Title :
Operationalizing the coordinated incident handling model
Author :
Daley, Rose ; Millar, Thomas ; Osorno, Marcos
Author_Institution :
Appl. Phys. Lab., Johns Hopkins Univ., Laurel, MD, USA
Abstract :
Cyber threats are becoming increasingly sophisticated and subtle, making them even harder to detect and contain, and the number of critical, often simultaneous cyber incidents continues to rise at an alarming rate. In this environment, coordinated incident handling across a variety of organizations and incidents is essential for effective response. Current approaches use linear processes developed to handle single incidents, with little attention paid to simultaneous or complex attacks encompassing many incidents, to coordination with other organizations, or to the ability to scale to the size necessary for large, cross-cutting incidents. We have developed a coordination model for cyber incident management that provides enough structure to enable cooperative operations, but is sufficiently abstract to enable the organizational autonomy and customization essential for effective response for all types of organizations. It is easily understood, straightforward to apply, and versatile enough to overlay on existing organizational processes and structures, both for small, local activities and for large, cross-organizational ones. This model will enable faster recognition and more rapid escalation of important cyber incidents and will improve knowledge about such incidents for organizational peers across the community, further enhancing their local response capabilities.
Keywords :
groupware; organisational aspects; peer-to-peer computing; security of data; cooperative operation; coordinated incident handling model; customization; cyber incident management; cyber threats; large cross-organizational activities; local response capabilities; organizational autonomy; organizational peers; organizational process; organizational structure; Computational modeling; Computer security; Decision making; Monitoring; Organizations; Standards organizations;
Conference_Title :
Technologies for Homeland Security (HST), 2011 IEEE International Conference on
Conference_Location :
Waltham, MA
Print_ISBN :
978-1-4577-1375-0
DOI :
10.1109/THS.2011.6107886