INCIDENT HANDLING (IRIS-CERT Service)


INCIDENT MANAGEMENT

Closing values and institutional KPIs

Attacks and the evolution of their resolution are recorded in the IRIS-CERT incident management tool. It should be noted that the resolution values recorded there are used to compute the institutional KPIs.

Currently, the source of the attack and the resolution value of the incident are recorded so that institutions can analyse and improve their quality parameters.

The possible closing values are:

  • Solved successfully (Solutions provided): the problem has been solved. The adopted measures are provided and the origin and cause of the attack are explained. Both conditions must be met to close with this value.

  • Solved successfully (Solutions not provided): the problem has been solved, but the adopted measures are not provided or the origin and cause of the attack are not explained. Included within this category are those incidents that are successfully solved without any clarifying internal investigation of the attack having been opened (e.g., rapid measures that prevent investigation: formatting, removal of malicious content without knowing how the computers were accessed, etc.).

  • Partially resolved: precautionary measures are provided to abate the attack, but not to solve the root problem (e.g., IP filtering, switching off the machine).

  • Closure ordered by the customer: the customer explicitly or implicitly requests closure of the incident without providing relevant information, i.e., no additional information is provided on the adopted measures or on the cause and origin of the attack. IRIS-CERT therefore cannot ensure that the resolution was successful.

  • False positive: the customer or the RedIRIS security team determines that the connections are permissible, as they pertain to research projects or other controlled activities.

  • Unresolved problem (Response received): it is technologically impossible to solve the problem, or the customer indicates that it does not know how to resolve it even with IRIS-CERT directions. Included within this category are those incidents that are escalated to the computer technicians or institutional systems administrators who then provide no response. In general, this type of situation prevents the regular IRIS-CERT action protocol (i.e., follow-up messages) from continuing.

  • Unresolved problem (No response received): the customer does not respond to the incident or to the follow-up messages. Also included within this group are those incidents which are not solved in spite of an AutoReply having been received.

Note: In the event that the resolution value of your incident is not positive, you can have it changed to "Solved successfully (Solutions provided)" by responding to the ticket closure message with the causes of the attack and the solutions applied.
What is the function of the closing values?

Closing values not only describe the solution provided by the affected institution, but also show the level of resolution that has been reached in each incident.

The main reason is that the disinfection or repair of machines affected by malware is usually an internal task for each institution, and a trivial one compared to a thorough understanding of the causes of the incident.

Having detailed information on the causes that have given rise to some specific malicious activity permits us to, among other things, help other RedIRIS member institutions solve similar problems and have a source of knowledge from which our entire Community can benefit.

With everyone's efforts, the more detailed the information provided, the more personalised the help we can offer your institution in facing any abnormality.