Best Practices Contest 2009

Kyoto (JP), June 28 - July 03, 2009

Best Practices Contest 2009: Detect

For the second year in a row, the CERT Coordination Center (CERT/CC) and the Forum of Incident Response and Security Teams (FIRST) jointly hosted an international competition to honor best practices and advances in safeguarding the security of computer systems and networks. The purpose of the contest was to solicit best practices that prevent cyber attacks or mitigate attacks that are unfolding so that others may benefit from the knowledge. The contest was held in conjunction with the 2009 FIRST annual conference in Kyoto, Japan.

The topic of the competition was chosen from the phases of a computer security incident response team's cycle of activity: Protect, Detect, Respond and Sustain. This year's topic was "Detect."

2009 Winners

Call for Submission: System and Network Security Best Practices

The Forum of Incident Response and Security Teams (FIRST) annual conference brings together computer security incident response teams (CSIRTs), government officials, researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the field of computer system and network security. FIRST and the CERT Coordination Center (CERT/CC) will host a best practices contest during the 2009 FIRST annual conference in Kyoto, Japan. The purpose is to identify and share the CSIRT community's best practices in order to help organizations use methods that most effectively mitigate security threats globally.

All interested parties are encouraged to submit the best practices they use to improve and maintain a high standard of information security in the topic area described below. Submissions are due by May 11, 2009 at 11:59pm (U.S. Eastern Daylight Time, UTC-4).

An evaluation committee will review the submitted best practices and award the top two. FIRST and the CERT/CC will present the awards during the 2009 FIRST annual conference.

First place will be awarded USD 5,000 (five thousand US Dollars), and second place will receive a USD 2,500 (twenty-five hundred US Dollars) award.

Best Practices Contest Topic: Detect

The topic for this year's best practices contest is chosen from the operational activity cycle within CSIRTs. This cycle is typically divided into four categories: Protect, Detect, Respond, and Sustain.


Last year, the topic for submissions was Protect. This year's topic is focused on the Detect category. In the Detect process, information about potential incidents, vulnerabilities, or other computer security or incident management information is gathered either reactively (received from internal or external sources in the form of reports or notifications) or proactively (monitoring indicators of possible incidents or the exploitation of vulnerabilities through mechanisms such as network monitoring or IDS).

Detection steps can include the following:

  • noticing events and reporting or handling those events
  • proactively monitoring indicators through mechanisms such as network monitoring, IDS, or technology watch functions
  • analyzing the indicators being monitored (to determine any notable activity that might suggest malicious behavior or identify risk and threats to the enterprise infrastructure)
  • analyzing historical data to develop better ways of detecting events

Detect can apply to both human and automated processes for detection and analysis.

Best Practices Submission Guidelines

  • Individuals, working groups, teams, or organizations can submit their best practices. The submitter does not need to be a member of FIRST.
  • All submissions should be made by the intellectual property owner or with the permission of the owner. Where employer, client, or government authorization is needed, it is the responsibility of the author(s) to obtain such authorization prior to submitting the final materials.
  • All submissions must reflect original work and must adequately document any overlap with previously published or simultaneously submitted papers from any of the authors.
  • FIRST and the CERT/CC require a non-exclusive, royalty-free copyright license for all submitted papers. This includes distribution on websites and in publications.
  • FIRST and the CERT/CC reserve the right to edit submissions for style, grammar and length.
  • Paper submissions are due by May 11, 2009 at 11:59pm (U.S. Eastern Standard Time, UTC-5, firm deadline). All submissions should be made online via email. Submissions should be finished, complete papers.
  • Submissions received after the deadline will not be considered unless the evaluation committee chair has granted an extension.
  • Submit papers to Submission will be acknowledged within 48 hours of receipt.
  • Submissions must be in RTF format.
  • All submissions will be judged on originality, relevance, correctness, and clarity.
  • For blind review, some information may be sanitized from the original paper by collectors before distributing to the evaluation committee.
  • Papers accompanied by nondisclosure agreement forms will not be considered. All submissions will be treated as confidential prior to publication.
  • Send questions about submissions to