Faculty of Informatics
Master’s Thesis
Mariami Gonashvili
Acknowledgements
I would first like to thank my supervisor Jan Vykopal for providing
me with his guidance and recommendations. His support and guidance
gave me valuable experience during the writing of this thesis.
I would also like to thank Martin Horák, who was my consultant
during the writing of this thesis and gave me guidance on how to
better understand knowledge management.
I would also like to express my gratitude to Martin Laštovička and
Martin Macháč for the interviews and introducing me to their incident
response environment and to Michal Čech for explaining his thesis.
Additionally, I would like to thank the Georgian governmental
scholarship, the International Education Center (IEC) for giving me
the study grant.
And last, thanks to my partner Michiel Johan Hendrik Marcus for
being my shoulder to lean on.
Abstract
Computer security incident response teams provide the first line of
defence for security incidents. Timely response is highly important
to contain incidents as soon as possible. Therefore, effective knowl-
edge management in the incident response team is highly important.
The concept of knowledge management has also gained the interest
of many big organizations, because proper knowledge management
improves the performance of business processes.
This thesis focuses on knowledge management in Incident Re-
sponse teams. It suggests a customized knowledge management frame-
work for the Computer Security Incident Response Team of MU based
on a literature review of state-of-the-art knowledge management
frameworks and the business process of the respective incident re-
sponse team. This customized framework is applied in practice in
order to identify and find solutions for the knowledge requirements
for the incident response team. By closely reviewing the incident
handling process as a whole, the so-called "knowledge gaps" were
identified. Several solutions were considered and compared and fi-
nally turned into a prototype knowledge management system. The
system that was already used by the incident handling team was ex-
tended to centralize relevant documentation and automate processes
that would otherwise require manual work and cause delays. This
will help the operational team to communicate information efficiently
and guarantee an optimized workflow.
Keywords
CSIRT-MU, Incident handling, knowledge, knowledge management,
knowledge management systems, RT/RTIR, RT articles
Contents
1 Introduction 1
3 Knowledge Management 12
3.1 Definition of knowledge . . . . . . . . . . . . . . . . . . . . 12
3.2 Types of knowledge . . . . . . . . . . . . . . . . . . . . . . 14
3.3 The SECI model . . . . . . . . . . . . . . . . . . . . . . . . 15
3.4 Definition of Knowledge Management . . . . . . . . . . . . 16
3.5 Knowledge Management in organizations . . . . . . . . . . 17
3.6 Knowledge Management frameworks . . . . . . . . . . . . . 17
3.7 Knowledge Management processes . . . . . . . . . . . . . . 18
3.8 Knowledge Management success and failure factors . . . . . 21
6 Conclusion 65
6.1 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Bibliography 68
Index 71
List of Tables
2.1 A list of CSIRT Services [2] 6
5.1 A comparison between RT and Redmine 59
List of Figures
2.1 Incident Resolution cycle [2] 8
2.2 An example of a phishing email 10
3.1 Three-level hierarchy 12
3.2 Knowledge Management Processes 19
3.3 Knowledge Management Failure Factors 23
4.1 A systems thinking framework 25
4.2 KM cycle [21] 28
4.3 The GPO-WM® implementation model [24] 35
4.4 The second layer of The European KM framework 39
4.5 A general project management scheme for KM
implementation [25] 43
5.1 The time-line and the details of the implementation of KM
in the incident response team 53
5.2 RT articles 58
5.3 Integrated incident handling manual in RT/RTIR: on
the left side of the figure, the incident handling
document is shown; in the middle, it is depicted how
guidelines for different incidents are integrated in RT
articles; and on the right side of the figure, it is shown
how RT articles are connected to tickets. 61
1 Introduction
Computer security incident response teams provide response to se-
curity incidents. Nowadays, the number of computer incidents is
growing and they are getting more sophisticated. Cyber security inci-
dents often lead to significant damage to organizations, such as data
loss, business process interruption or breach of privacy, which is why
timely and effective response is imperative.
The incident handling process typically starts when an incident is
reported to the incident response team. The incident is then assigned
to team members who are tasked with finding a resolution. After this,
an investigation and resolution process follows in order to contain the
incident and limit the damage. To make sure this incident handling
process happens optimally, it is essential that the right knowledge is
available to the right people at the right time. A proper knowledge
management system is essential for every organization, as it increases
the performance and effectiveness of its business processes. It helps
an organization to realize which knowledge assets exist within it
and which knowledge is missing to perform business processes
with the best result; the latter are known as knowledge gaps. Therefore, this
thesis focuses on knowledge management in the incident response pro-
cess by analyzing how knowledge management is done in this process
and how a structured approach can identify the knowledge gaps and
their solutions.
The thesis reviews state-of-the-art knowledge management frame-
works, which provide a bridge between theoretical concepts and actual
implementations, and uses them to suggest a customized knowledge
management framework for Masaryk University Computer Security
Incident Response Team (CSIRT-MU). This framework provides in-
structions and a custom implementation plan for knowledge manage-
ment within CSIRT-MU. As a result of applying the afore-mentioned
framework in practice, the strong and weak points of knowledge man-
agement were identified for the incident handling process of CSIRT-MU,
possible improvements were analyzed and assessed, and finally a
prototype of a knowledge management system for the incident response
team of CSIRT-MU was designed.
2 CSIRT/CERT organizational context
This chapter covers what a CSIRT/CERT is, which problems it ad-
dresses and how it solves them.
2.1 CSIRT/CERT
In 1988, the "Internet Worm" Incident occurred, which resulted in the
largest number of compromised computers ever witnessed to that
point. At that time, there was no organization which would provide
response to security incidents. After the "Internet Worm" occurred,
the first CERT (Computer Emergency Response Team Coordination
Center) was formed to respond to computer incidents on the Inter-
net [1].
The term CERT was first used in 1989, when the host organization
(Carnegie Mellon University) of the CERT Coordination Center registered
"CERT" as a trademark. The term CSIRT (Computer Security Incident
Response Team) was introduced later in their CSIRT Handbook. Since
CSIRT and CERT express the same concept, the two terms are often
used interchangeably [2].
The development of the Internet has made business processes
more convenient and faster and communication all over the world
easier: governments, corporations, banks, schools and many other
types of organizations perform their daily business activities
over the Internet. However, due to the ever-increasing complexity of
Internet systems, mistakes and accidents occur more easily and the
number of security problems in computer systems grows with it. The
combination of the data available over the network and security flaws
in IT systems makes IT systems an attack target. Therefore, computer
incidents, that is, the exploitation of vulnerabilities in IT systems, have
become more and more prominent. Security incident management is
essential for organizations in order to continue business processes and
protect organizational assets in case of a computer incident.
Since 1988, hundreds of CSIRTs/CERTs have been founded. Nowa-
days, CSIRTs/CERTs not only respond to emergencies but also offer
services which prevent computer security incidents. CSIRTs/CERTs
may offer different services (shown in Table 2.1) such as a security au-
Figure 2.1: Incident Resolution cycle [2]. Stages shown in the diagram: Data Analysis, Research, Resolution Proposed, Action Performed, Eradication and Recovery.
third party is supposed to perform these actions. This signals the tran-
sition to the action performed step. During this step, the CSIRT/CERT
may monitor which actions are actually taken. All these actions are
performed in order to recover the system which was attacked; this is
the real resolution of the problem [2].
2.4.6 Post-analysis
3 Knowledge Management
This chapter explains the concepts of knowledge and knowledge man-
agement and explains why knowledge management is important.
Figure 3.1: Three-level hierarchy. Data (alphabetically sorted books), Information (a list of books sorted by content), Knowledge (analyzed books).
analysis and other knowledge maps are used to establish the location
of tacit knowledge sources [9].
6. IT related issues;
7. lack of KM understanding/standards;
On the other hand, in the paper [17], Alan Frost identifies and
describes in detail the failure factors that have been discussed in the
KM literature. The failure factors are organized into two categories:
causal and resultant (shown in Figure 3.3). Most of the causal
failure factors listed by Frost cover the reasons listed in
the previous paragraphs.
It is important to identify which failure factors apply to a specific
situation. When it is known which aspects can go wrong, an approach
can be designed to contain the applicable failure factors. The failure
factors
From the above, it is clear how essential it is for an organization
to have proper knowledge management. A structured approach to
achieving knowledge management is to use a knowledge management
framework (KMF). Therefore, to get a better overview of existing frameworks
and select the most sound KMF, the next chapter provides compar-
isons of the most notable frameworks.
Figure 3.3: Knowledge Management Failure Factors. The only factor label recoverable from the diagram: overemphasis on formal learning, systematization, and determinant needs.
4 Overview of various knowledge management
frameworks
In order to choose a suitable KMF to implement, this chapter analyzes
and compares different KMFs. Three different
types of frameworks are distinguished: prescriptive frameworks, which
prescribe specific KM tasks (KM processes); descriptive frameworks,
which identify the attributes of KM that impact its success and failure;
and frameworks which depict both KM processes/tasks and the fac-
tors that influence knowledge management activities [18]. To develop
a comprehensive result, frameworks with a combination of both com-
ponents were taken as a starting point. The most important paper for
the analysis was "Harmonisation of knowledge management – com-
paring 160 KM frameworks around the globe" [19], which compares
160 different KMFs.
The following five frameworks cover every concept mentioned
above: a systems thinking framework for knowledge management
(see section 4.1), a framework of critical failure factors in KM projects
(see section 4.2), a threefold knowledge management framework (see
section 4.3), the GPO-WM® framework (see section 4.4) and the European
KM framework (see section 4.5). This chapter describes each of them
and compares them to each other.
Figure 4.1: A systems thinking framework. Components shown: organizational culture, organizational strategy, learning, KM tasks, and tacit & explicit knowledge.
4. Overview of various knowledge management frameworks
2. Knowledge identification;
3. Knowledge collecting;
4. Knowledge organizing;
5. Knowledge storage;
6. Knowledge sharing;
7. KM evaluation;
For each of the stages, different critical failure factors are identified.
Figure 4.2: KM cycle [21]: Knowledge identification, Knowledge collecting, Knowledge organizing, Knowledge storage, Knowledge sharing, KM evaluation.
∙ Overreliance on technology;
4.2.7 KM evaluation
During the KM evaluation stage, a KM system is evaluated and its
flaws are identified in order to eliminate shortcomings. The following
failure factors are listed for this stage:
4.4 GPO-WM® Framework
In 2005, Heisig developed a knowledge management framework based
on different KMFs [19]. The framework consists of the following three
layers: business process, knowledge activities and enablers, which
influence the success of KM.
33
4. Overview of various knowledge management frameworks
4.4.3 Enablers
The author identifies six enablers which influence success and sustain-
able knowledge management:
1. Culture;
6. Information technology;
A proper assessment is required to successfully implement KM for
the above mentioned enablers [19].
Figure 4.3: The GPO-WM® implementation model [24]. KM-Strategy: 1. Corporate area; 2. Business process. KM-Implementation: 5. KM-solutions; 6. Detailed planning; 7. Implementation; 8. Evaluation.
Figure 4.4: The second layer of the European KM framework. KM activities: Identify, Create, Store, Share, Use.
The result of these phases is that the business processes with their
key knowledge resources are identified and their status is assessed by
the management team. Additionally, a KM project team is appointed.
The last phase focuses on evaluating the project. The following is a list
of indications of successful KM projects:
Figure 4.5: A general project management scheme for KM implementation [25]. Phase A: Setting up a KM project; Phase B: Assessment; Phase C: Development; Phase D: Implementation; Phase E: Evaluation.
Now that all the frameworks have been introduced, a proper com-
parison can be made between them. In this subsection, the advantages
and disadvantages of each framework are identified and weighed
against the others.
All of the frameworks described above identify knowledge manage-
ment processes (activities) and influential factors as the main components
of the framework. However, there are still strong differences between
them.
The systems thinking framework provides useful directions for
identifying the core components of KM frameworks and choosing
the frameworks which would be used for the prototype. However,
it does not address most of the influential factors which might have
5 Implementation of Knowledge Management
in CSIRT-MU
This chapter covers the practical part of the thesis. The context of
CSIRT-MU is described, which is followed by the prototype framework
and the resulting prototype knowledge management system.
5.1 CSIRT-MU
Masaryk University Computer Security Incident Response Team was
formed in May 2009 and is tasked with the defense of Masaryk Uni-
versity’s network. CSIRT-MU consists of three groups: the Incident
response group, the Proactive security group and the Secure digital
identities group [26].
5.1.2 Constituency
The constituency of CSIRT-MU is defined by a range of IP addresses:
for IPv4, these are the addresses within the range 147.251.0.0/16 and
for IPv6, these are the addresses within the range 2001:718:801::/48.
The domain muni.cz also belongs to the constituency [27].
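The constituency definition above is the first thing a handler checks when a report arrives: is the reported address or host ours to handle, or should the report be forwarded to the responsible team? The following Python script is an added illustration, not part of this thesis or of CSIRT-MU's tooling. It encodes the two ranges and the domain from [27], unwraps IPv4-mapped IPv6 addresses (a common source of missed matches), rejects look-alike domains such as muni.cz.example.org, and triages a few constructed sample reports; the report field names id, source and target are assumptions.

```python
import ipaddress

# Constituency of CSIRT-MU as stated in its RFC 2350 document [27].
CONSTITUENCY_NETWORKS = [
    ipaddress.ip_network("147.251.0.0/16"),
    ipaddress.ip_network("2001:718:801::/48"),
]
CONSTITUENCY_DOMAINS = ("muni.cz",)


def normalize_ip(address):
    """Parse an address string and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Returns None for anything that is not a valid IP address, so host
    names and malformed input never raise inside the triage loop.
    """
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return None
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has it
    return mapped if mapped is not None else ip


def ip_in_constituency(address):
    """True if the address lies inside one of the constituency ranges."""
    ip = normalize_ip(address)
    if ip is None:
        return False
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(ip in net for net in CONSTITUENCY_NETWORKS)


def domain_in_constituency(hostname):
    """True if the host is the constituency domain or a subdomain of it.

    Matching on a leading dot keeps 'muni.cz.example.org' and
    'evilmuni.cz' out of scope; a trailing dot (FQDN form) is tolerated.
    """
    host = hostname.strip().rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in CONSTITUENCY_DOMAINS)


def classify_report(report):
    """Decide whether a report is handled locally or forwarded.

    Field names 'id', 'source' and 'target' are assumed for illustration.
    'handle' when a constituency asset is involved on either side,
    otherwise 'forward' to the team responsible for the addresses.
    """
    involved = []
    for key in ("source", "target"):
        value = report.get(key, "")
        if ip_in_constituency(value) or domain_in_constituency(value):
            involved.append(key)
    decision = "handle" if involved else "forward"
    return {"id": report.get("id"), "decision": decision, "in_scope": involved}


# Constructed sample reports (documentation ranges), not real CSIRT-MU data.
SAMPLE_REPORTS = [
    {"id": 1, "source": "203.0.113.7", "target": "147.251.4.20"},
    {"id": 2, "source": "::ffff:147.251.9.9", "target": "198.51.100.5"},
    {"id": 3, "source": "2001:718:801:abcd::1", "target": "mail.example.net"},
    {"id": 4, "source": "192.0.2.1", "target": "www.fi.muni.cz."},
    {"id": 5, "source": "192.0.2.2", "target": "muni.cz.example.org"},
    {"id": 6, "source": "not-an-address", "target": "10.0.0.1"},
]


def triage(reports=SAMPLE_REPORTS):
    """Classify every report; returns a list of decision dicts."""
    return [classify_report(r) for r in reports]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

Reports 1 to 4 come out as "handle" (report 2 only because the mapped address is unwrapped, report 4 because the FQDN trailing dot is stripped), while reports 5 and 6 are forwarded; a real deployment would take the ranges from the team's published RFC 2350 rather than hard-coding them.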
Figure 5.1: The time-line and the details of the implementation of KM in the incident response team. Milestones recoverable from the figure: March 2019; start of Phase 2; start of Phase 3 (evaluation of the suggested solution).
During the 'initial state' and 'focus setting' steps of the KM
audit, the relevant documents regarding incident handling processes
and procedures were analyzed. Additionally, several members of the
incident handling team were approached for interviews.
During the 'adjustment of inventory' and 'survey' steps, customized
questionnaires were prepared regarding the incident handling pro-
cess and interviews were performed. It should be mentioned here
that the sole purpose of these interviews was to create an overview of
knowledge domains and processes within the team. As a result, new
answers led to new questions that were incorporated in every new
interview, so the questionnaires were altered between interviews.
have been performed and other details regarding the tasks. RTIR is an
incident-handling tool which provides functionality for CSIRT/CERT
teams to track, respond to and deal with computer incidents [31]. RT
provides an articles module, a knowledge base which
supports knowledge management activities for storing and managing
explicit knowledge (shown in Figure 5.2). RT provides the possibility of
organizing articles into classes and topics, and supports customization
of articles by defining custom fields for each class of articles. These
custom fields are user-defined properties: users define their
name, their type and which parts of RT they apply to. RT articles are not
currently used by the incident handling group, but the articles
function in particular could be used to integrate documents and manage explicit
knowledge.
It is clear that both options could become valid KM solutions with
further development. This means that an
in-depth comparison should be made to determine which option is
best for an appropriate KM system for the incident handling service.
The following section compares RT articles and Redmine knowledge
are resolved manually, the main focus was on these queues to integrate
guidelines from the incident handling manual into RT.
The integration of the incident handling manual in RT/RTIR was
done in the following way: for each category of incident in the General
queue, the relevant sections were chosen from the incident handling
manual and added as articles in a dedicated class (the "incident handling
manual" class) in RT/RTIR. When an incident handler determines
the category of the incident in RT/RTIR, the article corresponding to
the incident category shows up (shown in Figure 5.3). In this way, an
incident handler no longer needs to find the right section of
the right document manually, which optimizes the process. For the
Info queue, articles with the name "Info" are accessible when a
ticket is actually created.
Figure 5.3: Integrated incident handling manual in RT/RTIR. Left: the incident handling manual document with its incident categories (1. Phishing, 2. Spam, 3. DDoS, 4. DoS, 5. Account compromised, ...). Middle: RT articles (Phishing, Spam, DDoS) holding the guidelines for each category. Right: incidents in the General queue of RT/RTIR (Phishing, Phishing, DDoS), each linked to the matching article.
handler can add custom or already used tags. The benefit of using
this specific functionality is that RT checks its tag database while a
keyword is being typed and offers a tag that already exists (autocompletion).
This helps an incident handler to search for incidents with
similar patterns and check the comments which were made by other incident
handlers.
organization, the link would make it easier to find the new document
and make sure that the latest version is used. Another benefit of
this approach is that the documents are currently saved in different
systems, and in this way one central point for accessing the explicit
knowledge could be created.
6 Conclusion
At the time of writing this thesis, there is no documentation
of cases where KM has been applied to CSIRTs/CERTs, so this thesis
is the first attempt. This was achieved through separate literature re-
views on knowledge management and incident response and applying
the concepts from that literature to the case of the incident handling
team of CSIRT-MU. I developed a customized framework for a knowl-
edge management implementation for the incident handling team of
CSIRT-MU based on the literature review of state-of-the-art KMFs. I
chose elements from different frameworks for the custom KMF and
developed a customized implementation plan for the afore-mentioned
framework.
The aim of the thesis was to suggest a prototype of a Knowledge
Management System for the incident handling team of CSIRT-MU,
which would improve the knowledge management
of their business processes. The KM implementation for the incident
response team was done in three phases: assessment of knowledge
management, development of a prototype and evaluation of the
prototype. As a result of the first two phases, the knowledge require-
ments were identified and solutions were found to address them.
In the last phase, the prototype was evaluated by the
incident handlers to ensure that the requirements were met. Now the
suggested KMS can be deployed to the operational environment of
CSIRT-MU and then evaluated in practice.
While working on this thesis, I faced several challenges, but the
nature of incident response teams was the most challenging factor as
most of the information is confidential. In contrast, developing and
analyzing KM in an organization requires detailed and explicit infor-
mation about the organizational structure, processes, culture, tools
used in processes and more. During the implementation of KM in
CSIRT-MU, I did not have full access to such information, therefore the
data had to be acquired during the interviews and from studying the
incident handling manual in a restricted environment. Another chal-
lenge was to study the Request Tracker system and get familiar with
its capabilities and how it is used in practice by CSIRT-MU. The latter
was again confidential, so the only source of information about how
the incident handlers of CSIRT-MU use the system was the interviews.
Another challenge was studying the concept of KM and creating the
prototype framework which would be suitable for CSIRT-MU, as there
is no general consensus on how KM should be done.
that the people involved are willing, convinced and trained to achieve
the best possible benefits from the suggested KM system.
Bibliography
1. Handbook for Computer Security Incident Response Teams. Carnegie Mel-
lon University, 2013.
2. MAJ, Miroslaw; REIJERS, Roeland; STIKVOORT, Don. Good
Practice Guide for Incident Management. European Network and In-
formation Security Agency (ENISA), 2010.
3. RFC 2350 CERT-EU. 2011.
4. CSIRT-RU [online]. Radboud University [visited on 2018-10-06]. Avail-
able from: https://www.ru.nl/ict/algemeen/informatie-beveiligen/informatiebeveiliging/cert-ru/rfc-2350.
5. DAVENPORT, Thomas H.; PRUSAK, Laurence. Working Knowledge: How
Organizations Manage What They Know. Boston, Massachusetts: Har-
vard Business School Press, 1998.
6. TSOUKAS, H.; VLADIMIROU, E. What is Organizational Knowledge?
Journal of Management Studies. 2001.
7. TAKEUCHI, Hirotaka. The New Dynamism of the Knowledge-Creating
Company. In: TAKEUCHI, Hirotaka; SHIBATA, Tsutomu (eds.).
Japan Moving Toward a More Advanced Knowledge Economy: Advanced
Knowledge-Creating Companies. Washington (D.C.): World Bank In-
stitute (WBI), 2006.
8. HORVATH, A. Working with Tacit Knowledge. In: CORTADA, James W.;
WOODS, John A. (eds.). The Knowledge Management Yearbook
2000-2001. Butterworth-Heinemann, 2000.
9. FROST, Alan. Knowledge management tools [online]. 2010 [visited on 2018-07-08].
Available from: https://www.knowledge-management-tools.net.
10. DIMATTIA, S.; ODER, N. Knowledge management: hope, hype, or harbinger?
Library Journal. 1997, vol. 122, no. 15.
11. RAGAB, Mohamed; ARISHA, Amr. Knowledge Management and Measure-
ment: a Critical Review. Journal of Knowledge Management. 2013,
vol. 17.
A The questions for interviews
3. Where are all documents located and how can you find them?
Are these documents organized and easily accessible by all the
team members?
B The questionnaire for the evaluation of the suggested solution
1. Will you use the integrated incident handling manual in RT?
What would you improve about it? What do you see as a draw-
back?
∙ Training materials
∙ Legal documents
∙ Scripts
∙ Lesson learned from incidents
∙ Manuals and Guidelines
C The content of the thesis archive
The thesis archive available at https://is.muni.cz/auth/th/pupg1/
includes the virtual environment for a prototype of a knowledge man-
agement system for incident response teams, built in Request Tracker.
The advantages of this system are centralization and automatic linking
of necessary documents and faster communication between different
parties. The files are organized in the following structure:
∙ ansible
* roles: The folder contains ansible roles.
- ansible-conf.yml: The configuration used by the Ansible playbook.
- playbook.yml: The Ansible playbook that builds the environment.
- README.md: The file provides information regarding the Ansi-
ble roles.