can read more about it, SIEM and SOAR in this post.

It is important to take into account Indicators of Attack (IoA) and Indicators of Compromise (IoC). They play the same role for networks that signatures play for viruses: known artefacts that monitoring can match against.
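As an added example (not part of the original post), the following Python script shows the kind of check a SOC's monitoring performs with an IoC feed: it pulls candidate observables (IPv4 addresses, domain names, SHA-256 hashes) out of normalised log lines, matches them against the feed, and groups the hits by the internal host involved so an analyst sees which assets need attention. The IoC values, the log lines and the field names (src=, client=, host=) are constructed for this example; they are placeholders from reserved test ranges, not real threat intelligence.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample IoC feed. The values are placeholders (RFC 5737 test
# addresses, a reserved example domain, a made-up hash), not real intelligence.
IOC_FEED = {
    "ipv4": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-check.example.net"},
    "sha256": {"0123456789abcdef" * 4},
}

# Regexes that pull candidate observables out of a free-text log line.
# They over-match on purpose (e.g. "a.exe" looks like a domain); the feed
# lookup below is what decides whether a candidate is a real hit.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
}

# Fields that identify the internal asset a record came from (assumed schema).
SOURCE_FIELDS = re.compile(r"\b(?:src|client|host)=(\S+)")

# Constructed sample log lines in the key=value style a SIEM might normalise to.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-05-01T10:00:02Z dns client=10.0.0.5 query=update-check.example.net",
    "2024-05-01T10:00:03Z edr host=ws01 process=a.exe sha256=" + "0123456789abcdef" * 4,
    "2024-05-01T10:00:04Z fw src=10.0.0.6 dst=192.0.2.10 dport=443 action=allow",
]


def _is_valid_ipv4(text):
    """Reject regex matches such as 999.1.1.1 that are not real addresses."""
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


def extract_observables(line):
    """Return {kind: set(values)} for every candidate observable in one line."""
    found = {}
    for kind, pattern in PATTERNS.items():
        values = {m.group(0).lower() for m in pattern.finditer(line)}
        if kind == "ipv4":
            values = {v for v in values if _is_valid_ipv4(v)}
        if values:
            found[kind] = values
    return found


def match_iocs(lines, feed=IOC_FEED):
    """Return a list of (line_number, kind, value) hits, line numbers 1-based."""
    normalised_feed = {kind: {v.lower() for v in values} for kind, values in feed.items()}
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, candidates in extract_observables(line).items():
            for value in sorted(candidates & normalised_feed.get(kind, set())):
                hits.append((number, kind, value))
    return hits


def summarise_by_source(lines, feed=IOC_FEED):
    """Group hits by the internal host that produced the record."""
    hits_by_host = defaultdict(set)
    for number, kind, value in match_iocs(lines, feed):
        source = SOURCE_FIELDS.search(lines[number - 1])
        host = source.group(1) if source else "unknown"
        hits_by_host[host].add((kind, value))
    return dict(hits_by_host)


if __name__ == "__main__":
    for number, kind, value in match_iocs(SAMPLE_LOGS):
        print(f"line {number}: {kind} IoC {value}")
    for host, hits in summarise_by_source(SAMPLE_LOGS).items():
        print(f"{host}: {len(hits)} IoC hit(s)")
```

The per-host summary is the part an analyst acts on: one host touching both a known-bad address and a known-bad domain is a stronger signal than either hit alone, and it is the host, not the log line, that gets contained.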

Incident Response Standards

Standards for incident response:

  • ISO/IEC 27035-1
  • NIST SP 800-61
  • ENISA’s Good Practice Guide for Incident Management

ISO/IEC 27035-1 is about IT incident management.

NIST SP 800-61 has the title “Computer Security Incident Handling Guide”. You can read more about it on this external link.

“Good Practice Guide for Incident Management” is published by the EU agency ENISA. You can read it on this external link.

“Handbook for Computer Security Incident Response” is by Carnegie Mellon University SEI. It can be downloaded from this external link.

The Cloud Security Alliance (CSA) Cloud Incident Response (CIR) framework is available on this external link.

Incident Response Certifications for Professionals

The CERT Incident Response Process Professional Certificate. You can read more about it on this post.

Incident Management Course

SANS course “SEC504: Hacker Tools, Techniques, and Incident Handling”. You can read more about it on this post.

Incident Management Steps

The incident management steps differ depending on the source.

The incident management steps featured on this post are based on:

  • NIST SP 800-61

NIST SP 800-61 IR Steps

NIST SP 800-61 steps:

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication, and recovery
  4. Post-incident recovery

CISSP IR Steps

CISSP IR steps:

  1. Detection
  2. Response
  3. Mitigation
  4. Reporting
  5. Recovery
  6. Remediation
  7. Lessons Learned

These steps are detailed in the book “CISSP Official Study Guide, 9th Edition”, pp. 804-809.

Computer Emergency Response Teams

A Computer Emergency Response Team (CERT) is a group of experts that handles computer security incidents. The term CSIRT, an acronym for Computer Security Incident Response Team or Cyber Security Incident Response Team, is also used.

As computer threats started to appear with the development of the internet in the late 80s, there was a need for teams that knew how to handle computer security incidents.

A CERT can belong to a public institution (e.g., CISA-CERT, part of the American CISA) or to a private organization (e.g., Amazon SIRT, part of Amazon). Some CERTs have an international scope, while others focus on a single country.

Many countries have an official CERT, whose goal is to provide cybersecurity to their citizens and organizations.

The first team called CERT was CERT-CC, created in 1988. It belongs to Carnegie Mellon University (USA).

At the beginning of the 90s, CSIRTs started to be created in the European Union under the TERENA program.

In 1989, FIRST (Forum of Incident Response and Security Teams) was founded. It is a global association of CERTs, and some of the most important ones in the world belong to it.

You can find all CERT teams belonging to FIRST on this link.

You can find a list of CERTs related to Spain on this link.

There is also a full list of CERTs on this link.

A list of some existing CERTs:

CERT          Country          Organization                                            Link
CCN-CERT      Spain            Centro Criptológico Nacional (CCN)                      Link
ESPDEF-CERT   Spain            Mando Conjunto del Ciberespacio (MCCE)                  Link
esCERT        Spain            Universidad Politécnica de Cataluña (UPC)               Link
CIRCL.lu      Luxembourg       Computer Incident Response Center Luxembourg (CIRCL)    Link
CERT-EU       European Union   European Commission                                     Link
CERT/CC       USA              Carnegie Mellon Software Engineering Institute (SEI)    Link

Incident Response Tools

Incident Response Tools featured on this post:

  • AWS Kill Switch

AWS Kill Switch

AWS Kill Switch is an incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.

It is free and open source software (FOSS).

AWS Kill Switch code repository
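As an added illustration of the containment step that such a tool automates, and not AWS Kill Switch's own code, the Python below locks down a single IAM role the way a responder would by hand: it first records the role's current managed and inline policies for the incident timeline, then attaches an inline policy whose explicit Deny on every action overrides any Allow the role still carries. An optional timestamp turns it into the narrower "revoke sessions issued before the incident" variant through the aws:TokenIssueTime condition key. The IAM calls (list_attached_role_policies, list_role_policies, put_role_policy) are the real boto3 client methods; the policy name, the role name and the RecordingIAM stand-in client are assumptions made for this example so that it runs offline.

```python
import json
from datetime import datetime, timezone

# Name of the inline policy attached during containment (assumed for this example).
LOCKDOWN_POLICY_NAME = "IncidentResponseLockdown"


def build_lockdown_policy(issued_before=None):
    """Return an IAM policy document (dict) that explicitly denies every action.

    An explicit Deny wins over any Allow in IAM policy evaluation, so the role is
    neutralised without deleting its existing permissions, which stay in place for
    the investigation. With issued_before set, only credentials issued before that
    instant are denied (the "revoke active sessions" pattern); without it the role
    is frozen completely.
    """
    statement = {
        "Sid": "IncidentResponseDenyAll",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
    }
    if issued_before is not None:
        stamp = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        statement["Condition"] = {"DateLessThan": {"aws:TokenIssueTime": stamp}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def snapshot_role_policies(iam, role_name):
    """Record what the role could do before containment, for the incident timeline."""
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    inline = iam.list_role_policies(RoleName=role_name)["PolicyNames"]
    return {
        "managed": sorted(p["PolicyArn"] for p in attached),
        "inline": sorted(inline),
    }


def lockdown_role(iam, role_name, issued_before=None):
    """Contain one IAM role: snapshot its permissions, then attach the deny policy.

    Returns a record for the incident log: what was attached, when, and what the
    role's permissions looked like beforehand.
    """
    before = snapshot_role_policies(iam, role_name)
    document = build_lockdown_policy(issued_before)
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=LOCKDOWN_POLICY_NAME,
        PolicyDocument=json.dumps(document),
    )
    return {
        "role": role_name,
        "policy_name": LOCKDOWN_POLICY_NAME,
        "applied_at": datetime.now(timezone.utc).isoformat(),
        "permissions_before": before,
        "document": document,
    }


class RecordingIAM:
    """Offline stand-in for boto3's IAM client (constructed for this example).

    It answers the three calls used above with canned data and records every
    put_role_policy call so the lockdown can be checked without AWS access.
    """

    def __init__(self):
        self.put_calls = []

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [
            {"PolicyName": "AdministratorAccess",
             "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}

    def list_role_policies(self, RoleName):
        return {"PolicyNames": ["LegacyS3Access"]}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.put_calls.append((RoleName, PolicyName, json.loads(PolicyDocument)))
        return {}


if __name__ == "__main__":
    # With real credentials this would be: iam = boto3.client("iam")
    iam = RecordingIAM()
    record = lockdown_role(iam, "CompromisedAppRole")  # assumed role name
    print(json.dumps(record, indent=2))
```

With real credentials, replace RecordingIAM() with boto3.client("iam") and nothing else changes. A Deny in the role's own policies stops the role's sessions from doing anything, but it does not stop the role from being assumed, because assumption is governed by the trust policy; a full lockdown therefore also means reviewing the trust policy, which this example leaves untouched.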

Incident Response Regulations

Incident Response Regulation in Spain

In Spain there is the Real Decreto 43/2021, de 26 de enero, por el que se desarrolla el Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información (Royal Decree 43/2021 of 26 January, implementing Royal Decree-Law 12/2018 of 7 September on the security of networks and information systems). You can read it on this link.
