Abstract

We set out to create an assessment and situational awareness tool for incident response. Extracting the risk assessment expertise and turning it into a systematic, step-by-step workflow that non-experts could follow was challenging; what proved even more difficult was mapping that workflow onto the common, natural language used by non-experts while still supporting the incident response. We at the Digital Intelligence and Investigation Directorate (DIID) have developed a way to maintain the velocity of incident response through a feed-forward decision support system that helps a security responder deal with the scale and challenges of assessing risk in critical information systems. Many applications fall short of expectations because the technology is used inappropriately: the wrong tool applied in the wrong way. Combining interaction techniques with a decision support system and applying them to one particularly demanding area, security incident response, leads to the conclusion that there is a proper and formal way to maintain situational awareness in this complex domain. The CERT Assessment Tool increases a security incident responder's ability to assess risk and to identify an incident response plan for critical information systems.
The interface offers four primary affordances to the user: (1) digital storage of the collected interview data, with tagging that creates metadata for the objects and standardizes terminology by reusing objects; (2) structured data that enables situational awareness of all systems on site, with flexibility and recursion of system attributes; (3) guidance questions that provide runtime support for the system currently being assessed and a general direction, based on historical data, for assessing each system better; and (4) real-time rules that make recommendations to the user through 'push' notifications, enabling the user to identify and mitigate information security risks that affect the safety of a system or the implementation of its security plan. A security decision support framework that represents the entire space of a security incident as a series of steps lets us apply techniques specifically designed or selected for one of the three identified stages of incident response: pre-incident (perception), during the event (comprehension), or after the event (projection). This combination of machine-learning-based rules and push notifications is a first step toward computers supporting and advancing the decision support technologies that form the backbone of this system.
