Palantir: a framework for collaborative incident response and investigation
Source: IDtrust, Vol. 373. Proceedings of the 8th Symposium on Identity and Trust on the Internet
Gaithersburg, Maryland
SESSION: Federations and virtual organizations
Pages 38-51  
Year of Publication: 2009
ISBN:978-1-60558-474-4
Authors
Himanshu Khurana  University of Illinois, Urbana IL
Jim Basney  University of Illinois, Urbana IL
Mehedi Bakht  University of Illinois, Urbana IL
Mike Freemon  University of Illinois, Urbana IL
Von Welch  University of Illinois, Urbana IL
Randy Butler  University of Illinois, Urbana IL
Sponsors
Internet2
OASIS IDtrust Member Section
FPKIPA: Federal Public Key Infrastructure Policy Authority
National Institute of Standards and Technology (NIST)
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1527017.1527023
ABSTRACT

Organizations that own cyber-infrastructure assets face large-scale distributed attacks on a regular basis. Given the increasing complexity and frequency of such attacks, we argue that it is insufficient to rely on organizational incident response teams, or even on trusted coordinating response teams. Instead, there is a need for a framework that enables responders to establish trust and carry out an effective collaborative response and investigation process across multiple organizations and legal entities, in order to track the adversary, eliminate the threat, and pursue prosecution of the perpetrators. In this work we develop such a framework for effective collaboration. Our approach is motivated by our experience in dealing with a large-scale distributed attack that took place in 2004, known as Incident 216. Based on this approach, we present the Palantir system, which comprises the conceptual and technological capabilities needed to respond adequately to such attacks. To the best of our knowledge, this is the first work to propose a system model and implementation for a collaborative, multi-site incident response and investigation effort.


