The `Actionable information for Security Incident Response` study is intended as a good practice guide for the exchange and processing of actionable information. Although the report is relevant to incident response in all types of organizations, the primary audience of this study is national and governmental CERTs. The scope of the study is purposefully broad. Many of the issues related to making information actionable for CERTs have not been adequately explored in previous publications. The goal of this report was to touch on a wide variety of challenges that should be addressed in the area of processing information. Another goal of the study is to outline a general framework that could be used as the basis for future, more detailed studies.
The main contributions of this study are as follows:
• A definition of actionable information for CERTs and identification of its 5 key properties: relevance, timeliness, accuracy, completeness, ingestibility.
• Introduction of a generalized information processing pipeline for the processing of actionable information. This pipeline consists of 5 stages: collection, preparation, storage, analysis and distribution. Each stage is discussed in detail with recommendations on how to approach implementation.
• A set of 3 detailed case studies that cover various aspects of handling actionable information by CERTs: “Using indicators to enhance defense capabilities,” “Improved situational awareness through botnet monitoring,” “Effective data exchange on a national level.”
• A hands-on exercise that expands on these case studies by walking a student through a concrete information processing and sharing scenario.
• An inventory of 53 information sharing standards and 16 information management tools relevant to the concept of actionable information. This inventory is available as a separate document, titled “Standards and tools for exchange and processing of actionable information.”
• Identification of gaps and recommendations in the exchange and processing of actionable information. In particular, despite the improvement in general awareness of the issues involved, the emergence of new standards such as STIX/TAXII, and new tools, the exchanges have not yet reached full maturity.
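As an added illustration (not code from the study), the five properties and the five pipeline stages as a minimal Python pipeline run over constructed indicator records and a constructed proxy log line; the record fields, the 30-day age limit and the confidence threshold of 50 are assumptions, not values from the report:

```python
from datetime import datetime, timedelta, timezone
import ipaddress, re
RAW_FEED = [  # constructed sample records, as a CERT might receive them from several feeds
    {"type": "ipv4", "value": "198.51.100.23", "seen": "2024-05-01T10:00:00Z", "confidence": 80, "source": "feedA"},
    {"type": "ipv4", "value": "198.51.100.23", "seen": "2024-05-01T10:00:00Z", "confidence": 80, "source": "feedA"},
    {"type": "ipv4", "value": "203.0.113.7", "seen": "2023-01-01T00:00:00Z", "confidence": 90, "source": "feedB"},
    {"type": "domain", "value": "Bad.Example", "seen": "2024-05-02T12:00:00Z", "confidence": 20, "source": "feedB"},
    {"type": "ipv4", "value": "not-an-ip", "seen": "2024-05-02T12:00:00Z", "confidence": 70, "source": "feedC"},
    {"type": "ipv4", "value": "192.0.2.5", "confidence": 70, "source": "feedC"},
]
# Constructed proxy log line from the constituency; the domain in it is also in the feed above.
LOG_LINES = ["2024-05-02T13:01:09Z src=10.0.0.4 dst=198.51.100.23 method=GET host=bad.example status=200"]

def parse_value(ind_type, value):
    # Ingestibility: the value must parse as the type it claims; normalise it on the way.
    if ind_type == "ipv4":
        return str(ipaddress.IPv4Address(value))
    if ind_type == "domain" and re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value.lower()):
        return value.lower()
    raise ValueError(f"unparseable {ind_type} {value!r}")
def prepare(records, now, max_age=timedelta(days=30), min_confidence=50):
    # Preparation: completeness, ingestibility, timeliness, accuracy; then normalise and deduplicate.
    store, rejected = {}, []  # store is keyed by (type, value) so exact duplicates collapse
    for rec in records:
        if any(k not in rec for k in ("type", "value", "seen", "confidence")):
            rejected.append((rec, "incomplete")); continue
        try:
            value = parse_value(rec["type"], rec["value"])
            seen = datetime.fromisoformat(rec["seen"].replace("Z", "+00:00"))
        except ValueError as exc:
            rejected.append((rec, f"not ingestible: {exc}")); continue
        if now - seen > max_age:
            rejected.append((rec, "stale")); continue
        if rec["confidence"] < min_confidence:
            rejected.append((rec, "low confidence")); continue
        store.setdefault((rec["type"], value), {**rec, "value": value})
    return store, rejected
def analyse(store, log_lines):
    # Analysis: relevance is only established when an indicator matches the constituency's own data.
    alerts = []
    for line in log_lines:
        tokens = set(re.split(r"[\s=,;]+", line))
        alerts += [{"type": t, "indicator": v, "source": ind["source"], "log": line}
                   for (t, v), ind in store.items() if v in tokens]
    return alerts
def run_pipeline(now=datetime(2024, 5, 3, tzinfo=timezone.utc)):
    store, rejected = prepare(RAW_FEED, now)  # collection -> preparation -> storage
    alerts = analyse(store, LOG_LINES)  # analysis
    report = [f"{a['type']},{a['indicator']},{a['source']}" for a in alerts]  # distribution: rows for peers
    return store, rejected, alerts, report
```

Of the six records only one survives preparation; the domain in the log line does not alert because its feed entry failed the accuracy check, which is the point of filtering before analysis rather than after.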