SANS ISC: Questions regarding the new US-CERT reporting guidelines SANS ISC InfoSec Forums
Questions regarding the new US-CERT reporting guidelines
Hello all:

I hope I can get some help here. I am tasked with aligning my SOC's reporting process/procedures/taxonomy with the new US-CERT guidelines. Working on this task has revealed some concerns with the SOP(s) currently in place, and I'm trying to come up with a good solution that fulfills the goals dictated to me by my leadership. To that end, I have a few questions. Disclaimer: I am not, by training, a Security Analyst (I am a computer forensics analyst); thus, I am on the DF side of the DFIR community, so my questions may seem a bit misguided or naive. I apologize if that is the case. That being said, on to the questions:

1) Has anyone in the community come up with an (at least semi-concrete) set of high-level classifications for most of the cyber attacks the security community deals with on a regular basis? For example, I've seen lists of cyber threats that include the following different categories:

phishing attacks
spearphishing attacks
spam

I would put those into the top-level category of "email-based attacks".

Another example:

Viruses
Worms
Trojans

I would put those into the top-level category of "malware".

Hopefully you get the idea.

2a) This question is more one of curiosity. How are people reacting to the new US-CERT guidelines? I understand why US-CERT is doing it (better metrics), but why take the attack descriptors (as outlined in NIST 800-61) and make them "hard and fast" categories? NIST specifically recommends against doing that in 800-61. Why didn't US-CERT merely say, for example: "Starting on date xx/yy/zzzz, in addition to reporting incidents using the legacy incident reporting category system (i.e. CAT 0-6), please qualify the incident using the RIFT Coding (my nomenclature: Recoverability Impact, Information Impact, Functionality Impact and Threat Vector) System."

2b) What are people doing to reconcile the CAT 0-6 system with the new US-CERT reporting system?
Ev

1 Posts