Switch branches/tags
Nothing to show
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


FIRST CSIRT Case Classification


Incident Categories

All incidents managed by the CSIRT should be classified into one of the categories listed in the table below.

Denial of service
Sensitivity: S3
DOS or DDOS attack.
Sensitivity: S1
Any forensic work to be done by CSIRT
Compromised Information
Sensitivity: S1
Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property.
Compromised Asset
Sensitivity: S1,S2
Compromised host (root account, Trojan, rootkit), network device, application, user account. This includes malware-infected hosts where an attacker is actively controlling the host.
Unlawful activity
Sensitivity: S1
Theft / Fraud / Human Safety / Child Porn. Computer-related incidents of a criminal nature, likely involving law enforcement, Global Investigations, or Loss Prevention.
Internal Hacking
Sensitivity: S1, S2, S3
Reconnaissance or Suspicious activity originating from inside the Company corporate network, excluding malware.
External Hacking
Sensitivity: S1, S2, S3
Reconnaissance or Suspicious Activity originating from outside the Company corporate network (partner network, Internet), excluding malware.
Sensitivity: S3
A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that are being actively controlled by an attacker via a backdoor or Trojan. (See Compromised Asset)
Sensitivity: S3
Spoofed email, SPAM, and other email security-related events.
Sensitivity: S1, S2, S3
Security consulting unrelated to any confirmed incident.
Policy Violations
Sensitivity: S1, S2, S3
Sharing offensive material, sharing/possession of copyright material.
Deliberate violation of Infosec policy.
Inappropriate use of corporate asset such as computer, network, or application.
Unauthorized escalation of privileges or deliberate attempt to subvert access controls.

Criticality Classification

The criticality matrix defines the minimal customer response time and ongoing communication requirements for a case. The criticality level should be entered into the ITS when a case is created, and it should not be altered at any point during the case lifecycle except when it was incorrectly classified in the first place. Typically the IM will determine the criticality level. In some cases it will be appropriate for the IM to work with the customer to determine the criticality level.

Incident affecting critical systems or information with potential to be revenue or customer impacting.
Incident affecting non-critical systems or information, not revenue or customer impacting. Employee investigations that are time sensitive should typically be classified at this level.
Possible incident, non-critical systems. Incident or employee investigations that are not time sensitive. Long-term investigations involving extensive research and/or detailed forensic work.

Sensitivity Classification

CSIRT IM’s should always apply the “need to know” principle when communicating case details with other parties. The sensitivity matrix below helps to define “need to know” by classifying cases according to sensitivity level. The ‘Required’ column defines the parties that “need to know” for a given sensitivity level. The ‘Optional’ column defines the other parties that may be included on communications, if necessary. Typically the IM will determine the sensitivity level. In some cases it will be appropriate for the IM to work with the customer to determine the sensitivity level.

Extremely Sensitive.
Not Sensitive.

Machine-parsable FIRST CSIRT Case Classification

The repository contains a JSON file including the machine-parsable tags along with their human-readable description. The software can use both representation on the user-interface and store the tag as machine-parsable.


Author: Dustin Schieber dschiebe@cisco.com Gavin Reid gavreid@cisco.com