Incident Response Practices Across National CSIRTs: Results from an Online Survey

The aim of this study is to obtain operational insights of real-world practices across national CSIRTs, concerning cyber incident reporting channels, ticketing tools, incident classification schemes, and ways to identify appropriate responses. An online survey involving 19 staff members of 17 national CSIRTs was conducted, leading to four major findings. First, multiple reporting channels are provided by national CSIRTs for prompt incident reporting. Second, free and open-source ticketing tools are popular among national CSIRTs for tracking reported incidents. Third, different incident classification schemes are used across national CSIRTs, indicating a lack of standardised approaches that can have important implications (for example, difficulties in cross-CSIRT information sharing). Fourth, for classifying incidents and identifying appropriate responses, manual approaches are used more than automated ones. We conclude that more cross-CSIRT efforts are needed to define a more standardised cyber incident classification scheme, and to develop more automated tools to support national CSIRTs' operations.