A Collection of Information Security Community Standardization Activities and Initiatives

Incident Coordination

When a cyber incident occurs, such as a spear-phishing attack, a configuration error, or a denial-of-service (DoS) attack, defenders may need to reach out to Computer Security Incident Response Teams (CSIRTs), law enforcement, Internet Service Providers (ISPs), product vendors, and others for assistance and coordination.

Depending on the nature of the incident and how widespread it is, a task force and/or command post may be established to focus investigation and identify solutions quickly. Incident coordination is an important aspect of a strong incident response capability.

The Trusted Automated eXchange of Indicator Information (TAXII) supports incident coordination by facilitating the secure exchange of Structured Threat Information eXpression (STIX) documents containing structured cyber threat information, including incident information.

The Incident Object Description Exchange Format (IODEF), defined in RFC 5070 and being updated by the Managed Incident Lightweight Exchange (MILE) Working Group, also supports incident coordination. IODEF is a data representation for commonly shared incident information, and the companion standards Real-time Inter-network Defense (RID) and Real-time Inter-network Defense-Transport (RID-T) enable IODEF data to be exchanged securely.