Trust and Internet Identity Meeting Europe
Feb 2020: Workshops and Unconference

Incident response tools

(Laura Paglione)

Laura: The main focus of the session is set on the necessary requirements for communication tools that will allow all stakeholders to easily and efficiently communicate in the event of a security related incident. Its scope is not who should participate, who is entitled to what, how the communication should proceed etc.

Focusing on gathering requirements from experience with incident related cases, what has failed so far, what is being used at the moment, how secure these channels are and what could be improved.

Focus in SIRTFI: Security Incident Response Trust Framework

Relevant possible tools:

  1. PGP
  2. Encrypted IRC
  3. Slack Channels
  4. MISP
  5. Discord
  6. Keybase
  7. MSP
  8. Fordrop
  9. Time sketch
  10. Matter most

Requirements were gathered from suggestions & discussion in the room.

The tool to facilitate communication should ensure:

  • Secure communication
  • The possibility to add people on the fly
  • The ability to limit who can see the discussion
  • The ability to limit who can participate in the discussions and different threads
  • Threaded / selective audiences
  • Interactivity
  • Grouping
  • Categorization
  • Clear scope of the incidents
  • The ability for “regular folks” to be included
  • Secure protocol - easy to use common interface
  • Uncomplicated tooling
  • The ability to kick off processes, scripts and automated system responses
  • The ability for communication receivers (individuals) to make decisions on how “heavy load” the channel is for them
  • Fast to spin up - there is never extra time to take care of which tool to use during an incident event
  • Help in getting the right people involved in the communication
  • Talking to the id events people to get ideas
  • Setting clear coordinator(s) of the incident
  • A clear and “known” location for the conversation & information
  • Not being overdesigned (the big plus of emails)
  • Hints relating to where an incident might be starting up
  • Private channels
  • Threat feeds (SIRTFI “phase 4”)
  • Enforcement of SIRTFI communication guidelines support
  • Mobile accessibility
  • Presentation and refreshing of the security contact lists (pre-conditions)

Momentarily we are focusing more on reacting to incidents rather than anticipating them and developing tools that hint to possible threats. Maybe we should switch to the vice versa approach!