CSIRTs and the distribution of sensitive data
Andrew's recent post on the legal issues of cleaning up after botnet infections has prompted me to write something about how the way that Janet CSIRT operates helps with these issues in our community.
During our investigation of incidents we frequently encounter logs and datasets that contain potentially sensitive information. These are frequently sourced from data breaches or malware infections, and more often than not from third-party systems outside of Janet. The data can contain personal data, payment card data or details of network traffic from Janet systems. On at least one occasion we've dealt with a breach of sensitive medical information.
Ideally in these cases the only information we are exposed to relates to Janet customers. Unfortunately, determining which data relates to our customers can be a difficult task. Do we filter based on IP addresses allocated via Janet? IP addresses routed through Janet? Data relating to ac.uk domains? What about ac.uk domains hosted off Janet? Inevitably we end up having to filter our customers' data out of larger datasets.
Using our internal customer records we can then further split the data according to the customer it relates to and then route it to the appropriate security contacts. The approach of having a central point of coordination such as a CSIRT ensures that data is not exposed to more people than is necessary, but that it is still effectively disseminated to help those affected by the incident.
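The filtering and routing described above, as an added illustration that is not Janet CSIRT's own tooling: each third-party record is matched against the constituency first by IP prefix (allocated or routed) and then by domain, including ac.uk domains hosted elsewhere, and split into per-customer slices so that only the affected contact sees their own data. The customer names, prefixes, domains and sample records are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed constituency records (hypothetical; not Janet's real allocations).
# customer -> prefixes allocated to, or routed for, that customer
CUSTOMER_PREFIXES = {
    "Example University": ["203.0.113.0/24"],
    "Example College": ["198.51.100.0/25"],
}
# customer -> domains, including ac.uk domains hosted off the network
CUSTOMER_DOMAINS = {
    "Example University": ["example-uni.ac.uk"],
    "Example College": ["example-coll.ac.uk"],
}
NETS = [(ipaddress.ip_network(p), c) for c, ps in CUSTOMER_PREFIXES.items() for p in ps]
DOMS = [(d.lower(), c) for c, ds in CUSTOMER_DOMAINS.items() for d in ds]

def customer_for(record):
    """Return the customer a record relates to, or None if it lies outside the constituency."""
    try:
        addr = ipaddress.ip_address(record.get("ip") or "")
    except ValueError:
        addr = None  # missing or malformed address: rely on the domain check only
    if addr is not None:
        for net, cust in NETS:
            if addr in net:
                return cust
    host = record.get("email", "").rpartition("@")[2].lower()
    for dom, cust in DOMS:
        if host == dom or host.endswith("." + dom):
            return cust
    return None

def triage(records):
    """Split a third-party dataset into per-customer slices; count and drop the rest."""
    by_customer = defaultdict(list)
    discarded = 0
    for rec in records:
        cust = customer_for(rec)
        if cust is None:
            discarded += 1  # not ours: never forwarded, never retained
        else:
            by_customer[cust].append(rec)
    return dict(by_customer), discarded

# Constructed sample breach dump (no real data)
SAMPLE = [
    {"email": "alice@example-uni.ac.uk", "ip": "192.0.2.10"},
    {"email": "bob@mail.example-coll.ac.uk", "ip": ""},
    {"email": "carol@example.com", "ip": "203.0.113.77"},
    {"email": "dave@example.com", "ip": "192.0.2.99"},
]
```

Each slice in the returned dict is what would be passed to that customer's security contact; the discarded count is the only thing worth keeping about the rest.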