Identifying the attacking host is a secondary concern in cyber-incident response, says NIST
Cybersecurity incident handling should focus principally on containment, eradication and recovery, and secondarily on identifying the attacking host or hosts, according to final guidance, SP 800-61 Revision 2 (.pdf), published Aug. 8 by the National Institute of Standards and Technology.
"Identifying an attacking host can be a time-consuming and futile process that can prevent a team from achieving its primary goal--minimizing the business impact," writes NIST.
This latest revision to NIST's "Computer Security Incident Handling Guide" differs from the draft, which was published in February 2012, by changing the objective from "identifying the attacker" to "identifying the attacking host."
The publication's authors say that when investigating the host, compromised agencies often focus on the attacking host's IP address, trying to validate that the address was not spoofed. This approach is flawed, however, because verifying connectivity only indicates whether a host at that address currently responds to requests. "The attacker may have received a dynamic address that has already been reassigned to someone else," notes NIST.
Using a search engine to find more information on the apparent source IP address could provide more information, as could checking the address against an incident database. Incident handlers may also want to monitor communication channels that may be used by the attacking host, says NIST.
"Attackers may congregate on certain IRC [Internet relay chat] channels to brag about their compromises and share information," write the authors. "However, incident handlers should treat any such information that they acquire only as a potential lead, not as fact."
The final publication expands guidance on information sharing with outside parties. Agencies should have policies in place for communicating with the media, Internet service providers, vendors of vulnerable software, law enforcement and other incident response teams, says NIST.
The publication also includes revised incident response life cycle diagrams, such as the one below.
- download the "Computer Security Incident Handling Guide," SP-800-61 Rev.2 (.pdf)