NIST publishes updated guide for managing computer security incidents by: Mark Rockwell.
Mark provides a brief overview of the National Institute of Standards and Technology (NIST), Computer Security Incident Handling Guide.
At seventy-nine (79) pages it isn’t everything you will want to know, but it’s a starting point.
Of particular note is the section on sharing information with others, which reads in part:
The nature of contemporary threats and attacks makes it more important than ever for organizations to work together during incident response. Organizations should ensure that they effectively coordinate portions of their incident response activities with appropriate partners. The most important aspect of incident response coordination is information sharing, where different organizations share threat, attack, and vulnerability information with each other so that each organization’s knowledge benefits the other. Incident information sharing is frequently mutually beneficial because the same threats and attacks often affect multiple organizations simultaneously.
As mentioned in Section 2, coordinating and sharing information with partner organizations can strengthen the organization’s ability to effectively respond to IT incidents. For example, if an organization identifies some behavior on its network that seems suspicious and sends information about the event to a set of trusted partners, someone else in that network may have already seen similar behavior and be able to respond with additional details about the suspicious activity, including signatures, other indicators to look for, or suggested remediation actions. Collaboration with the trusted partner can enable an organization to respond to the incident more quickly and efficiently than an organization operating in isolation.
This increase in efficiency for standard incident response techniques is not the only incentive for cross-organization coordination and information sharing. Another incentive for information sharing is the ability to respond to incidents using techniques that may not be available to a single organization, especially if that organization is small to medium size. For example, a small organization that identifies a particularly complex instance of malware on its network may not have the in-house resources to fully analyze the malware and determine its effect on the system. In this case, the organization may be able to leverage a trusted information sharing network to effectively outsource the analysis of this malware to third party resources that have the adequate technical capabilities to perform the malware analysis.
I would summarize all that as follows:
For all of the $Billions spent on computer security, teams of security experts, software, audits, etc., why do Black Hats stay ahead of the game?
Leaving all the tedious self-justification of the security industry to one side, the answer is quite simple: Black Hats share information.
Whether the information is about social engineering, exploits to software, insecure networks or techniques for any of the foregoing, Black Hats share information.
I am not suggesting that the NSA publish its network woes on Facebook (although someone created a page for it: Facebook – NSA), but it should be capable of automatic sharing of computer security incidents with like-minded agencies.
Topic maps could help both share and filter the sharing of information in a highly automated fashion.
Don’t know that you would catch up to the Black Hats, but at least you would not be losing ground.