Description:
In the world of incident response, information is everything. The sooner incidents and vulnerabilities are detected and understood, the faster they can be handled and the less damage is caused. Accurate and timely information may help incident handlers reduce the number of infections, or address vulnerabilities before they are exploited. Unfortunately, although security information sharing is now commonplace, it has not always improved the situation for incident response teams. Extracting timely information that can be immediately acted on from the vast amounts of data of all types flowing in remains a challenge. This type of information is referred to as "actionable information" and is identified as one of the fundamental building blocks of successful incident response. This document is intended as a good practice guide for the exchange and processing of actionable information. The report is relevant to incident response in all types of organizations; the primary audience of this study is national and governmental CERTs. The scope of the study is purposefully broad. Many of the issues related to making information actionable for CERTs have not been adequately explored in previous publications. The goal for this report was to touch on a wide variety of challenges that should be addressed in the area of processing information. Another goal of the study is to outline a general framework that could be used as the basis for future, more detailed studies.