Skip to content

Actions

The definitions are linked to the FIRST CSIRT services framework v2.1, for services that a CSIRT might provide.

Detect

identify potential incidents.

Services: Monitoring and Detection; Incident Report Acceptance.

Note: The phase of incident management where the IR team wants to confirm and gather additional detection tools and signatures is part of the Mitigation phase, not Detection. The Detection action focuses only on initial detection of the incident.

Mitigate

contain an incident and restore secure operations.

Services: Mitigation and Recovery.

Prevent

using DNS-specific steps, make it less likely incidents of this type will occur in the future.

Services: Knowledge transfer (including to internal IT teams); Vulnerability Response;

also relates to detection (possibly updating the signatures and detection rules) and recovery (during recovery, should the system be reconfigured to prevent recurrence).

Note that broad anti-malware prevention is out of scope. Of course everyone should do the broad anti-malware practices, see for example Best Practices | M3AAWG.