Incident Response Methodology

Some time ago, CERT Société Générale decided to launch a new, exciting project, which we quickly called “IRM”. This acronym stands for Incident Response Methodology.

Our initial goal was to create some kind of cheat sheets for our internal colleagues working in the IT field, to help them act and react on specific incidents or events. We started writing those IRMs, which got a very warm welcome internally, pushing us forward to continue producing them. While we initially planned to create five or six IRMs, we quickly published ten of them and we still had some ideas for further ones.

After a while, we thought it could be a good idea to release them publicly on our website to improve information sharing among the computer security community.

On April 28, 2011, we released our first IRM and tweeted about it. We decided to release one IRM every week. For weeks, we released the IRMs, and we have to say we were astonished and very surprised by the amount of downloads. We also got great feedback, showing us that people actually cared ; a important reward for our work.

As of today, the complete IRM list is the following:

IRM-1 : Worm infection
IRM-2 : Windows intrusion
IRM-3 : Unix intrusion
IRM-4 : Distributed Denial of Service
IRM-5 : Malicious Network Behaviour
IRM-6 : Website Defacement
IRM-7 : Windows Malware Detection
IRM-8 : Blackmail
IRM-9 : Malware on smartphone
IRM-10 : Social Engineering
IRM-11 : Information Leakage
IRM-12 : Insider Abuse
IRM-13 : Phishing
IRM-14: Scam
IRM-15: Trademark Infringement

Expect more to come from us in the near future, we still have ideas ;-)

We would also like to thank the SANS Institute, who released great cheat sheets which gave us the idea and the motivation to write our own. Thank you very much guys! :-)

Also, please feel free to send us any comment/feedback on the IRMs. They are not written in stone. We would upgrade them as needed. Ideas on future IRMs you’d like seeing are also welcome!