Unlike firefighting -- which has been in existence for centuries -- computer incident response is a comparatively new area that began in 1988 with the establishment of the Carnegie Mellon University Computer Emergency Response Team Coordination Center (CERT/CC) in Pittsburgh, PA. Incidents certainly occurred and were handled before this, but it is only since 1988 that incident response has taken shape as a distinct discipline within the information security profession. Previously, an incident in a typical organization was handled by the organization’s IT staff and/or its security staff in a more or less ad hoc manner. The results, as might be expected, tended to be hit or miss, and were frequently:
Unfocused, with no one knowing who was in charge of the situation
Not tightly synchronized with senior management’s wishes and priorities in mind
Costly, although such ad hoc incident response situations were not even sufficiently organized to provide an accurate accounting of actual costs
The history of incident response as a discrete discipline goes back to November 1988, when a young Cornell University graduate student named Robert T. Morris wrote a program known as a worm , and subsequently unleashed it on the fledgling Internet. Due primarily to the unavailability of large portions of the Internet, the incident resulted in what seemed to be panic and pandemonium. During the incident, individual system administrators, researchers, and others involved in the incident acted independently to analyze and thwart the worm program as it traversed the Internet.
In the aftermath of the Morris Worm, a postmortem study and resulting list of recommendations prompted the Defense Advanced Research Projects Agency (DARPA) to establish and fund the first officially recognized incident response team, the Computer Emergency Response Team (CERT). The CERT, later referred to specifically as CERT Coordination Center (CERT/CC), was established at Carnegie Mellon University’s Software Engineering Institute, itself a federally funded research and development center. By design, the establishment of the CERT Coordination Center spawned numerous other incident response teams (IRTs) throughout the world, each one serving its own community or constituency.
The formation of these additional IRTs served to catalyze another entity, the Forum of Incident Response and Security Teams (FIRST). The purpose of FIRST, which we discuss in greater detail in Appendix A, is to act as a facilitating body for the community of incident response teams. Within FIRST are several dozen IRTs representing academia, government/military, computer system vendors, and other segments of private enterprise.
Since the formation of these early organizations, incident response has evolved into a mature discipline, with dozens of conference, workshop, and seminar sessions dedicated to educating people on the subject. All of this activity served to develop incident response as a recognized discipline. More recent developments have included numerous commercial incident response teams, workshops that focus exclusively on incident response, and an increasingly large selection of tools for an incident response team to use when responding to incidents.